Misconfigured Containers Open Security Gaps - InformationWeek

Commentary
10/18/2019
08:00 AM
John Edwards

Misconfigured Containers Open Security Gaps

Laziness, inattention and poor management practices make containerized applications vulnerable to invasion and attack. Fortunately, establishing strong safeguards is fast and easy.

Image: Coloures Pic - stock.adobe.com

One of the biggest cloud security threats facing enterprises today is the problem of improperly configured containers, according to experts such as Mike Sprunger, senior manager of cloud and network security at Fortune 500 technology provider Insight Enterprises.

Sprunger noted in an interview that despite warnings to the contrary, many IT teams still fail to limit access to containerized applications, effectively opening access to anyone, including invaders and attackers. Containers are frequently deployed with the default security configurations, which don’t provide enough protection for enterprise security, he observed.

Complicating the problem is that many enterprises don’t use the identity and access management policies that are now available to control access to containerized applications. "Default security configurations are similar to owning a rowboat with a screen door in the bottom," Sprunger quipped.


The knowledge gap surrounding security risks and the blunders it causes are, by far, the biggest threat to organizations using containers, observed Amir Jerbi, co-founder and CTO of Aqua Security, a container security software and support provider. "Vulnerabilities in container images -- running containers with too many privileges, not properly hardening hosts that run containers, not configuring Kubernetes in a secure way -- any of these, if not addressed adequately, can put applications at risk," he warned. Examining the security incidents targeting containerized environments over the past 18 months, most were not sophisticated attacks but simply the result of IT neglecting basic best practices, he noted.

Beyond basic security

Ensuring that container environments conform to enterprise security requirements is the cloud service customer's responsibility -- not the service provider's. "There are best practices for container security, such as those outlined in NIST Special Publication 800-190, which provide a good jumping off point for container configurations, but specific measures should be aligned with application requirements," Sprunger said.


While most container environments meet basic security requirements, they can also be more tightly secured. It's important to sign your images, suggested Richard Henderson, head of global threat intelligence for security technology provider Lastline. "You should double-check that nothing is running at the root level."
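As an added illustration of Henderson's "nothing running at the root level" advice and Jerbi's warning about containers with too many privileges (this is example configuration, not from the article or any of the vendors quoted), here is a Kubernetes Pod manifest that replaces the permissive defaults with a hardened security context. The pod name, UID 10001 and the image reference are assumptions; the image digest is a placeholder.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: web-hardened                      # assumed name
spec:
  automountServiceAccountToken: false     # default true: hands the app an API token it rarely needs
  securityContext:
    runAsNonRoot: true                    # kubelet refuses to start a container whose image runs as UID 0
    runAsUser: 10001                      # assumed unprivileged UID that exists in the image
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault                # apply the runtime's default syscall filter instead of none
  containers:
    - name: web
      # Placeholder reference; pin by digest so the image you scanned and signed is the one that runs
      image: registry.example.com/web@sha256:<digest-placeholder>
      securityContext:
        privileged: false                 # never share the host's devices and capabilities
        allowPrivilegeEscalation: false   # default true: stops setuid binaries from regaining root
        readOnlyRootFilesystem: true      # tampering with the image's files at runtime fails
        capabilities:
          drop: ["ALL"]                   # default grants the runtime's broad capability set
      volumeMounts:
        - name: tmp
          mountPath: /tmp                 # the only writable path, backed by a scratch volume
  volumes:
    - name: tmp
      emptyDir: {}
```

Applying this manifest with an image whose Dockerfile still ends as root produces a CreateContainerConfigError rather than a running root process, which is the check Henderson recommends made automatic.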

Unlike traditional, monolithic applications, the orchestrated microservices applications that are typical of containerized environments require security to be built into the entire development and delivery process. "Because of the complexity of the runtime stack, it's impossible to apply security as an afterthought, or rely on network-based and host-based models," Jerbi said. "The ability to automate security into the CI/CD pipeline is crucial for effective security and to prevent regrettable incidents."


Limiting access

Staff should only have access to the applications they actually handle, Jerbi noted. "Additionally, user privilege should be limited and segmented by role," he suggested. For example, the cluster administrator should not be able to disable audit logs. The InfoSec team, meanwhile, should be given visibility into the pipeline and the runtime environments in order to receive security event alerts, yet should not be able to start or stop containers. "Kubernetes has an extensive RBAC (role-based access control) model that can be configured to handle such requirements," Jerbi explained.
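As an added example of the RBAC segmentation Jerbi describes (example configuration, not from the article or from Aqua Security), the following ClusterRole gives an InfoSec group read-only visibility into workloads, logs and events while granting none of the verbs needed to start, stop or exec into containers. The role name and the `infosec` group (expected to come from the cluster's identity provider) are assumptions.

```yaml
# Read-only visibility for the security team: list and watch, never create or delete.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: infosec-viewer                    # assumed name
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log", "events", "namespaces", "nodes"]
    verbs: ["get", "list", "watch"]       # no create/update/delete, and no pods/exec subresource
  - apiGroups: ["apps"]
    resources: ["deployments", "daemonsets", "statefulsets", "replicasets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]
    verbs: ["get", "list", "watch"]       # lets InfoSec audit who can do what, without changing it
---
# Bind the role to the InfoSec group rather than to individual users.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: infosec-viewer-binding            # assumed name
subjects:
  - kind: Group
    name: infosec                         # assumed group name from the identity provider
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: infosec-viewer
  apiGroup: rbac.authorization.k8s.io
```

After applying it, `kubectl auth can-i delete pods --as=alice --as-group=infosec` should answer `no` while `kubectl auth can-i list pods --as=alice --as-group=infosec` answers `yes`, which confirms the visibility-without-control split described above.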

Mounir Hahad, head of Juniper Networks' Juniper Threat Labs, advised restricting access to containerized applications in the cloud to DevOps teams. "Even though there are legitimate use cases where others need access for development and testing, that should only be granted on staging environments, not production environments with real, sensitive data," he said.


Identity authentication is important everywhere, but it's not a silver bullet, Henderson warned. "Credential theft and misuse continues to be an ongoing problem." Henderson urged managers to ask themselves if they could tell whether someone was using stolen credentials to access their containerized applications or data. "If the answer is no, you may need to think of additional security controls to plug that gap," he suggested.

Least privilege is, as always, a critical security concept. Identity and access management (I&AM) systems, upstream of all applications, should be deployed to ensure that only authenticated users, including administrators and developers, are taking authorized actions. "All access ... needs to be authorized and logged," stressed Miles Ward, CTO at cloud technology services provider SADA.


I&AM shouldn't be seen as an additional burden, increasing the deployment complexity of cloud applications, Hahad said. "Instead, it should be viewed as an extension to data center or private cloud I&AM, where consistent corporate policies are applied everywhere."

Takeaway

Always remember that containers, while a boon to many developers and IT organizations, are just as susceptible to bugs and vulnerabilities as any other technology tool or platform, Henderson warned. "Keeping that in mind, it means we have to keep our eyes open for threats targeting the underlying products we're using and make patching a critical imperative," he added. "Attackers waste no time exploiting issues that are disclosed."

John Edwards is a veteran business technology journalist. His work has appeared in The New York Times, The Washington Post, and numerous business and technology publications, including Computerworld, CFO Magazine, IBM Data Management Magazine, RFID Journal, and Electronic ...