Containers are immutable. This means that each change to the application or microservice involves updating the container image and launching new containers. This type of environment is highly dynamic and requires continuous monitoring, observability, and security.
Container security is a continuous practice, which should be fully integrated into the entire development cycle. By implementing security as an integral part of your continuous deployment cycle, you can mitigate risk and reduce the number of vulnerabilities across a dynamic and complex attack surface.
To ensure efficiency, you should automate manual touch points. This includes not only development tasks, but also those related to the operation and maintenance of the underlying infrastructure. For example, you should protect your build pipeline container images as well as the runtime host, your chosen platform, and all application layers.
The container stack usually consists of container images, containers, a container engine (Docker), container runtime (runC), registries, hosts, and orchestrators. The following are several potential risks affecting the stack, and techniques that can help you overcome them.
Container images are just as likely to have vulnerabilities as any legacy code. To ensure you are not introducing critical issues into the production environment, you should scan images for both vulnerabilities and compliance issues. Vulnerability scanning tools produce a software bill of materials (BOM), which can help identify out-of-date or unwanted software libraries, malicious software (malware), and embedded secrets. You can then correlate risk to individual image layers to ensure you are securely building your images.
Remember that configuration drift—gradual, unplanned changes in configuration over time—can be a huge issue for containers. A scanned image may pass a vulnerability and compliance check today, but may not remain secure in the future. This is because new threat data can identify vulnerabilities in a component that was previously thought to be secure. To prevent this issue, you need to continuously monitor all images and containers.
A container runtime is generally considered one of the most challenging components to secure. Traditional security technology was not designed to monitor running containers, so these tools cannot obtain visibility into containers or even establish solid baselines that model a secure container environment.
To secure containers, you need to establish behavioral baselines for your container environment in a normal and secure state. This can help detect and prevent anomalies and potential attacks. Runtime security requires you to focus on securing the application level, rather than relying mainly on network security tools.
Related content: Read our guide to Docker container monitoring
The management stack helps coordinate containers. It includes at least two pieces of infrastructure—a privacy container registry, such as Amazon ECS, and a container orchestrator (Kubernetes).
Container registries simplify the sharing of containers. This helps teams build on each other’s work. However, these containers must be secured, typically through the use of automated scanners that ensure all containers meet development and security baselines.
Automated scanners check each container for known malware, vulnerabilities, and exposed secrets. To reduce issues downstream, the check should run before making the container available in the registry.
To ensure your registry is protected, you need to run it on a secure cloud service or a hardened system. When using a cloud service, you must factor in the shared responsibility model of the cloud and implement your own strong role-based access control (RBAC) for the registry.
Kubernetes is an open-source container management platform that offers a rich set of capabilities. You can define a wide range of policies and then let the platform automatically enforce these operational and security baselines.
Together, the registry and orchestrator enable automated enforcement of a set of container security and quality standards. These standards are applied before and during any redeployment into the environment.
Here are several practices that can help you secure container host machines:
Once a container runs in production, it starts interacting with resources and other containers. You should monitor and secure this type of internal traffic by ensuring all network traffic from containers passes through an IPS. However, do not try to implement a small number of large traditional IPS engines on the perimeter. Instead, you should implement the IPS on each host. This allows effective monitoring of all traffic without significantly impacting performance.
The 2017 Application Container Security Guide was created and published by the U.S. Department of Commerce. While this guide is several years old, it can still help teams as they build their container environments. Here are key recommendations from the guide:
Introduce a cultural shift
When first adopting containers, existing culture and development methodologies may be disrupted. Additionally, current practices may not apply to the containerized environment. Introducing containers requires a cultural shift. You should encourage, educate, and train all teams and relevant stakeholders to rethink their coding and operations practices.
Use container-specific hosts
Container-specific host operating systems are designed to be minimal—their sole purpose is to run containers. You can use this kind of host OS to significantly reduce attack surfaces.
Segment your containers
You should segment containers to provide defense in depth. Organizing containers in different network segments can make it more difficult for attackers to move laterally. It can also increase the likelihood that compromises are detected and contained.
Adopt container-specific security tools
Traditional security tools make assumptions that are not aligned with a containerized architecture model. This is why these tools usually cannot detect container vulnerabilities.
To ensure your containers are secure and compliant, you should use processes and tools capable of validating and enforcing compliance with secure configuration best practices for container images. Typically, these tools provide centralized reporting, monitoring for each image, and can prevent non-compliant images from running.
Here are several common container security pitfalls to avoid:
Related content: Read our guide to container security best practices
Calico Enterprise and Calico Cloud offer the following unique features for container security: