When it comes to securing containers one has to consider a holistic approach. Besides the security and integrity of the images one needs to ensure the container infrastructure i.e the container management system such as Kubernetes orchestrator and the virtual machines or hosts where the orchestrator is running are properly secured. Even though the container deployments are generally immutable one still needs to ensure there are no drifts in the runtime security posture of the containers. Basically, container security can be broadly categorized as follows.
- Image assurance
- Infrastructure security
- Runtime security
In this article we discuss these three broad categories of container security and these are being implemented in our flagship HyTrust Cloud Control (HTCC) product version 6.0 that is currently in early access and slated to be generally available in early 2019.
End to End Security for Containers
The focus of Image Assurance is two fold:
- Ensure the images that are being built are properly secured before pushing them into the container registries. For example, during the continuous Integration (CI) phase, make sure proper security controls are in place to scan the images for vulnerabilities and digitally sign the images before placing them in registries.
- During the Continuous Deployment/Delivery (CD) phase, make sure proper security policies are in place to ensure only the relevant images are being allowed to be deployed. For example, you might want to have more stringent policies for production environments running sensitive workloads vs developer environments. Such policies could have rules based on the following:
- Not allow public registries
- Only allow select private registries
- Maintain a whitelist/blacklist of images based on attributes such as version, vendor, content etc.
- Vulnerabilities in the image
2. Infrastructure Security
The infrastructure where the container is running has to be properly secured. The following has to be considered:
- The container management system such as Kubernetes orchestrator has to be properly hardened based on industry best practices such as CIS benchmarks or regulations.
- Proper fine grained access control needs to be implemented on the Kubernetes orchestrator.
- The infrastructure where Kubernetes is running has to be properly secured as well. For example, if Kubernetes is being deployed on AWS make sure the EC2 instances and the corresponding AWS account are properly hardened based on industry best practices such as CIS benchmarks for AWS. In the case of Kubernetes running on vSphere make sure the ESXi hosts are properly hardened. Also, the vCenter has to be suitably protected with proper access control.
3. Runtime Security
Container security will not be complete without proper runtime monitoring to ensure the security posture of the containers hasn’t drifted from its desired state. Basically, you need to consider the following:
- Watch out for new vulnerabilities that may be applicable to already deployed images and take corrective action.
- Protect against unauthorized SSH/exec activity into running containers.
- Baseline the system calls being used by a container and flag if/when drifts happen.
- Have proper network segmentation in place and alert when non standard network activity is detected i.e port scanning, connection to the internet etc.
HyTrust Cloud Control (HTCC) 6.0 provides rich security controls for all the categories discussed above. It is currently in early access and slated for release in early 2019.
Stay tuned for further blogs as we deep dive into the various security controls in HyTrust CloudControl (HTCC) 6.0. Also, if you haven’t already, please take a look at our recent blog on securing a multi cloud environment.