In order to manage application infrastructure, administrators rely on containers and tools that empower the DevOps team to package, deliver, and run applications in a way that allows portability, reusability, and automation. These technologies introduce new security issues which need to be carefully considered.
The attack surface for these environments can be quite large, given that containerized applications tend to be complex, being made up of many components that communicate with each other over a network.
The National Institute of Standards and Technology (NIST) provides a starting point and a baseline to assist in the challenging task of being compliant, by publishing the NIST Special Publication 800-190: Application Container Security Guide. It dissects Security concerns and mitigation strategies for each layer of the application stack.
Container images can include outdated and vulnerable versions of software or libraries, faulty applications or hidden malware. If you are using tools to scan for these vulnerabilities, they should be container-aware, facilitating the examination for all of the containerized application layers. Moreover, defectively configured images can be another source of vulnerability. Some of these configurations can be running the container with excessive privileges and storing authentication keys or certificates.
The container registry from where the images are pulled also deserves special attention. NIST recommends pulling images from trusted registries with encrypted and authenticated connections and a continuous maintenance schedule.
Concerning container orchestration, configurations such as data encrypted at-rest, end-to-end network traffic encryption, two-factor authentication, isolated network traffic according to information sensitivity, maintenance of persistent identity for each node, and access scope should provide a secure by default administrative interface.
Container runtimes, like docker and rkt, can themselves contain vulnerabilities that can lead to container escape scenarios. Installing runtime security patches, enforcing secure configurations, and network traffic scanning through application-aware filtering tools should be a high priority for administrators.
Considering the Operating System hosting the containers, NIST advocates running a hardened, container-specific OS. This includes limiting the number of installed components, keeping security patches up-to-date, proper OS configuration, mounting sensitive file systems as read-only, and avoiding data persistence on the host.
On the subject of automation, functions like vulnerability scanning and software updates should be accompanied by a thorough record of roles, owners, and container sensitivity level and a well-defined monitoring system.
The NIST Application Container Security Guide is a great place to start protecting containerized environments and a must-read for IT Security professionals.