Five Recommendations for Securing Cloud Containers
Understanding the impacts of virtualization on security is fundamental to properly architecting and implementing cloud security. In this blog, we will be discussing best practices to secure application containers.
What are containers?
Containers are highly portable code execution environments. To simplify, a virtual machine is a complete operating system, all the way down to the kernel. A container, meanwhile, is a virtual execution environment that features an isolated user space, but uses a shared kernel. Such containers can be built directly on top of physical servers or run on virtual machines. Current implementations rely on an existing kernel/operating system, which is why they can run inside a virtual machine even if nested virtualization is not supported by the hypervisor. (Software containers rely on a completely different technology for hypervisors.)
Software container systems always include three key components:
- The execution environment (the container).
- An orchestration and scheduling controller (which can be a collection of multiple tools).
- A repository for the container images or code to execute.
Together, these are the place to run things, the things to run, and the management system to tie them together.
Are containers secure?
Containers are rapidly evolving, which complicates some aspects of security, but doesn’t mean that they are inherently insecure. You can read more about the key challenges of securing application containers in this publication.
Containers don’t necessarily provide full security isolation, but they do provide task segregation.
That said, virtual machines typically do provide security isolation. Thus, you can put tasks of equivalent security context on the same set of physical or virtual hosts in order to provide greater security segregation.
Container management systems and image repositories also have different security capabilities, based on which products you use. The security team should learn and understand the capabilities of the products they need to support. Products should, at a minimum, support role-based access controls and strong authentication. They should also support secure configurations, such as isolating file system, process, and network access.
A deep understanding of container security relies on a deep understanding of operating system internals, such as namespaces, network port mapping, memory, and storage access. Different host operating systems and container technologies offer different security capabilities. This assessment should be included in any container platform selection process.
What do you need to keep in mind when securing containers?
Assure the security of the underlying physical infrastructure (compute, network, storage). This is no different than any other form of virtualization, but it now extends into the underlying operating system where the container’s execution environment runs.
Assure the security of the management plane, which in this case are the orchestrator and the scheduler.
Properly secure the image repository. The image repository should be in a secure location with appropriate access controls configured. This is both to prevent loss or unapproved modification of container images and definition files, as well as to forestall leaks of sensitive data through unapproved access to the files. Containers run so easily that it’s also important that images are only able to deploy in the right security context.
Build security into the tasks/code running inside the container. It’s still possible to run vulnerable software inside a container and, in some cases, this could expose the shared operating system or data from other containers. For example, it is possible to configure some containers to allow not merely access to the container’s data on the file system but also root file system access. Allowing too much network access is also a possibility. These are all specific to the particular container platform and thus require securely configuring both the container environment and the images/container configurations themselves.
CSA’s 5 Recommendations for Securing Containers
- Understand the security isolation capabilities of both the chosen container platform and underlying operating system then choose the appropriate configuration.
- Use physical or virtual machines to provide container isolation and group containers of the same security contexts on the same physical and/or virtual hosts.
- Ensure that only approved, known, and secure container images or code can be deployed.
- Appropriately secure the container orchestration/management and scheduler software stack(s).
- Implement appropriate role-based access controls and strong authentication for all container and repository management.
You can read more recommendations for securing containers in this publication. If you’re interested in learning more about application containers and microservices you can also visit our working group page.