Sharing the host operating system kernel is one of the primary benefits of containers, but it is also the crux of the security concerns about them. Organizations that adopt containers also need to accept responsibility for securing them and to stay aware of new container vulnerabilities as the industry discovers them.
Here’s an article that outlines important aspects of container security:
The kernel is shared between the containers and the host, so every container is exposed to any vulnerability in that kernel.
Since all containers share the kernel’s resources, one container that monopolizes a resource can starve the other containers on the host. The result is a denial of service (DoS), where legitimate users cannot access part or all of the system.
An attacker who has gained access to a container should not be able to reach other containers or the host. Because users are not namespaced in the container by default, any process that breaks out of the container has the same privileges on the host as it had inside the container.
It is quite difficult to know whether the images you use are safe or have not been tampered with. An attacker can trick you into running a malicious image and put both the host and your data at risk. It is just as hard to know whether the images you run are up to date and free of software versions with known vulnerabilities.
When a container accesses a database or service, it needs a secret such as an API key or another credential. An attacker who obtains that secret also gains access to the service. This is amplified in a microservice architecture, where containers are constantly stopping and starting, compared with an architecture of a few long-lived VMs.
Container Security Issues and Approaches
Most security issues arise from the differences in how VMs and containers function.
Containers are much smaller and more efficient than VMs. To run an application in a virtual machine, it must first run on a guest operating system, which in turn requires a hypervisor on the server. Containers instead share the host OS kernel with other containers through the kernel’s API (system) calls, which is an advantage and a security concern at the same time. If containers are not properly isolated from one another, a vulnerability in the shared OS kernel can be used to compromise the containers.
Another serious concern in securing containers is their volatile and dynamic nature. Thousands of containers can be created or destroyed in an instant to meet changes in demand.
The following security measures, implemented well and managed effectively, can help you secure and protect your container ecosystem.
Vulnerability management in container development lifecycle
By using effective vulnerability management throughout the container development lifecycle, you improve the odds that you can identify and resolve security concerns before they become a more serious problem.
Scan for vulnerabilities before pushing images to the registry
A container image registry is a service that stores container images; it is hosted by a partner or run as a public or private registry. In the final stage of container development, a vulnerability scan of the images before they are pushed to the registry is mandatory.
Continue scanning in the registry
There is always room for new vulnerabilities, so scanning for and identifying them needs to be continuous. Continuous scanning serves a dual purpose: identifying flaws that were missed during development, and addressing newly discovered vulnerabilities in the software used in the container images.
Map image vulnerabilities to running containers
It’s important to have a way of mapping vulnerabilities identified in container images to the running containers that use those images, so that the security issues can be mitigated or resolved.
Permit only approved registries
Permit only the use of approved container registries. This reduces your exposure to risk by limiting the potential for unknown vulnerabilities or security issues.
Protecting the container images in the registry is as important as managing the container lifecycle. Ensure the integrity of the images while they are in the registry and as they are altered or deployed into production.
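The registry controls above (scan before push, keep scanning, map findings to running containers, allow only approved registries) are usually enforced by a small policy gate in the deployment pipeline. The following is an added example written for this article, not code from Tekpros or Azure: it parses image references the way Docker does, rejects references that are unpinned or come from a registry outside a (hypothetical) approved list, and joins constructed scanner findings with a constructed running-container inventory by image digest. The registry names, digests, CVE ids and container names are all made up for the example.

```python
import re
from collections import defaultdict

# Registries this organization has approved. Hypothetical names, constructed for the example.
APPROVED_REGISTRIES = {"registry.example.internal", "myacr.azurecr.io"}

# Docker's rule: the first path component is a registry only if it contains a '.' or a
# port, or is 'localhost'; otherwise the image is implicitly on Docker Hub (docker.io).
_REF_RE = re.compile(
    r"^(?:(?P<registry>(?:[^/:]*\.[^/:]*|localhost)(?::\d+)?|[^/.:]+:\d+)/)?"
    r"(?P<repo>[a-z0-9][a-z0-9._/-]*?)"
    r"(?::(?P<tag>\w[\w.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)

def parse_image_ref(ref):
    """Split 'registry/repo:tag@sha256:...' into its parts (missing parts are None)."""
    m = _REF_RE.match(ref)
    if not m:
        raise ValueError(f"not a valid image reference: {ref!r}")
    parts = m.groupdict()
    parts["registry"] = parts["registry"] or "docker.io"
    return parts

def registry_policy_violations(ref, approved=APPROVED_REGISTRIES):
    """Policy gate for a deployment request: returns the reasons the image reference
    should be rejected (an empty list means it passes)."""
    parts = parse_image_ref(ref)
    problems = []
    if parts["registry"] not in approved:
        problems.append(f"registry {parts['registry']!r} is not on the approved list")
    if parts["digest"] is None:
        problems.append("image is not pinned by digest, so the tag can be re-pushed with different content")
    if parts["tag"] == "latest":
        problems.append("'latest' identifies no specific version, so scan results cannot be tied to it")
    return problems

def map_findings_to_containers(scan_results, running):
    """Join scanner findings (keyed by image digest) with the running-container inventory so
    each CVE is tied to the workloads that are actually exposed, worst severity first."""
    by_digest = defaultdict(list)
    for c in running:
        digest = parse_image_ref(c["image"])["digest"]
        if digest:                      # unpinned images cannot be matched to a scan result
            by_digest[digest].append(c)
    rank = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}
    exposure = [
        {"container": c["name"], "node": c["node"], **finding}
        for digest, findings in scan_results.items()
        for c in by_digest.get(digest, [])
        for finding in findings
    ]
    exposure.sort(key=lambda e: (rank[e["severity"]], e["container"]))
    return exposure

# Constructed sample data: fake digests, placeholder CVE ids and an invented inventory.
DIGEST_A = "sha256:" + "a" * 64
DIGEST_B = "sha256:" + "b" * 64
SCAN_RESULTS = {
    DIGEST_A: [{"id": "CVE-0000-0001", "severity": "CRITICAL", "package": "openssl"},
               {"id": "CVE-0000-0002", "severity": "LOW", "package": "curl"}],
    DIGEST_B: [{"id": "CVE-0000-0003", "severity": "HIGH", "package": "zlib"}],
}
RUNNING = [
    {"name": "api-7f9c", "node": "node-1", "image": f"myacr.azurecr.io/shop/api@{DIGEST_A}"},
    {"name": "api-b21d", "node": "node-2", "image": f"myacr.azurecr.io/shop/api@{DIGEST_A}"},
    {"name": "worker-0", "node": "node-2", "image": f"myacr.azurecr.io/shop/worker@{DIGEST_B}"},
    {"name": "debug",    "node": "node-1", "image": "busybox:latest"},
]

if __name__ == "__main__":
    for c in RUNNING:
        print(c["name"], registry_policy_violations(c["image"]) or "ok")
    for e in map_findings_to_containers(SCAN_RESULTS, RUNNING):
        print(f'{e["severity"]:8} {e["id"]} in {e["package"]} -> {e["container"]} on {e["node"]}')
```

Pinning by digest is what makes the mapping step reliable: a mutable tag such as latest can point at different content tomorrow, so a scan result recorded against a tag cannot be trusted to describe what is running, while a digest identifies exactly one image. The unpinned busybox:latest container in the sample therefore fails the gate and cannot be matched to any finding.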
Least privilege in the container runtime
Least privilege is a basic security best practice that applies to containers as well. When a vulnerability is exploited, it gives the attacker access and privileges equal to those of the compromised application or process. Making sure that containers operate with the lowest privileges and access they need reduces your exposure to risk.
Remove unneeded privileges
Remove unused or unnecessary processes and privileges from the container runtime to minimize the potential attack surface. Since privileged containers run as root, a malicious user or workload that gets into a privileged container becomes root on that system.
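In Kubernetes the privileges a container gets are declared in the Pod spec, so the least-privilege check can be automated before anything is admitted to the cluster. The following is an added example for this article, not Tekpros's or Azure's code: a checker that flags the privilege-related settings discussed above (privileged mode, running as root, privilege escalation, undropped capabilities, a writable root filesystem, shared host namespaces), run against a constructed permissive Pod and the same workload hardened. The Pod specs and image reference are invented; the checker covers only these fields, not the full Kubernetes schema.

```python
# Constructed Pod specs: a permissive one and the same workload hardened.
_IMAGE = "myacr.azurecr.io/shop/payments@sha256:" + "c" * 64   # constructed digest

WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "payments"},
    "spec": {
        "hostPID": True,                       # sees every process on the node
        "containers": [{
            "name": "app",
            "image": _IMAGE,
            "securityContext": {"privileged": True},
        }],
    },
}

HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "payments"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "app",
            "image": _IMAGE,
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                # drop everything, then add back only the one capability the app needs
                "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
            },
        }],
    },
}

def privilege_findings(pod):
    """Return (container, finding) pairs for settings that exceed least privilege.
    Container-level securityContext fields override pod-level ones, as in Kubernetes."""
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    for key in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(key):
            findings.append(("pod", f"{key} shares a host namespace with the containers"))
    for c in spec.get("containers", []):
        name = c["name"]
        sc = {**pod_sc, **c.get("securityContext", {})}
        if sc.get("privileged"):
            findings.append((name, "privileged: true gives root-equivalent access to the host"))
        run_as_user = sc.get("runAsUser")
        if run_as_user == 0 or (run_as_user is None and not sc.get("runAsNonRoot")):
            findings.append((name, "runs as root (set runAsNonRoot or a non-zero runAsUser)"))
        if sc.get("allowPrivilegeEscalation", True):
            findings.append((name, "allowPrivilegeEscalation is not disabled"))
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append((name, "capabilities are not dropped (drop: [ALL], then add back only what is needed)"))
        if not sc.get("readOnlyRootFilesystem"):
            findings.append((name, "root filesystem is writable"))
    return findings

if __name__ == "__main__":
    for label, p in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, privilege_findings(p) or "no findings")
```

The same checks map directly onto the Pod Security Standards "restricted" profile, so a cluster can enforce them with the built-in Pod Security admission controller rather than a custom script; the script is useful earlier, in CI, where a rejected manifest costs less than a rejected deployment.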
Whitelist allowable files and executables that the containers can run
Reducing the number of variables helps you maintain a stable and reliable environment. Containers can be limited so that they can access or run only preapproved (whitelisted) files, which limits exposure to risk. It is even better if you whitelist right from the beginning.
By whitelisting, you gain a measure of control as you learn which files and executables the application needs to function correctly. It not only reduces the attack surface but also provides a baseline for detecting anomalies and helps prevent container breakout scenarios.
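The "baseline for anomalies" part of whitelisting is the detection side: once you know which executables each container legitimately runs, any other process start is a signal. The following is an added example for this article, not code from Tekpros or any runtime-security product: it parses constructed process-start events (the line format is invented for the example; real tools have their own) and reports executables outside each container's whitelist, treating a container with no whitelist at all as suspicious because it has no baseline.

```python
import re

# Per-container executable whitelists, learned from a baseline run. Constructed for the example.
ALLOWED_EXECUTABLES = {
    "payments": {"/usr/local/bin/python3", "/bin/sh"},
    "gateway": {"/usr/sbin/nginx"},
}

# Constructed process-start events in an invented one-line format (timestamp, container,
# executable path, pid, parent pid). The "debug" container has no whitelist on purpose.
EXEC_EVENTS = [
    "2024-01-01T10:00:01Z container=payments exe=/usr/local/bin/python3 pid=1 ppid=0",
    "2024-01-01T10:00:02Z container=gateway exe=/usr/sbin/nginx pid=1 ppid=0",
    "2024-01-01T10:05:17Z container=payments exe=/bin/sh pid=212 ppid=1",
    "2024-01-01T10:05:18Z container=payments exe=/usr/bin/curl pid=213 ppid=212",
    "2024-01-01T10:05:20Z container=gateway exe=/usr/bin/apt-get pid=340 ppid=1",
    "2024-01-01T10:06:00Z container=debug exe=/bin/bash pid=1 ppid=0",
]

_EVENT_RE = re.compile(
    r"^(?P<ts>\S+) container=(?P<container>\S+) exe=(?P<exe>\S+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+)$"
)

def parse_exec_event(line):
    """Turn one event line into a dict; malformed lines are an error, not silently dropped."""
    m = _EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unrecognized event: {line!r}")
    ev = m.groupdict()
    ev["pid"], ev["ppid"] = int(ev["pid"]), int(ev["ppid"])
    return ev

def unexpected_execs(lines, allowlist):
    """Return the events whose executable is outside the container's whitelist, each with a
    reason. Containers without a whitelist are reported as well: no baseline, no trust."""
    alerts = []
    for line in lines:
        ev = parse_exec_event(line)
        allowed = allowlist.get(ev["container"])
        if allowed is None:
            alerts.append({**ev, "reason": "container has no executable whitelist"})
        elif ev["exe"] not in allowed:
            alerts.append({**ev, "reason": f"{ev['exe']} is not whitelisted for {ev['container']}"})
    return alerts

if __name__ == "__main__":
    for a in unexpected_execs(EXEC_EVENTS, ALLOWED_EXECUTABLES):
        print(f'{a["ts"]} {a["container"]} pid={a["pid"]} ppid={a["ppid"]}: {a["reason"]}')
```

The parent pid is kept in the alert because it tells you where the unexpected executable came from (here, curl was started by the whitelisted shell, pid 212), which is what an incident responder needs first. Detection of this kind complements, but does not replace, enforcement such as a read-only root filesystem and a seccomp or AppArmor profile that stops the process from running at all.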
Network segmentation on running containers
You can protect the containers in one segment from the risks in another by maintaining network segmentation (or nano-segmentation) between running containers. This can also help in meeting compliance mandates.
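In Kubernetes, segmentation between running containers is expressed with NetworkPolicy objects, and the rule that trips people up is that a pod accepts all traffic until some policy selects it, after which only traffic matching an ingress rule gets through. The following is an added example for this article, not Tekpros's or Azure's code: a small evaluator of that ingress logic, run against constructed policies for a hypothetical "shop" namespace (default deny, database reachable only from the API on its port, web tier reachable from anywhere on its port). It handles podSelector peers only; namespaceSelector, ipBlock, egress and protocols are left out, so it is a model of the semantics, not a replacement for the real controller.

```python
def selects(selector, labels):
    """matchLabels semantics: every selector key must match; an empty selector matches all pods."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def ingress_allowed(policies, src, dst, port):
    """Simplified NetworkPolicy ingress evaluation. A pod selected by no policy accepts all
    traffic; once any policy selects it, a connection must match an ingress rule of some
    selecting policy. Peers are podSelectors only, which match pods in the policy's own
    namespace (namespaceSelector and ipBlock are omitted in this model)."""
    selecting = [p for p in policies
                 if p["namespace"] == dst["namespace"] and selects(p["podSelector"], dst["labels"])]
    if not selecting:
        return True
    for p in selecting:
        for rule in p.get("ingress", []):
            peers = rule.get("from", [])
            ports = rule.get("ports", [])
            peer_ok = not peers or any(
                src["namespace"] == p["namespace"] and selects(peer["podSelector"], src["labels"])
                for peer in peers if "podSelector" in peer
            )
            port_ok = not ports or any(pp["port"] == port for pp in ports)
            if peer_ok and port_ok:
                return True
    return False

# Constructed policies for a hypothetical "shop" namespace, in NetworkPolicy field names.
POLICIES = [
    # Selects every pod in the namespace and allows nothing: the default-deny baseline.
    {"name": "default-deny-ingress", "namespace": "shop", "podSelector": {}, "ingress": []},
    # Only the API tier may reach the database, and only on the database port.
    {"name": "api-to-db", "namespace": "shop",
     "podSelector": {"matchLabels": {"app": "db"}},
     "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "api"}}}],
                  "ports": [{"port": 5432}]}]},
    # The web tier accepts any source, but only on its service port.
    {"name": "web-public", "namespace": "shop",
     "podSelector": {"matchLabels": {"app": "web"}},
     "ingress": [{"ports": [{"port": 8080}]}]},
]

def pod(namespace, app):
    """Constructed pod identity: namespace plus a single app label."""
    return {"namespace": namespace, "labels": {"app": app}}

if __name__ == "__main__":
    checks = [
        ("api -> db:5432", pod("shop", "api"), pod("shop", "db"), 5432),
        ("web -> db:5432", pod("shop", "web"), pod("shop", "db"), 5432),
        ("api -> db:80", pod("shop", "api"), pod("shop", "db"), 80),
        ("anyone -> web:8080", pod("other", "x"), pod("shop", "web"), 8080),
        ("api -> worker:9000", pod("shop", "api"), pod("shop", "worker"), 9000),
    ]
    for label, src, dst, port in checks:
        print(f"{label:22} {'ALLOW' if ingress_allowed(POLICIES, src, dst, port) else 'DENY'}")
```

The last case is the one worth noticing: the worker pod has no policy of its own, but the default-deny policy selects it, so it receives nothing until someone writes a rule for it. Without that baseline policy, a new workload lands in the namespace fully reachable, which is exactly the segmentation gap the text warns about.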
Build on the strengths of Kubernetes with Azure
Partner with Tekpros to automate provisioning, monitoring, upgrading, and scaling with the fully managed Microsoft Azure Kubernetes Service (AKS). We help you get serverless Kubernetes, a simpler development-to-production experience, and enterprise-grade security and governance.
Partner with Tekpros
Azure Kubernetes Service is a powerful service for running containers in the cloud. Best of all, you only pay for the VMs and other resources consumed, not for AKS itself, so it’s easy to try out.
Need help architecting or managing an application on Azure Kubernetes Service? Contact us or learn more about our Azure Migration Service.