In their recent research note, Top 10 Security Projects for 2019*, Gartner analysts highlighted ten initiatives that Security and Risk Management leaders should implement or improve in 2019. Container security is on this list.
Among the recommendations, Gartner writes: “Start any container security strategy in development by scanning for known vulnerabilities and configuration issues, and then extend the strategy to runtime protection. More advanced solutions can build a detailed “bill of materials” for each container in development and compare this to what is actually used at runtime, making recommendations where libraries and code can be removed and reducing the surface area for attack.”
It’s great to see Gartner placing such importance on container security. The rate of adoption we’ve seen in the market is accelerating, and a heightened sense of ownership of container issues will ensure that organizations manage their risk before deploying containerized applications in production.
Here are additional recommended best practices to protect your containers from internal and external security threats.
Image Assurance
Detect and mitigate security and compliance issues before deployment by allowing only approved images from trusted, signed sources.
Use your CI/CD tools to scan images for known vulnerabilities, embedded secrets, malware, and configuration issues in every build. This gives developers immediate feedback, prevents questionable images from being used, and lets you find and mitigate known vulnerabilities before deployment.
Afterwards, continue to check images stored in your registries for known vulnerabilities on an ongoing basis. Even images that passed the scan when built may be affected by vulnerabilities disclosed later, which now make them risky.
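The two checks just described, a deny-by-default gate in the pipeline and a later re-scan of images already sitting in the registry, can be sketched as a small policy function. The following is an added example written for this post, not Aqua's scanner or any real CI/CD integration; the report format, trusted-signer list, package names and advisory IDs are all constructed placeholders.

```python
"""Image assurance gate: added example, not Aqua's or Gartner's code.
Models a CI/CD admission check plus the later registry re-scan the text
recommends. Scanner output format, package names and advisory IDs are
all constructed for illustration."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# Constructed trust list: signing identities allowed to publish images.
TRUSTED_SIGNERS = {"release-key@example.com"}
BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}


@dataclass
class ScanReport:
    image: str
    signer: Optional[str]
    packages: Dict[str, str]          # package -> installed version
    vulnerabilities: List[dict]       # {"id", "severity", "package"}
    secrets: List[str]                # e.g. "API token in /app/.env"
    misconfigs: List[str]             # e.g. "runs as root"


def evaluate(report: ScanReport) -> Tuple[bool, List[str]]:
    """Deny-by-default gate: any reason blocks the image from deployment."""
    reasons = []
    if report.signer not in TRUSTED_SIGNERS:
        reasons.append(f"unsigned or untrusted signer: {report.signer!r}")
    for v in report.vulnerabilities:
        if v["severity"].upper() in BLOCKING_SEVERITIES:
            reasons.append(f"{v['severity']} vulnerability {v['id']} in {v['package']}")
    reasons += [f"embedded secret: {s}" for s in report.secrets]
    reasons += [f"configuration issue: {m}" for m in report.misconfigs]
    return (not reasons, reasons)


def version_tuple(v: str) -> Tuple[int, ...]:
    """Numeric-only version comparison; real scanners use ecosystem-specific rules."""
    return tuple(int(p) for p in v.split("."))


def rescan(report: ScanReport, advisories: List[dict]) -> ScanReport:
    """Re-evaluate a stored image's package list against advisories published
    after the build. The image has not changed; what is known about it has."""
    found = []
    for adv in advisories:
        installed = report.packages.get(adv["package"])
        if installed is not None and version_tuple(installed) < version_tuple(adv["fixed_in"]):
            found.append({"id": adv["id"], "severity": adv["severity"], "package": adv["package"]})
    return replace(report, vulnerabilities=report.vulnerabilities + found)


# Constructed build-time report: clean, signed, admitted.
BUILD_TIME_REPORT = ScanReport(
    image="registry.example.com/app:1.4.2",
    signer="release-key@example.com",
    packages={"libexample": "2.4.1", "libother": "1.2.11"},
    vulnerabilities=[], secrets=[], misconfigs=[],
)

# Constructed report for an image pushed without the release key.
UNTRUSTED_REPORT = replace(
    BUILD_TIME_REPORT, image="registry.example.com/app:dev", signer=None,
    secrets=["API token in /app/.env"],
)

# Constructed advisories "published" after the build; IDs are placeholders.
LATER_ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "severity": "HIGH", "package": "libexample", "fixed_in": "2.4.3"},
    {"id": "ADV-EXAMPLE-0002", "severity": "LOW", "package": "libother", "fixed_in": "1.2.12"},
]

if __name__ == "__main__":
    print(evaluate(BUILD_TIME_REPORT))
    print(evaluate(rescan(BUILD_TIME_REPORT, LATER_ADVISORIES)))
    print(evaluate(UNTRUSTED_REPORT))
```

The point of the `rescan` step is that the build-time verdict is not permanent: the same report that was admitted at build time is rejected once a high-severity advisory lands for a package it carries, which is exactly why registry images need to be re-checked on a schedule rather than only in the pipeline.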
Runtime Protection
Take control of system settings, such as user authentication and authorization, ensuring that your orchestration platform and hosts that run containers are properly configured and hardened. It’s recommended to use a minimal OS (“thin OS”) on servers or VMs that run containers, such as Alpine or Red Hat CoreOS. Follow the best practices for hardening container hosts and Kubernetes described in the benchmarks by the Center for Internet Security (CIS).
Aqua provides controls that automate CIS security checks (certified by the CIS), monitor host activities, and monitor container activities for a variety of suspicious behaviors, such as connecting to external IP addresses with a dubious reputation, port scanning, or “fork bomb” attacks.
Drift Prevention
Containers are meant to run as immutable components. In other words, they should not be patched or changed when running. Instead, they should be refreshed from rebuilt images. Drift Prevention ensures that running containers are immutable and always derived from their approved images.
Aqua compares containers in runtime with their originating images and looks for items such as executables, binaries, and privileges that were not present in the original image. When any deviation is detected, Aqua issues an alert and can automatically block the specific unauthorized process.
Drift prevention is a powerful control that can prevent many types of attacks (even zero-day attacks) that try to manipulate running containers.
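The comparison at the heart of drift prevention, a running container's filesystem checked against the image it was started from, looks roughly like the following. This is an added illustration, not Aqua's implementation; the file entries, digests and permission modes are constructed, and the `IGNORE_PREFIXES` list stands in for whatever writable paths (logs, scratch volumes) a real deployment would exclude.

```python
"""Drift detection: added example, not Aqua's implementation. Compares a
snapshot of a running container's filesystem against the manifest of the
image it was started from. Paths, digests and modes are constructed."""
import stat
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Finding types that warrant blocking the process; everything else only alerts.
BLOCK = {"new_executable", "modified_binary", "privilege_escalation", "made_executable"}
# Assumed mutable paths (logs, scratch space) that are expected to change.
IGNORE_PREFIXES = ("/var/log/",)


@dataclass(frozen=True)
class FileEntry:
    path: str
    digest: str   # constructed content digest, stands in for a real sha256
    mode: int     # POSIX permission bits


def _executable(mode: int) -> bool:
    return bool(mode & 0o111)


def _setuid(mode: int) -> bool:
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))


def detect_drift(image: Dict[str, FileEntry], running: Dict[str, FileEntry]) -> List[Tuple[str, str]]:
    """Return (finding_type, path) for every deviation from the approved image."""
    findings = []
    for path, live in running.items():
        if path.startswith(IGNORE_PREFIXES):
            continue
        base = image.get(path)
        if base is None:
            # Anything that appeared after start is drift; an executable is the
            # dangerous case, since the image is supposed to carry all the code.
            findings.append(("new_executable" if _executable(live.mode) else "new_file", path))
            continue
        if live.digest != base.digest:
            findings.append(("modified_binary" if _executable(base.mode) else "modified_file", path))
        if _setuid(live.mode) and not _setuid(base.mode):
            findings.append(("privilege_escalation", path))
        if _executable(live.mode) and not _executable(base.mode):
            findings.append(("made_executable", path))
    return findings


def enforce(findings: List[Tuple[str, str]]) -> Tuple[List[str], List[str]]:
    """Split findings into paths that get blocked and paths that only raise an alert."""
    blocked = [p for t, p in findings if t in BLOCK]
    alerted = [p for t, p in findings if t not in BLOCK]
    return blocked, alerted


# Constructed image manifest and runtime snapshot.
IMAGE = {e.path: e for e in [
    FileEntry("/usr/bin/app", "d1", 0o755),
    FileEntry("/bin/sh", "d2", 0o755),
    FileEntry("/etc/app.conf", "d3", 0o644),
    FileEntry("/var/log/app.log", "d4", 0o644),
]}
RUNNING = {e.path: e for e in [
    FileEntry("/usr/bin/app", "d1-patched", 0o755),   # binary replaced in place
    FileEntry("/bin/sh", "d2", 0o4755),                # setuid bit added
    FileEntry("/etc/app.conf", "d3-edited", 0o644),    # config edited: alert only
    FileEntry("/var/log/app.log", "d4-grown", 0o644),  # log grew: ignored
    FileEntry("/tmp/dropped.bin", "d5", 0o755),        # executable not in image
]}

if __name__ == "__main__":
    for finding in detect_drift(IMAGE, RUNNING):
        print(finding)
    print(enforce(detect_drift(IMAGE, RUNNING)))
```

Note the three signals it keys on: content (digest mismatch on a binary), presence (an executable with no counterpart in the image) and privilege (a setuid or setgid bit that the image did not grant). A non-executable file changing is still reported, but as an alert rather than a block, since config edits and state files are common and the cost of a false block is high.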
Further Reduce the Attack Surface
When you build images using open source components, as many organizations do, the images have capabilities that were designed for general use cases. However, you will only use a small number of those capabilities in any given application. We recommend whitelisting only the capabilities that are actually used. This zero-trust model reduces the attack surface by making unused capabilities inaccessible. Capabilities that aren’t on your whitelist will be blocked automatically.
Aqua uses machine learning to implement whitelists, which can be further tweaked manually (not a “black box”). Since you do not necessarily know which capabilities will be used in advance, machine learning can identify and monitor appropriate container behavior and stop any suspicious activity before it can wreak havoc. Again, Aqua will not allow specific processes that are not on the whitelist.
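To make the learn-then-enforce idea concrete, here is an added example of a runtime allowlist built from observed process executions. It is not Aqua's product logic: where Aqua uses machine learning, this stand-in simply counts (parent, child) executable pairs over a learning window and requires a minimum number of observations before a pair is trusted automatically, so a single one-off during learning does not silently become "normal". The events, paths and the `MIN_OBSERVATIONS` threshold are all constructed assumptions.

```python
"""Runtime allowlist: added example, not Aqua's product logic. Aqua's
whitelists are built with machine learning; this stand-in uses a plain
observation count over a learning window. Events and paths are constructed."""
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

Event = Tuple[str, str]   # (parent executable, child executable)

# A pair must be seen at least this often during learning to be trusted
# automatically; rarer pairs are held for a human to approve or reject.
MIN_OBSERVATIONS = 2


def learn(events: Iterable[Event], min_obs: int = MIN_OBSERVATIONS) -> Tuple[Set[Event], Dict[Event, int]]:
    """Return (allowlist, pending) where pending holds pairs seen too rarely to trust."""
    counts = Counter(events)
    allow = {e for e, n in counts.items() if n >= min_obs}
    pending = {e: n for e, n in counts.items() if n < min_obs}
    return allow, pending


def enforce(allow: Set[Event], events: Iterable[Event]) -> List[Tuple[str, Event]]:
    """Label each event 'allow' or 'block'; anything not on the allowlist is blocked."""
    return [("allow" if e in allow else "block", e) for e in events]


# Constructed learning-window events from an nginx-style web container.
LEARNING = (
    [("/sbin/init", "/usr/sbin/nginx")] * 5
    + [("/usr/sbin/nginx", "/usr/sbin/nginx")] * 20   # worker processes
    + [("/usr/sbin/nginx", "/usr/bin/logrotate")] * 3
    + [("/sbin/init", "/bin/sh")]                      # one-off during learning
)

# Constructed production events after the allowlist is switched to enforce.
PRODUCTION = [
    ("/usr/sbin/nginx", "/usr/sbin/nginx"),
    ("/usr/sbin/nginx", "/usr/bin/logrotate"),
    ("/usr/sbin/nginx", "/bin/sh"),          # web server spawning a shell
    ("/bin/sh", "/usr/bin/curl"),
]

if __name__ == "__main__":
    allow, pending = learn(LEARNING)
    print("pending manual review:", pending)
    # Manual tweak, as the text describes: an operator can edit the learned list.
    allow.add(("/usr/sbin/nginx", "/usr/bin/certbot"))
    for verdict, ev in enforce(allow, PRODUCTION):
        print(verdict, ev)
```

The returned `pending` dictionary is the manual-review hook: the operator decides whether the rare `/sbin/init -> /bin/sh` pair belongs on the list, instead of the learner deciding for them. In enforce mode the default is to block, so a process the web server was never seen to spawn during learning is stopped before it runs, which is the "not a black box" model the text describes.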
This will be an interesting year for container security. By following proactive best practices throughout the development, testing, staging, and production stages, you can make your containerized applications secure by design.
* Gartner, Inc., Top 10 Security Projects for 2019, Brian Reed, Neil MacDonald, Peter Firstbrook, Sam Olyaei, Prateek Bhajanka, 11 February 2019.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.