Mon, Jul 25, 2022

A CISO’s Guide to Container Security: Understanding Vulnerabilities & Best Practices

Companies are introducing new apps and services to enable remote work, improve supply chains and handle disruptions caused by the pandemic. Our digital-first world thrives on speed and efficiency, and containers play a huge part in getting applications up and running quickly.

Though containers offer many advantages over traditional virtualization, they also introduce significant security risks. Without a container security strategy to mitigate risk, companies can experience the exact problems they are trying to avoid. A breach from a cyberattack will interfere with operations, impact revenue and hurt the bottom line.

Following container security best practices enables chief information security officers (CISOs) and their security teams to get the greatest benefits out of containerization while minimizing the risks that come with it.

The Rewards—and Risks—of Containers

IT departments are embracing containers for several reasons. Containers are smaller, faster and more portable than virtual machines—requiring fewer system resources, taking up less physical space on the server and starting in just seconds rather than the minutes virtual machines (VMs) require to boot up. Containers with various applications can run on the same server without conflicts, again saving resources and reducing need for IT hardware.

Containers are by design “cloud-enabled,” and therefore easy to move on or off premises and run apps on private, public or multi-cloud platforms. These features result in increased agility and efficiency in developing and deploying apps, which enable companies to create and deliver new products and applications to their customers faster and at lower costs than ever before. Containerization has become a key to modern, cloud-based IT strategies that drive innovation and create a substantial competitive advantage.

What Are the Top Container Security Risks?

IT managers are worried about container security for good reason. In a 2022 survey of 300 DevOps, engineering and security professionals, 93% of respondents said they experienced at least one security incident in their Kubernetes environments in the last 12 months, with the incident sometimes leading to revenue or customer loss.

Their very agility and portability create container security vulnerabilities, specifically:

  • The proliferation of containers expands the number of attack surfaces for cybercriminals.
  • The availability of containers in public repositories can lead IT to (mistakenly) assume a container’s validity and security.
  • The multiple layers of the stack—orchestration, containerization platform, individual containers—present more chances for misconfiguration and other lapses in security measures.

Misconfigurations are of the greatest concern to IT professionals. The report highlights that 46% of respondents worry the most about exposures due to misconfigurations in their container and Kubernetes environments—nearly three times the level of concern over attacks.

In one example, criminals breached improperly configured Docker containers. IT had failed to password-protect their management API ports. The hackers installed crypto-mining software and stole Amazon Web Services server credentials. This instance illustrates not only the problem of misconfiguration, but also the failure to effectively isolate containers. Although platforms like Kubernetes offer network segmentation features, IT does not always use them. The result? The entire IT infrastructure of a business is put at risk.

In addition, established enterprises in the midst of digital transformations may try to containerize decades-old legacy applications, many of which were designed before the cloud existed and some of which still run on mainframes. These can be mission-critical, revenue-producing systems, so transitioning them to containers carries an especially high security risk. There may be architectural patterns that are not cloud-friendly. There could also be a lack of institutional knowledge about how the applications work because they were designed so long ago.

How to Put Container Security Best Practices in Place

A sound container security strategy should cover the entire container life cycle, including development, operations, testing and security in a fast, iterative and continuous integration and development pipeline.

Given how fast containers and the cloud operate, DevOps and security teams must come together to introduce security as early as possible. Container security should ensure sourcing known trusted images, managing access, integrating regular security and penetration testing and continuously protecting the underlying infrastructure.

10 Key Features of an Effective Container Security Strategy

  • Verify containers. Require that the IT department verify the security of containers, even those from well-known, trusted sources. (Regularly scan to detect insecure Docker files/images.) Hackers have been known to create malicious containers and place them in known repositories.
  • Undertake container hardening, a very important step to ensure that the containers do not contain unnecessary services.
  • Plan logging carefully. Since most containers are ephemeral, many either do not store logs, or store logs in ephemeral storage, which is destroyed along with the container, making investigation of incidents difficult. Logging should be considered carefully to ensure that security logs are exported to dedicated log servers, or at the very least, persisted to durable storage.
  • Monitor container telemetry to gain further visibility and identify malicious behavior inside containers.
  • Use network segmentation to isolate containers from each other as well as the rest of your IT infrastructure and prevent a container breach from proliferating.
  • Document each container, including source, function and location. Because of their portability and ease of use, as well as the speed at which containerization is proliferating, IT departments can easily lose track of containers. That can be a nightmare if there is a breach.
  • Institute procedures that routinely lock down each level of the environment, including operating system, containers and orchestration software. Regularly patch and update at every level as part of an overall vulnerability management program.
  • Maintain good security practices regarding access. Configure accounts based on least-privilege principles and ensure that unused accounts are quickly deactivated.
  • Require regular penetration tests. One area our team closely examines during penetration testing is checking container environments for issues with secrets management.
  • Harden management APIs. This should include password protection and associated network controls (e.g., firewall, VPN requirements, or as a minimum, IP whitelisting).
Making the Investment in Container Security

While instituting an effective containerization security strategy is crucial, CISOs may need to “sell” security to the C-Suite. CISOs should emphasize to their CEOs and boards of directors the importance of IT security—including containerization security as the company speeds up its digital transformation. They should highlight the cost of a breach in money, time and reputational damage. IBM Security estimated the average cost of a security breach in 2021 at 4.24 million, the highest average total cost in the 17-year history of the report. Numbers like that will help CISOs get more attention to, and more budget for, containerization security.

If you’re interested in learning more about operating smoothly in the cloud or would like to speak to an advisor about your containerization strategy, you can learn more or schedule a meeting here.

Cloud Security Services

Kroll’s multi-layered approach to cloud security consulting services merges our industry-leading team of AWS and Azure-certified architects, cloud security experts and unrivalled incident expertise.

Threat Exposure and Validation

Proactively identify your highest-risk exposures and address key gaps in your security posture. As the No. 1 Incident Response provider, Kroll leverages frontline intelligence from 3000+ IR cases a year with adversary intel from deep and dark web sources to discover unknown exposures and validate defenses.