Resilient Container Security: How to Achieve it in Three Steps

Written by Christina DePinto, Product Marketing Manager, Tenable Cloud Security.

As your organization grows its cloud adoption, chances are its use of containers is rapidly increasing, too, and with it the need to secure your container infrastructure. But how do you properly and effectively protect your containers?

That’s the topic of this blog series, “Resilient Container Security.” In our first installment, we explained why a preventive strategy grounded in exposure management must be your foundation. In this second part, we detail the three core, concrete steps needed to build a robust container security strategy.

STEP 1: Discover and secure container infrastructure

To secure containers, you first need to detect and find them. Gaining this visibility is the first step in determining your security posture. To find and secure container infrastructure, you must be able to:

• Detect Docker. Docker-detection services make it easy to discover Docker installations on host systems, as well as enumerate all the containers running on those hosts. Many Docker deployments operate unbeknownst to cybersecurity teams, creating a significant blind spot, so Docker detection is an essential step.
• Patch Docker hosts. Next, you need to patch Docker host vulnerabilities. Docker containers share the kernel with the host operating system, which means kernel-level vulnerabilities now gain a whole-new level of significance on Docker hosts. It’s critical to run a comprehensive credentialed patch audit against Docker hosts to ensure they’re up-to-date with the latest patches and security fixes.
• Harden Docker hosts and Kubernetes systems. Finally, harden your container infrastructure to reduce its attack surface. You can do this by:
  • Limiting the number of services running other than the Docker daemon
  • Limiting user access to the Docker daemon
  • Securely configuring core components of Kubernetes

Take advantage of industry best practices, such as the CIS Docker Benchmarks and CIS Kubernetes Benchmarks, which cover configuration, patching, permissions, access and sprawl.

STEP 2: Shift left with security

The next step is to integrate security into your DevOps pipelines so you get comprehensive insight into container security risks and address them prior to deployment. Enable shifting left with security via:

• DevOps integration. Security needs to be an important part of the DevOps process. Just as developers run unit, API and integration testing on software builds, security is another critical quality assurance test before pushing the container code or image to a repository or registry. The security tests must be fast – less than a minute – to avoid blocking or disrupting software development workflows. So, how do you do it?
  • First, take advantage of fully documented APIs to integrate security testing programmatically within your CI/CD build systems. Next, be sure you can import and connect to a wide range of container-image registries to enable continuous protection of images. The importance of connecting to registries is described in Step 3 under continuous vulnerability assessment.
• Automated inspection. Once security testing is integrated into CI/CD build systems, create a complete bill of materials covering all container image layers and components. Gaining visibility into what’s inside a container allows you to perform in-depth vulnerability assessments on each container image and assess container-image source code for malware. Make sure this inspection happens automatically – without manual intervention from security — each time there’s a new build.
• Policy assurance. Enterprise policy assurance helps to certify containers are compliant with organizational risk thresholds before accepting the container image. Create container security policies that align to corporate goals and objectives based on overall risk scores and presence of malware. If a container image exceeds the risk threshold, developers must be notified immediately with layer-specific information to help them take direct action to remediate. Policy violations can trigger alert notifications in bug-tracking tools or emails, or can optionally block specific images from being deployed depending on organization preferences.

STEP 3: Incorporate container security into a comprehensive exposure management program

Finally, ensure container security operates as part of a larger exposure management program to protect your entire attack surface, including traditional IT, public cloud, mobile and IoT. These are the two key capabilities you need:

• An integrated security platform. Containers are but one of an emerging category of assets across the modern attack surface that are disrupting current security approaches and techniques. The last thing cybersecurity leaders want is to manage disparate solutions and multiple tools for different asset classes to protect traditional IT and modern assets. This only creates isolated visibility, excess management overhead and constant reactive firefighting of new threats.
• Continuous vulnerability assessment. New vulnerabilities are identified daily. You can respond to new risks quickly by continuously monitoring a wide range of external vulnerability databases looking for new threats. Automatically retest all your container images in your registries against any new vulnerabilities on a regular schedule. If the newly identified vulnerability is present, provide the vulnerability and remediation details developers need to fix it, so they can push new container images and secure their applications.

About the Author

Christina DePinto joined Tenable in 2022 and is a Product Marketing Manager for Tenable Cloud Security and Tenable's open-source project Terrascan. Prior to joining Tenable, Christina worked at Siemens Digital Industries Software on the industry marketing team focusing on electronics and semiconductor manufacturing.