Container Security

Secure your container infrastructure

While many companies secure their classic IT with on-board tools such as SELinux and Windows Defender and also use firewalls successfully against external threats, they are far less restrictive in their container environments. Implementing a few standards already achieves a high level of security there.

Contact

Michael Lötzsch
Technical Director
+49 351 4400 8114
+49 151 6243 2605
mloetzsch@proficom.de

Security throughout the entire lifecycle

Container security is a complex topic. Many companies rely on Windows Defender, SELinux and external firewalls to secure their classic IT infrastructure.

At the same time there is a great deal of shadow IT for which nobody feels responsible and which is often only inadequately secured, for example with a password such as "1234". With containers, whether Docker, Kubernetes or OpenShift, the complexity of the IT landscape has grown again, and the short lifetime of a container makes it difficult to verify its security properties. There is also the risk that users simply trust images that merely appear trustworthy.

Nevertheless, containers can be secured in a lasting way and protected against attacks and misuse. Container security starts with the container lifecycle, which can be divided into the phases build, deploy and run. In each phase we raise the level of security by looking at which components play a role and how each of them can be hardened.

We are happy to support you in developing and implementing your individual container security strategy through:

  • Process-based safeguarding of the components involved
  • Securing the entire container platform
  • Safeguarding containers during operation

Build - securing the components involved

During the build phase, it is important to secure the individual components that are involved in the build process.

This is achieved by using third-party content only from trustworthy sources, or by operating your own private container registry with an integrated vulnerability scanner. Any image that you want to use but did not build yourself should be checked for security gaps before use, and only images that you have checked yourself should be deployed.

Another way to raise the level of security during the build phase is automation. Scans of container images check for known vulnerabilities in the packages they contain and for misconfigurations such as clear-text passwords or processes that run as root. They should be an integral part of every CI/CD pipeline, so that an image that fails the scan is never pushed to the registry.

In addition, security-relevant processes (for example fetching credentials or certificates) should where possible be moved into init containers that run during pod initialization, or handled by a sidecar container that obtains secrets at runtime from a service such as Vault, so that secrets never have to be baked into the image.
 

  • Private container registry for checked images
  • CI/CD pipelines with integrated vulnerability scans
  • No clear-text passwords and no root privileges in images
  • Init containers for security-relevant processes

Deploy - securely set up the container platform

In the deploy phase, the container platform itself must be secured so that it offers as little attack surface as possible.

The choice of the operating system underneath the container platform plays a major role here. In a Kubernetes or OpenShift cluster in particular, it makes sense for all node operating systems to be configured identically and, ideally, rolled out automatically.

The operating system should be one designed for running containers that allows only a few system settings to be changed. Beyond the operating system, the container platform needs a solid role and authorization concept (role-based access control), so that outsiders cannot gain access to the platform and each user has only the rights they need.

Single sign-on based on Active Directory can also be implemented so that only registered users can log on to the platform. An important point in operating the platform is to enforce policies that prevent so-called privileged pods, which have de facto administrative rights on the node's operating system, from being deployed, as they pose a particularly high security risk.
 

  • Choose a container-optimized operating system with as few changeable system settings as possible as the base of the container platform (e.g. Red Hat Enterprise Linux CoreOS)
  • Configure login to the container platform via single sign-on
  • Implement a role and authorization concept for the container platform
  • Set up policies that, among other things, prevent privileged pods and the deployment of images with known security gaps
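
The following is an added example (not a Kubernetes or OpenShift component) of the rule set such a policy would enforce: it validates a Pod manifest the way a validating admission webhook or policy engine does before the pod reaches a node, rejecting privileged containers, host namespaces, hostPath mounts, missing non-root settings and images that do not come from the private registry of the build phase. The registry name and the two sample manifests are assumptions.

```python
"""Deploy-time policy check for Pod manifests, the kind of rule set a validating
admission webhook or policy engine enforces before a pod is scheduled.
Added example, not a Kubernetes or OpenShift component; registry name and
sample manifests are assumptions."""

ALLOWED_REGISTRY = "registry.example.internal"  # assumed private registry from the build phase
ALLOWED_ADD_CAPS = {"NET_BIND_SERVICE"}          # only capability a workload may add back


def _all_containers(spec):
    return (spec.get("initContainers", []) + spec.get("containers", [])
            + spec.get("ephemeralContainers", []))


def pod_violations(pod):
    """Return a list of violations; an empty list means the pod is admitted."""
    v = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    # Host namespaces and hostPath mounts give a pod a foothold on the node itself.
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            v.append(f"spec.{field}=true shares a host namespace")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            v.append(f"volume {vol.get('name')}: hostPath exposes the node filesystem")
    for c in _all_containers(spec):
        name = c.get("name", "?")
        sc = c.get("securityContext", {})
        caps = sc.get("capabilities", {})
        if sc.get("privileged"):
            v.append(f"container {name}: privileged=true (de facto root on the node)")
        if sc.get("allowPrivilegeEscalation", True):
            v.append(f"container {name}: allowPrivilegeEscalation must be false")
        # runAsNonRoot may be set at pod level; a container-level value overrides it.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            v.append(f"container {name}: runAsNonRoot must be true")
        if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
            v.append(f"container {name}: runAsUser 0 is root")
        if "ALL" not in caps.get("drop", []):
            v.append(f"container {name}: must drop ALL capabilities")
        extra = set(caps.get("add", [])) - ALLOWED_ADD_CAPS
        if extra:
            v.append(f"container {name}: adds disallowed capabilities {sorted(extra)}")
        image = c.get("image", "")
        if not image.startswith(ALLOWED_REGISTRY + "/"):
            v.append(f"container {name}: image {image!r} is not from {ALLOWED_REGISTRY}")
    return v


# Constructed sample manifests (as a client library would hand them to the webhook).
PRIVILEGED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug"},
    "spec": {
        "hostPID": True,
        "containers": [{"name": "shell", "image": "docker.io/library/alpine:latest",
                        "securityContext": {"privileged": True}}],
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
    },
}

HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{"name": "web",
                        "image": "registry.example.internal/team/web:1.4.2",
                        "securityContext": {
                            "allowPrivilegeEscalation": False,
                            "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}}],
    },
}

if __name__ == "__main__":
    for pod in (PRIVILEGED_POD, HARDENED_POD):
        found = pod_violations(pod)
        print(pod["metadata"]["name"], "->", "DENY" if found else "ADMIT")
        for line in found:
            print("  ", line)
```

The checks correspond to what the Kubernetes "restricted" Pod Security Standard asks for, plus an image-origin rule that ties the deploy phase back to the checked registry from the build phase; a real webhook would return them as the admission response's status message.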

Run - safety during container operation

While the first two phases work towards a secure container environment and images without security gaps, the run phase is about protecting containers while they are running.

Container platforms rely on isolating containers and applications from one another. Using network policies, it makes sense to implement microsegmentation within the software-defined network, so that each workload can reach only the data and applications it actually needs and an attacker who compromises one pod cannot move freely to the others.

Container platforms such as OpenShift can also encrypt pod-to-pod traffic, for example with mutual TLS in a service mesh. With the help of sidecar containers, application pods can be given additional logging and monitoring agents that report to the central monitoring or logging system and enable real-time evaluation and alerting.

Container platforms also offer runtime threat detection, which makes it possible to react to attacks or to atypical behaviour of pods.
 

  • Implement microsegmentation within software-defined networks
  • Encrypt pod-to-pod traffic in service mesh applications
  • Deploy sidecar containers for logging and monitoring
  • Use the built-in threat detection mechanisms of the container platforms
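
To make the microsegmentation point concrete, here is an added example (not part of any CNI plug-in or platform) that evaluates Kubernetes NetworkPolicy objects offline and answers "may pod A talk to pod B on this port?" using the real semantics: a pod with no policy selecting it accepts everything, a pod selected by any Ingress policy accepts only what the union of those policies' rules permits, a podSelector alone refers to the policy's own namespace, and podSelector plus namespaceSelector in one entry are combined with AND. The three-tier shop, the monitoring namespace and the four policies are constructed for the example; matchExpressions and ipBlock peers are left out.

```python
"""Evaluate Kubernetes NetworkPolicies offline to see which pod-to-pod flows a
microsegmentation design actually permits. Added example, not part of any
CNI or platform; pods, namespaces and policies below are constructed."""


def labels_match(selector, labels):
    """matchLabels semantics: an empty selector matches everything.
    (matchExpressions are left out to keep the example short.)"""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def _port_ok(rule, port):
    ports = rule.get("ports")
    return not ports or any(p.get("port") == port for p in ports)


def _peer_ok(rule, src, dst, namespaces):
    """'from' entries are OR-ed; podSelector and namespaceSelector inside one
    entry are AND-ed; a podSelector alone refers to the policy's own namespace."""
    if "from" not in rule:
        return True  # a rule without 'from' admits any source
    for peer in rule["from"]:
        if "ipBlock" in peer:
            continue  # CIDR peers are out of scope here
        ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
        if ns_sel is None:
            ns_ok = src["namespace"] == dst["namespace"]
        else:
            ns_ok = labels_match(ns_sel, namespaces.get(src["namespace"], {}))
        pod_ok = pod_sel is None or labels_match(pod_sel, src["labels"])
        if ns_ok and pod_ok:
            return True
    return False


def ingress_allowed(src, dst, policies, namespaces, port):
    """If no policy in dst's namespace selects dst for Ingress, all traffic is
    allowed; otherwise some ingress rule of a selecting policy must permit
    src on that port."""
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == dst["namespace"]
                 and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
                 and labels_match(p["spec"].get("podSelector", {}), dst["labels"])]
    if not selecting:
        return True
    return any(_port_ok(r, port) and _peer_ok(r, src, dst, namespaces)
               for p in selecting for r in p["spec"].get("ingress", []))


# Constructed three-tier shop plus a monitoring namespace.
NAMESPACES = {"shop": {"kubernetes.io/metadata.name": "shop"},
              "monitoring": {"kubernetes.io/metadata.name": "monitoring"}}
WEB = {"namespace": "shop", "labels": {"app": "web"}}
API = {"namespace": "shop", "labels": {"app": "api"}}
DB = {"namespace": "shop", "labels": {"app": "db"}}
PROM = {"namespace": "monitoring", "labels": {"app": "prometheus"}}


def _policy(name, pod_selector, ingress):
    return {"metadata": {"name": name, "namespace": "shop"},
            "spec": {"podSelector": pod_selector, "policyTypes": ["Ingress"],
                     "ingress": ingress}}


POLICIES = [
    # Default deny: selects every pod in "shop" and permits nothing by itself.
    _policy("default-deny-ingress", {}, []),
    _policy("allow-web-to-api", {"matchLabels": {"app": "api"}},
            [{"from": [{"podSelector": {"matchLabels": {"app": "web"}}}],
              "ports": [{"port": 8080}]}]),
    _policy("allow-api-to-db", {"matchLabels": {"app": "db"}},
            [{"from": [{"podSelector": {"matchLabels": {"app": "api"}}}],
              "ports": [{"port": 5432}]}]),
    _policy("allow-metrics-scrape", {},
            [{"from": [{"namespaceSelector": {"matchLabels": {
                "kubernetes.io/metadata.name": "monitoring"}}}],
              "ports": [{"port": 9100}]}]),
]

if __name__ == "__main__":
    for s, d, port in [(WEB, API, 8080), (WEB, DB, 5432), (API, DB, 5432),
                       (PROM, DB, 9100), (PROM, DB, 5432)]:
        verdict = ingress_allowed(s, d, POLICIES, NAMESPACES, port)
        print(f"{s['labels']['app']} -> {d['labels']['app']}:{port}  {'ALLOW' if verdict else 'DENY'}")
```

The important property the run shows is that the web tier cannot reach the database directly even though both sit in the same namespace, and that a namespace with no policies at all (here "monitoring") remains wide open; the default-deny policy is what turns the allow rules into real segmentation.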
Security tools for containers

OpenShift

With OpenShift, Red Hat offers a container orchestration platform that is based on Kubernetes and extended with enterprise features.

 

Quay

Quay is a container registry that securely stores, distributes and rolls out container images, regardless of the underlying infrastructure.

Falco

Falco is a cloud-native open source project that has become the de facto standard for runtime threat detection on container platforms.

Outlook on the future of applications: Zero Trust scenarios 

The future of application development has already begun with container technology. According to industry experts, application security is increasingly becoming the focus of IT security departments in companies at a time when ever more serious security gaps are occurring in development and operation.

The trend is towards zero trust scenarios in which the strongest available security mechanisms are applied in every phase of the lifecycle. In the build phase this includes rootless builds, encrypted container images, keyless image signing and a largely automated build process.

The deploy phase will be characterized by strict tenant separation and by container images certified by third parties.

In the run phase, automated service mesh policies will be indispensable for securing the complex interactions between the pods of an application. In addition, container platforms are becoming more intelligent over time and will be able to suggest rules or recommended actions based on observed application behaviour.

Any questions?

We are happy to provide you with know-how, specific support services and associated license and support offers.
