Guides

Container Security

Container Security: Securing Your Entire Stack

What Is Container Security?

Containers are immutable. This means that each change to the application or microservice involves updating the container image and launching new containers. This type of environment is highly dynamic and requires continuous monitoring, observability, and security.

Container security is a continuous practice, which should be fully integrated into the entire development cycle. By implementing security as an integral part of your continuous deployment cycle, you can mitigate risk and reduce the number of vulnerabilities across a dynamic and complex attack surface.

To ensure efficiency, you should automate manual touch points. This includes not only development tasks, but also those related to the operation and maintenance of the underlying infrastructure. For example, you should protect your build pipeline container images as well as the runtime host, your chosen platform, and all application layers.

In this article:

Securing the Container Stack

The container stack usually consists of container images, containers, a container engine (Docker), container runtime (runC), registries, hosts, and orchestrators. The following are several potential risks affecting the stack, and techniques that can help you overcome them.

Addressing Image Vulnerabilities

Container images are just as likely to have vulnerabilities as any legacy code. To ensure you are not introducing critical issues into the production environment, you should scan images for both vulnerabilities and compliance issues. Vulnerability scanning tools produce a software bill of materials (BOM), which can help identify out-of-date or unwanted software libraries, malicious software (malware), and embedded secrets. You can then correlate risk to individual image layers to ensure you are securely building your images.

Remember that configuration drift—gradual, unplanned changes in configuration over time—can be a huge issue for containers. A scanned image may pass a vulnerability and compliance check today, but may not remain secure in the future. This is because new threat data can identify vulnerabilities in a component that was previously thought to be secure. To prevent this issue, you need to continuously monitor all images and containers.

Securing and Monitoring Container Runtimes

A container runtime is generally considered one of the most challenging components to secure. Traditional security technology was not designed to monitor running containers, so these tools cannot obtain visibility into containers or even establish solid baselines that model a secure container environment.

To secure containers, you need to establish behavioral baselines for your container environment in a normal and secure state. This can help detect and prevent anomalies and potential attacks. Runtime security requires you to focus on securing the application level, rather than relying mainly on network security tools.

Related content: Read our guide to Docker container monitoring

Securing the Registry and Orchestrator

The management stack helps coordinate containers. It includes at least two pieces of infrastructure—a privacy container registry, such as Amazon ECS, and a container orchestrator (Kubernetes).

Container registries simplify the sharing of containers. This helps teams build on each other’s work. However, these containers must be secured, typically through the use of automated scanners that ensure all containers meet development and security baselines.

Automated scanners check each container for known malware, vulnerabilities, and exposed secrets. To reduce issues downstream, the check should run before making the container available in the registry.

To ensure your registry is protected, you need to run it on a secure cloud service or a hardened system. When using a cloud service, you must factor in the shared responsibility model of the cloud and implement your own strong role-based access control (RBAC) for the registry.

Kubernetes is an open-source container management platform that offers a rich set of capabilities. You can define a wide range of policies and then let the platform automatically enforce these operational and security baselines.

Together, the registry and orchestrator enable automated enforcement of a set of container security and quality standards. These standards are applied before and during any redeployment into the environment.

Securing Host Machines

Here are several practices that can help you secure container host machines:

  • Choose a suitable operating system – Ideally, prefer a distributed operating system optimized especially to run containers.
  • Harden the operating system – Implement security measures that protect the operating system. For example, when using stock Linux distributions or Microsoft Windows, you need to disable or remove any unnecessary services.
  • Add a layer of security and monitoring – These tools can help ensure that the host runs as expected. For example, you can use application control tools or an intrusion prevention system (IPS).

Once a container runs in production, it starts interacting with resources and other containers. You should monitor and secure this type of internal traffic by ensuring all network traffic from containers passes through an IPS. However, do not try to implement a small number of large traditional IPS engines on the perimeter. Instead, you should implement the IPS on each host. This allows effective monitoring of all traffic without significantly impacting performance.

The NIST Guidelines for Container Security

The 2017 Application Container Security Guide was created and published by the U.S. Department of Commerce. While this guide is several years old, it can still help teams as they build their container environments. Here are key recommendations from the guide:

Introduce a cultural shift

When first adopting containers, existing culture and development methodologies may be disrupted. Additionally, current practices may not apply to the containerized environment. Introducing containers requires a cultural shift. You should encourage, educate, and train all teams and relevant stakeholders to rethink their coding and operations practices.

Use container-specific hosts

Container-specific host operating systems are designed to be minimal—their sole purpose is to run containers. You can use this kind of host OS to significantly reduce attack surfaces.

Segment your containers

You should segment containers to provide defense in depth. Organizing containers in different network segments can make it more difficult for attackers to move laterally. It can also increase the likelihood that compromises are detected and contained.

Adopt container-specific security tools

Traditional security tools make assumptions that are not aligned with a containerized architecture model. This is why these tools usually cannot detect container vulnerabilities.

To ensure your containers are secure and compliant, you should use processes and tools capable of validating and enforcing compliance with secure configuration best practices for container images. Typically, these tools provide centralized reporting, monitoring for each image, and can prevent non-compliant images from running.

4 Common Container Security Mistakes to Avoid

Here are several common container security pitfalls to avoid:

  • Forgetting basic security hygiene – Containers are generally considered a new technology, which requires the use of new security methods. However, certain security fundamentals still apply. For example, you need to keep all systems patched and up-to-date, including operating systems and container runtimes.
  • Failure to harden and configure tools and environments – Container orchestration platforms offer a set of unique security capabilities. However, to ensure security, you need to properly configure them for each environment. You should never run security configurations using a platform’s default settings. For example, you should grant containers only the privileges needed to run. This can significantly minimize risks associated with privilege escalation attacks.
  • Failure to log, monitor, and test – When you first run containers in production, you might lose visibility into the health of your application and environments. If this occurs and you do not catch the issue in time, you might run into critical risks. This is especially important for highly distributed systems spanning multiple clouds and on-premise infrastructure. You need to make sure you have properly configured monitoring, logging, and testing. This can help minimize the amount of unknown vulnerabilities as well as reduce other blind spots.
  • Failure to secure all phases of the CI/CD pipeline – Do not ignore other components of your software development pipeline. You can avoid this issue by implementing a “shift left” philosophy, which means you implement security early in the development cycle. This often requires consistently applying relevant tools and policies across the pipeline and making changes as needed.

Related content: Read our guide to container security best practices

Container Security with Calico

Calico Enterprise and Calico Cloud offer the following unique features for container security:

  • Encryption – Calico utilizes WireGuard to implement data-in-transit encryption. WireGuard runs as a module inside the Linux kernel and provides better performance and lower CPU utilization than IPsec and OpenVPN tunneling protocols. Calico supports WireGuard for self-managed environments such as AWS, Azure, and Openshift, and managed services such as EKS and AKS.
  • Default-deny – Calico implements least privilege access controls by denying all network traffic by default and only allowing connections that have been authorized. This applies to traffic between microservices as well as ingress and egress outside the cluster.
  • Firewall integration – The Calico Egress Gateway provides universal firewall integration, enabling Kubernetes resources to securely access endpoints behind a firewall. This allows you to extend your existing firewall manager and zone-based architecture to Kubernetes for cloud-native architecture.
  • Egress Gateway – Enforce workload access controls from a firewall outside the cluster.
  • Intrusion detection and prevention (IDS/IPS) – Detect and mitigate Advanced Persistent Threats (APTs) using machine learning and a rule-based engine that enables active monitoring.

Next Steps

Join our mailing list​

Get updates on blog posts, workshops, certification programs, new releases, and more!