Containerized Apps: An 8-Point Security Checklist
Here are eight measures to take to ensure the security of your containerized application environment.
June 14, 2018
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/bltb0b0068b51b96e94/64f0d6e212374c3c6fb08dc3/01-containerrisk.jpg?width=700&auto=webp&quality=80&disable=upscale)
Containers allow applications to be abstracted from the underlying infrastructure on which they run. They give developers a way to package applications into smaller chunks that can run on different servers, thereby making them easier to deploy, maintain, and update.
But securing containerized applications requires a somewhat different approach compared with securing traditional application environments. That's because they are a bit harder to scan for security vulnerabilities, the images on which they are built are often unverified, and standardization in the space is still evolving. Importantly, containers also can be spun up and down quickly, making them somewhat ephemeral in nature from a security standpoint.
"Even though container technology may be a new concept to companies deploying them, the idea behind them should be familiar," says Kirsten Newcomer, senior principal product manager, security at Red Hat.
Organizations need to think about security through the application stack both before deploying a container and throughout its life cycle. "While containers inherit many of the security features of Linux, there are some specific issues that need to be considered when it comes to the model," Newcomer says.
Following are eight items that need to be on any organization's security checklist when deploying containers.
Just like you have controls for securely managing secrets such as passwords, API keys, and tokens in other application environments, controls also are needed for managing them in a container environment.
"Many containerized applications need access to sensitive information, such as username and password," Red Hat's Newcomer says. So you need a container platform that has the ability to support capabilities like encrypting secrets by default, automatically retrieving and injecting secrets when a container is started, and preventing containers from accessing secrets in other containers.
You need to be able to trust the base images on top of which you are building your container applications. That means you need to know about where the images came from, the code on which they were built, how and where it was created, what software it runs, and whether the images have any security issues.
"The container image is the foundation of your applications in production," says Joe Brockmeier, senior evangelist for Linux Containers at Red Hat. "The first and possibly most important thing that organizations need to do is to ensure they're getting trusted, verified, and supported base container images to start with."
Be aware of any security issues that might have been in the code before you can trust your images. "Container images are often downloaded from untrusted sources or have not been curated by the enterprise," says Hari Srinivasan, director of product management at Qualys. "It is important for enterprises to manage and check for image integrity."
Container and container orchestration tools can make it harder for security teams to keep track of application communication flows and potentially end up exposing applications to risks that might otherwise have been caught.
So any toolset an organization uses must enable visibility into the processes within and between containers, says Dave Klein, regional director of sales engineering at GuardiCore. The visibility is critical to ensuring the organization understands the container process workflow, he says.
"This visibility must extend itself into container orchestration, such as Docker, Kubernetes, and OpenShift. This visibility leads naturally into process dependency mapping, policy creation, and enforcement," Klein says.
A mix of container configurations with their own security bugs might expose IT environments to higher risks of breaches and potential loss of sensitive information, Qualys' Srinivasan says. So organizations looking to deploy containers need to ensure standardized configurations and deployment processes.
"As part of this, it is important that organizations introduce compliance-as-code measures to check for CIS standards for Docker Host deployments," Srinivasan says.
Organizations need to also ensure they have tools that are integrated into DevOps and offer an API for working with both developers and DevOps teams. "Finally, it is critical that organizations starting to secure containers collect metadata and logs specific to container deployments, and be able to understand new orchestration environments like Kubernetes," Srinivasan says.
In order to secure your container environment, you need to be able to discover and track container use across the enterprise. You need to have controls for detecting potential problems, such as resource bottlenecks and vulnerabilities.
Organizations also need effective vulnerability management, compliance practices, and container native intrusion detection/prevention, Qualys' Srinivasan says.
If you want to reduce the attack surface of your container environment, don't use a general-purpose operating system, says NIST. Rather, use a container-specific OS, which is minimalist in nature and designed to run only in containers with all other extraneous functions and services disabled. This minimizes the opportunities available to an attacker to compromise an OS.
Prioritizing critical container risks is vital to effective security, says Ali Golshan, co-founder and CEO of StackRox. Data from vulnerability scans, secrets management, orchestration settings, service configurations, user privileges, and registry metadata can provide a lot of information and context on threats to your container environment. Use the data to pinpoint the greatest exposures in your environment so that developers can focus on them when building container applications, Golshan says.
Running applications of different threat postures on a single host OS kernel heightens risk for all apps. So it is better to group containers "with the same purpose, sensitivity, and threat posture," NIST says. Segmenting containers this way can provide defense in depth by preventing an attacker who might manage to compromise one group of containers from expanding his attack, according to NIST.
Running applications of different threat postures on a single host OS kernel heightens risk for all apps. So it is better to group containers "with the same purpose, sensitivity, and threat posture," NIST says. Segmenting containers this way can provide defense in depth by preventing an attacker who might manage to compromise one group of containers from expanding his attack, according to NIST.
Containers allow applications to be abstracted from the underlying infrastructure on which they run. They give developers a way to package applications into smaller chunks that can run on different servers, thereby making them easier to deploy, maintain, and update.
But securing containerized applications requires a somewhat different approach compared with securing traditional application environments. That's because they are a bit harder to scan for security vulnerabilities, the images on which they are built are often unverified, and standardization in the space is still evolving. Importantly, containers also can be spun up and down quickly, making them somewhat ephemeral in nature from a security standpoint.
"Even though container technology may be a new concept to companies deploying them, the idea behind them should be familiar," says Kirsten Newcomer, senior principal product manager, security at Red Hat.
Organizations need to think about security through the application stack both before deploying a container and throughout its life cycle. "While containers inherit many of the security features of Linux, there are some specific issues that need to be considered when it comes to the model," Newcomer says.
Following are eight items that need to be on any organization's security checklist when deploying containers.
About the Author(s)
You May Also Like
CISO Perspectives: How to make AI an Accelerator, Not a Blocker
August 20, 2024Securing Your Cloud Assets
August 27, 2024