Awareness of the dangers, general cyber security principles, and special defensive measures ensure more secure data and processes.
Many companies now use containers they have developed themselves or provided by cloud service providers to implement applications and processes in an agile, fast and flexible manner. However, containers are nothing more than executable applications and a potential security risk. In addition, the servers that host the containers and the registries extend the IT attack surface. Every organization is therefore well-advised not to neglect this new danger zone.
If you want to understand and manage the additional risks posed by containers, you first need to know the basics of container security IT. These are not always known. So what is a container, or rather: how is it built? Every developer – whether in the company or at the service provider – who makes a container takes those images that he needs for his functionalities from a central registry with processes and bundles them into his dedicated mini-application, which ideally is as lean as should be possible.
These registries as building blocks of the new containers are either public or proprietary to the company or cloud service provider. To guarantee resilience if a container fails, the developers redundantly combine containers in clusters: the other takes over its task if one container fails. These clusters are orchestrated, automated and managed via platforms such as Kubernetes.
Risk Factor Portability
The containers as a cluster group can be ported anywhere and used as desired. This cornerstone for agile processes and applications is a decisive argument and, at the same time, a risk factor for using the container. If an image from a registry has a vulnerability, this is also distributed.
Taking into account the structure and use of the containers, there are four areas of container security:
- · the registry from which a user obtains the images for the container;
- · the container runtime;
- · the container host; and
- · the level of container orchestration.
Attackers find their ways to access it. It doesn’t matter how they get access to the network or start their illegal journey in the attacked IT. They get to their destination thanks to sideways movements from any endpoint in the destination network. Once there, they can compromise the registry, the container host with their images, or the clusters with multiple redundant images, or repurpose legitimate images for their purposes. However, it is often also about access to computing resources, which the attackers want to use for their purposes, such as crypto mining or services.
IT security officers should protect the four theaters of container security using the following methods:
Risk Arena 1: Control Images
When using the images – as when using software – caution is required, regardless of whether they come from a public or a private registry, because cybercriminals can target the registry with their attacks. After that, users obtain seemingly legitimate or maliciously manipulated images for download.
Countermeasure: IT managers should only access checked and updated images from a secure source to ensure sufficient security. A slim design also reduces the dangers: Only those containers are on board that a company needs for a process. Once images have been downloaded, updates and checking for reported security risks are part of an administrator’s job specification.
Risk Arena 2: Keeping An Eye On The Container Runtime
If attackers control the runtime of a container, they have numerous and potentially fatal avenues open to them. They can freely port a vulnerability within the corporate network and run their commands there. If they want, they can use a legitimate image – such as an entire Ubuntu operating system – as a backdoor container. They also gain access to a host through a container.
Countermeasure: A robust protection of the container runtime monitors the processes in a container and the associated cost. Regular image updates maintain security.
Risk Arena 3: Securing The Container Host
If cybercriminals gain access to the container host environment, they have access to all processes controlled from there. Also, they can now run their containers due to the vulnerabilities of the container servers or the container runtimes.
Countermeasure: Linux distributions that were specially developed for operating containers are recommended. Each host server also requires its security control. Equally important is the quick response to newly disclosed vulnerabilities. General guidelines for a secure configuration of operating systems also promote security – if you stick to them.
Risk Arena 4: Container Orchestration
Attackers also want to administrate the container clusters and thus access attack targets directly. The cluster layer gives them enormous reach: Access data for a Kubernetes cluster in a public cloud is the key to manipulating the entire collection of service providers. This may not apply to large providers, but it applies to smaller providers. An externally exposed orchestration dashboard becomes a backdoor to manage clusters remotely without authorization.
Countermeasure: Role-based access controls and economical assignment of rights reduce the risks. Hosters or IaaS providers should not be able to change anything in the existing containers without the consent of the cloud customers. In addition, security benefits from secured communication between the pods on a Kubernetes cluster shared by different applications.
A New Danger Scene Requires A New Risk Awareness
Container security starts with becoming aware of the resulting new dangerous situation. Anyone who has gained an understanding of this can use suitable measures to avert danger and increase the safety of the containers. And just as hackers transfer all mechanisms and motives for their attacks from average IT to containers, IT defence should also apply classic IT security rules of conduct to containers: vulnerability control, patching, automated security, and guidelines and training for all those involved. A zero-trust approach also offers valuable protection. Modern IT security platforms also use Endpoint Detection and Response (EDR) solutions and Managed Detection and Response (MDR) services for a layered defense.
Also Read: How Can Banks Improve Their Cybersecurity?
