
The state of container security: Tools, policy trail the technology

Christopher Null, Freelance writer

Gartner recently included container security as one of its Top 10 Security Projects for 2019. However, container technology remains something of a mystery to many cybersecurity pros.

That unfamiliarity is complicated by a lack of adequate tools on this front: ESG data says that more than 30% of security pros indicate that their organization's current security solutions don't support containers and that most of the specialized tools available are immature offerings from startup companies.

Jay Chen, senior cloud vulnerability and exploit researcher at Unit 42 for Palo Alto Networks, said the finding was not surprising.

"Most security teams have only started to take notice of containers in the last year despite them being around for a long time. We hear about new container technologies and tools every few weeks, and a lot of them are still under development. Keeping up with all these new tools can be overwhelming and frustrating."
—Jay Chen

Here's what top security pros say about how the rapid rise of containers has complicated their jobs—and what steps you can take to improve your organization's container security.


A brave and befuddling new world

Container security is inherently complicated because it includes everything from static to dynamic to runtime security, said Jerry Gamblin, principal security engineer at Kenna Security.

When a container security program is built out, it typically ends up mirroring the network security model that most organizations have spent years putting together and fine-tuning.

"Container security is in its infancy, and there aren't a lot of precedents yet on the 'right' way to do it, so there are a lot of different tools and approaches."
—Jerry Gamblin

Tim Hinrichs, co-founder and CTO of Styra, explained that in the containerized, cloud-native, DevOps world, the new model of "everything as code" means that configuration and policy are dictated and automated by the environment and the workloads themselves. "They're not handled by some external box or service," he said.

Just as open source offers many solutions in this new environment—including the containers themselves, the management of those containers, and the automations required to keep things operational, testable, and monitored—security is also seeing a strong open-source push.

This allows development teams to implement quickly and achieve great point solutions right away. But because there's no procurement process and little overhead, dev teams can choose solutions without involving dedicated security teams, which usually results in a disconnect.

"The technology across the cloud-native stack is indeed new, which means legacy security tools from 'the approved vendor list' aren't often applicable. The new tools aren't unproven; they just come from newer names in the security space. Many of these tools have been proven in production over years and in thousands of instances."
—Tim Hinrichs

The rub, he said, is that DevOps teams can and often do make choices more quickly and without necessarily involving multiple teams in IT—and that inherently brings risk.


Containers are not the problem; processes are

Although researchers have discovered a handful of security flaws in Docker and Kubernetes, Palo Alto Networks' Chen said the number of vulnerabilities found in them is still relatively low compared to other open-source projects.

"The majority of the container security incidents are due to configuration mistakes during deployment. Container orchestration platforms are complex and can be daunting to manage for some organizations."
—Jay Chen

With the layers of abstraction and integration built into many tools, it's easy to miss critical settings that put the entire platform at risk. Chen said his company's threat intelligence team recently discovered that deploying containers with default settings can leave them vulnerable to exploits and to the leakage of sensitive data.

"Most container tools have built-in security features, but it’s up to the users to enforce these security functions consistently."
—Jay Chen

Styra's Hinrichs said the biggest challenge to container security isn't posed by the technology or tooling, but rather by a lack of collaboration between development and security. DevOps is proven at this point and has accelerated application delivery in a very real and dramatic way, he said. Operations are automated and efficient in ways "we only dreamed of years ago."

But DevSecOps, while getting a lot of ink, isn't a mature process yet, he said.

"Lots of true security knowledge is still locked away in IT. Without the tooling and talent to bridge that into the modern development cycle, enterprises run the risk of exposure."
—Tim Hinrichs

Evaluating your container security

Ultimately, container security is no different from network security, Kenna Security's Gamblin said. And organizations frequently deal with the same challenge when it comes to both: The inability to gain a complete view of what is running and why.

Styra's Hinrichs suggests starting this process by asking a few insightful questions:

  • What happens if a bad actor gets access to developer credentials?
  • Where do my policies exist?
  • Are they enforced by automation or by human best effort?
  • Would we know if malicious code was running in our environment?
  • How many ways can workloads talk to the Internet?
  • Can I validate what is out of compliance?
  • Can I stop noncompliant workloads from running?

Answering any of these questions can quickly highlight where risk is high or, conversely, prove where teams have strong control over their environments, Hinrichs said.
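The two questions that matter most operationally are "Can I validate what is out of compliance?" and "Can I stop noncompliant workloads from running?", and Chen's point above is that the settings most often missed are the permissive defaults. The following is an added example written for this article, not code from Styra, Unit 42, or any vendor quoted here: a small audit that parses a Kubernetes Pod manifest, flags well-known permissive defaults (privileged, hostNetwork/hostPID/hostIPC, runAsNonRoot, allowPrivilegeEscalation, readOnlyRootFilesystem, dropped capabilities, untagged images), and returns an admission-style allow/deny decision. The rule set, severity labels, and the two sample manifests are the author's own constructions, not a published benchmark or a real cluster's workloads.

```python
"""Audit Kubernetes Pod manifests for settings that are permissive by default.

Added example for this article, not code from Unit 42, Styra or any vendor
quoted above. The field names are real Pod-spec fields; the rule set and
the severity labels are assumptions chosen for illustration.
"""
import json

# Constructed sample manifests (not taken from any real cluster).
PERMISSIVE_POD = json.dumps({
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {
        "hostNetwork": True,                       # shares the host network namespace
        "containers": [{
            "name": "app",
            "image": "registry.example.internal/app",   # untagged: floats to :latest
            "securityContext": {"privileged": True},
        }],
    },
})

HARDENED_POD = json.dumps({
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},     # pod-level, inherited by containers
        "containers": [{
            "name": "app",
            "image": "registry.example.internal/app@sha256:" + "0" * 64,  # pinned by digest
            "securityContext": {
                "privileged": False,
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
})


def _container_findings(pod_ctx, c):
    """Findings for one container; container securityContext overrides pod-level."""
    ctx = dict(pod_ctx)
    ctx.update(c.get("securityContext") or {})
    name = c.get("name", "<unnamed>")
    out = []
    if ctx.get("privileged"):
        out.append(("HIGH", name, "privileged: true grants full host device and kernel access"))
    if ctx.get("allowPrivilegeEscalation", True):   # Kubernetes default is true
        out.append(("MEDIUM", name, "allowPrivilegeEscalation not set to false"))
    if not ctx.get("runAsNonRoot"):
        out.append(("MEDIUM", name, "runAsNonRoot not enforced; container may run as uid 0"))
    if not ctx.get("readOnlyRootFilesystem"):
        out.append(("LOW", name, "root filesystem is writable"))
    if "ALL" not in (ctx.get("capabilities") or {}).get("drop", []):
        out.append(("LOW", name, "capabilities not dropped (drop: [ALL] missing)"))
    image = c.get("image", "")
    last = image.rsplit("/", 1)[-1]                 # ignore a registry host:port prefix
    if "@sha256:" not in image and (":" not in last or last.endswith(":latest")):
        out.append(("MEDIUM", name, f"image '{image}' is untagged or :latest"))
    return out


def audit_pod(manifest_json):
    """Parse a Pod manifest (JSON string) and return (severity, where, message)
    findings. An empty list means the manifest passes every rule."""
    pod = json.loads(manifest_json)
    spec = pod.get("spec", {})
    findings = []
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append(("HIGH", "<pod>", f"{flag}: true shares a host namespace"))
    pod_ctx = spec.get("securityContext") or {}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        findings.extend(_container_findings(pod_ctx, c))
    return findings


def admit(manifest_json, block_at="HIGH"):
    """Admission-style decision: False if any finding is at or above block_at."""
    rank = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}
    return not any(rank[s] >= rank[block_at] for s, _, _ in audit_pod(manifest_json))


if __name__ == "__main__":
    for label, manifest in (("permissive", PERMISSIVE_POD), ("hardened", HARDENED_POD)):
        print(f"{label}: admit={admit(manifest)}")
        for sev, where, msg in audit_pod(manifest):
            print(f"  [{sev}] {where}: {msg}")
```

Run against the permissive manifest it reports both HIGH findings (host networking and a privileged container) plus the missed defaults, and `admit` returns False; the hardened manifest produces no findings. In a real cluster the same rule logic would sit behind a validating admission webhook so that the answer to "can I stop noncompliant workloads" is enforced by automation rather than by human best effort; this script is the policy, not the enforcement hook.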

If your organization is just starting to use container technology, begin the security process by surveying the teams involved to see what security resources and guidelines they are referencing for their proposed projects, said Bob Peterson, CTO architect for Sungard Availability Services.

"If they are thinking about security before they start, there is a better chance of success. However, if there's a lack of any security references, that's a fairly good indicator that the organization may be facing an increased risk with the technology."
—Bob Peterson

And as daunting as tackling a new technology can be, remember that in the long run containers should help, not hinder, your security efforts.

More things can go wrong

Containers can provide a big security benefit, because compromised workloads are theoretically isolated and can often be destroyed and spun back up with little to no impact on production overall, Styra's Hinrichs said.

But since the containerized environment is more complex than yesterday’s monolithic app stack, there are far more places for security to go wrong or for policy to be lacking.

"Securing this new environment still has the same building blocks—network, storage, compute, etc., but deploying security policy in an ephemeral environment takes new technology and a new set of skills."
—Tim Hinrichs
