Container adoption has surged over the past few years. Now that containers have a serious foothold in the enterprise, questions are arising about how well they actually protect the workloads they run.
Perhaps the fundamental question is, just how secure are containers?
Stop Assuming You’re Protected
Many seem to think containers are inherently secure, that they somehow confer magical protection against malware. But Dan Walsh, a Senior Engineer at Red Hat, says IT managers need to stop assuming that Docker and the Linux kernel protect them from malware.
Unfortunately, few appear to have heeded that warning. The 2021 Cloud Native Security Survey by Aqua Security found that only 3% of respondents recognized that a container, by itself, is not a security boundary. Only 24% of respondents had plans in place to deploy the building blocks needed for runtime security.
And despite reports showing the increased sophistication of cloud-native attacks, only 18% of respondents realized they are at risk for zero-days in containerized environments. This indicates that the default security capabilities of containers are overestimated by many.
“When practitioners fail to implement a holistic approach with protecting their workloads at runtime, they are opening up their environments to attackers, since even the most complete ‘shift left’ vulnerability and malware detection cannot prevent zero-day attacks and administrator errors,” said Amir Jerbi, cofounder and CTO at Aqua.
Containers Are Not a Strong Security Boundary
Part of the confusion on container security may be due to the concept of what constitutes a security boundary. “A security boundary provides a logical separation between the code and data of security domains with different levels of trust,” according to Microsoft. “For example, the separation between kernel mode and user mode is a classic and straightforward security boundary.”
Red Hat's position is that while containers provide some access restrictions, they cannot be considered a strong security boundary: every container shares the host kernel, and attackers can work around those restrictions.
What many in IT fail to realize is that container isolation is not one mechanism but several independent kernel features layered together: namespaces, control groups, Linux capabilities, seccomp filters and LSM policies such as SELinux or AppArmor. These layers do not overlap precisely, and the gaps between them, especially when a container runs privileged, with extra capabilities, with a host path mounted or inside a host namespace, make it relatively straightforward to bypass container isolation.
Differences between popular container environments such as Docker and Kubernetes add to the confusion. A safeguard that is on by default on one platform may be available but disabled by default on another: Docker, for example, applies a default seccomp profile to every container, while Kubernetes leaves seccomp unconfined unless the pod spec requests a profile or the kubelet is configured to apply one by default. There is therefore no room for complacency when it comes to container security.
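To make those gaps concrete, here is an added example written for this article, not code from Aqua, Red Hat or the Kubernetes project. It audits a pod manifest (JSON form, as `kubectl` also accepts) for the settings that most often defeat container isolation, and compares a constructed weak pod against a hardened one. The sample manifests, image names and the list of checks are assumptions for illustration; the checks cover common gaps, not every possible one.

```python
"""Added example: audit a Kubernetes pod manifest for isolation gaps.

Illustrative code written for this article, not Aqua's, Red Hat's or
Kubernetes' own tooling. Only the fields listed in CHECKS are examined;
the sample manifests below are constructed for the example.
"""
import json


def _ctx(container, pod):
    """Effective securityContext: container-level keys override pod-level."""
    merged = dict(pod.get("securityContext", {}))
    merged.update(container.get("securityContext", {}))
    return merged


def _finding_privileged(pod, c):
    return _ctx(c, pod).get("privileged") is True


def _finding_host_namespaces(pod, c):
    return any(pod.get(k) for k in ("hostPID", "hostNetwork", "hostIPC"))


def _finding_priv_esc(pod, c):
    # Privilege escalation (setuid binaries etc.) is allowed unless set to false.
    return _ctx(c, pod).get("allowPrivilegeEscalation", True) is not False


def _finding_seccomp(pod, c):
    # Kubernetes runs containers seccomp-unconfined unless a profile is requested
    # (unlike Docker's default profile); accept RuntimeDefault or Localhost.
    prof = _ctx(c, pod).get("seccompProfile", {}).get("type", "Unconfined")
    return prof not in ("RuntimeDefault", "Localhost")


def _finding_caps(pod, c):
    added = set(_ctx(c, pod).get("capabilities", {}).get("add", []))
    dangerous = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN",
                 "DAC_READ_SEARCH", "ALL"}
    return bool(added & dangerous)


def _finding_root(pod, c):
    return _ctx(c, pod).get("runAsNonRoot") is not True


def _finding_host_path(pod, c):
    return any("hostPath" in v for v in pod.get("volumes", []))


CHECKS = [
    ("privileged container (disables most isolation)", _finding_privileged),
    ("shares a host namespace (hostPID/hostNetwork/hostIPC)", _finding_host_namespaces),
    ("allowPrivilegeEscalation not set to false", _finding_priv_esc),
    ("no seccomp profile (Kubernetes default is Unconfined)", _finding_seccomp),
    ("dangerous Linux capabilities added", _finding_caps),
    ("runAsNonRoot not enforced", _finding_root),
    ("hostPath volume mounts the host filesystem", _finding_host_path),
]


def audit_pod(manifest: dict) -> list:
    """Return '<container>: <issue>' strings for every check that fires."""
    pod = manifest.get("spec", manifest)  # accept a Pod or a bare PodSpec
    findings = []
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        for desc, fn in CHECKS:
            if fn(pod, c):
                findings.append(f"{c['name']}: {desc}")
    return findings


# Constructed sample manifests (assumptions, not from the article). WEAK looks
# like many copied-from-a-tutorial pods; HARDENED closes each gap explicitly.
WEAK = json.loads("""{
  "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
  "spec": {
    "hostPID": true,
    "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
    "containers": [{"name": "app", "image": "example/app:1.0",
      "securityContext": {"privileged": true,
                          "capabilities": {"add": ["SYS_ADMIN"]}}}]
  }}""")

HARDENED = json.loads("""{
  "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
  "spec": {
    "securityContext": {"runAsNonRoot": true,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "app", "image": "example/app:1.0",
      "securityContext": {"allowPrivilegeEscalation": false,
                          "capabilities": {"drop": ["ALL"]}}}]
  }}""")

if __name__ == "__main__":
    for label, manifest in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{label}: {audit_pod(manifest) or ['no findings']}")
```

Run it and the weak pod produces seven findings while the hardened pod produces none. The point of the hardened manifest is that each layer has to be enabled deliberately: dropping capabilities does nothing about seccomp, and requesting a seccomp profile does nothing about a privileged flag or a hostPath mount. The same checks apply to Docker with different spelling (`--privileged`, `--pid=host`, `--cap-add`, `-v /:/host`), which is exactly the cross-platform inconsistency the text warns about.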
According to Aqua, as container-based environments have become more prevalent, and attacks on them more dangerous, attackers have become proficient at hiding their methods and evading defenses such as static image scanning. Aqua's figures show its honeypots were attacked 17,358 times over a six-month period, a 26% increase over the previous six months.
Supplement Container Security With DiD
Aqua recommends holistic cloud-native security, including runtime protection, to catch attackers who have evaded build-time detection and already have access to a production environment.
“Holistic cloud-native security is not just about runtime security or any other one focus area, it is about ensuring the entire application lifecycle is covered, from the build to the infrastructure and the workloads,” said Jerbi.
Like everything else in security, the sensible approach is defense in depth (DiD). Containers do offer some security protections, as do firewalls. But no one in IT is foolish enough to rely solely on a firewall, and no one should be naïve enough to trust everything to the built-in isolation features of containers.
Just as everyone had to learn that the security provided by cloud providers was not foolproof, so people are learning to supplement container isolation with a standard DiD approach: hardened images and scanning at build time, least-privilege configuration at deploy time, and runtime monitoring in production.