One of the biggest cloud security threats facing enterprises today is the problem of improperly configured containers, according to experts such as Mike Sprunger, senior manager of cloud and network security at Fortune 500 technology provider Insight Enterprises.
Sprunger noted in an interview that despite warnings to the contrary, many IT teams still fail to limit access to containerized applications, effectively opening access to anyone, including invaders and attackers. Containers are frequently deployed with the default security configurations, which don’t provide enough protection for enterprise security, he observed.
Complicating the problem is that many enterprises don’t use the identity and access management policies that are now available to control access to containerized applications. "Default security configurations are similar to owning a rowboat with a screen door in the bottom," Sprunger quipped.
The knowledge gap surrounding security risks and the blunders it causes are, by far, the biggest threat to organizations using containers, observed Amir Jerbi, co-founder and CTO of Aqua Security, a container security software and support provider. "Vulnerabilities in container images -- running containers with too many privileges, not properly hardening hosts that run containers, not configuring Kubernetes in a secure way -- any of these, if not addressed adequately, can put applications at risk," he warned. Examining the security incidents targeting containerized environments over the past 18 months, most were not sophisticated attacks but simply the result of IT neglecting basic best practices. he noted.
Beyond basic security
Ensuring that container environments conform to enterprise security requirements is the cloud service customer's responsibility -- not the service provider. "There are best practices for container security, such as those outlined in NIST Special Publication 800-190, which provide a good jumping off point for container configurations, but specific measures should be aligned with application requirements," Sprunger said.
While most container environments meet basic security requirements, they can also be more tightly secured. It's important to sign your images, suggested Richard Henderson, head of global threat intelligence for security technology provider Lastline. "You should double-check that nothing is running at the root level."
Unlike traditional, monolithic applications, the orchestrated microservices applications that are typical of containerized environments require security to be built into the entire development and delivery process. "Because of the complexity of the runtime stack, it's impossible to apply security as an afterthought, or rely on network-based and host-based models," Jerbi said. "The ability to automate security into the CI/CD pipeline is crucial for effective security and to prevent regrettable incidents."
Staff should only have access to the applications they actually handle, Jerbi noted. "Additionally, user privilege should be limited and segmented by role," he suggested. For example, the cluster administrator should not be able to disable audit logs. The InfoSec team, meanwhile, should be given visibility into the pipeline and the runtime environments in order to receive security event alerts, yet should not be able to start or stop containers. "Kubernetes has an extensive RBAC (role-based access control) model that can be configured to handle such requirements," Jerbi explained.
Mounir Hahad, head of Juniper Networks' Juniper Threat Labs, advised restricting access to containerized applications in the cloud to DevOps teams. "Even though there are legitimate use cases where others need access for development and testing, that should only be granted on staging environments, not production environments with real, sensitive data," he said.
Identity authentication is important everywhere, but it's not a silver bullet, Henderson warned. "Credential theft and misuse continues to be an ongoing problem." Henderson urged managers to ask themselves if they could tell whether someone was using stolen credentials to access their containerized applications or data. "If the answer is no, you may need to think of additional security controls to plug that gap," he suggested.
Least privilege is, as always, a critical security concept. Identity and access management (I&AM) systems, upstream of all applications, should be deployed to ensure that only authenticated users, including administrators and developers, are taking authorized actions. "All access ... needs to be authorized and logged," stressed Miles Ward, CTO at cloud technology services provider SADA.
I&AM shouldn't be seen as an additional burden, increasing the deployment complexity of cloud applications, Hahad said. "Instead, it should be viewed as an extension to data center or private cloud I&AM, where consistent corporate policies are applied everywhere."
Always remember that containers, while a boon to many developers and IT organizations, are just as susceptible to bugs and vulnerabilities as any other technology tool or platform, Henderson warned. "Keeping that in mind, it means we have to keep our eyes open for threats targeting the underlying products we're using and make patching a critical imperative," he added. "Attackers waste no time exploiting issues that are disclosed."