Business security has emerged as a priority issue over the past year and a half, as a larger attack surface, costly ransomware attacks and high-profile breaches affecting energy, government, education and much of the private sector have captured the world’s attention.
Throughout this activity, a key question surrounds the cybersecurity debate: How secure, exactly, are containers?
A central resource for enterprise computing, containers consolidate core applications and associated configuration files into an image that can be quickly saved and deployed to multiple servers. As long as the code in an image has been properly reviewed and updated, the security risk is low. But when that hasn’t happened, be careful.
A growing body of evidence shows that major segments of the tech industry and government authorities are concerned about container security. In 2018, the Cloud Native Computing Foundation launched a security audit that included an in-depth assessment of its most used project, Kubernetes. The audit found credential exposure, inconsistent policy enforcement, and vulnerabilities in the container orchestration tool’s implementation of the Transport Layer Security protocol.
In June, Red Hat Inc. released its “Kubernetes Security State Report” based on a survey of more than 500 DevOps developers and engineering professionals, which found that 94% of them had encountered security issues or container incidents during the previous year. And in August, the National Security Agency took the unusual step of releasing a report with recommendations for hardening Kubernetes container environments.
“Kubernetes can be a valuable target for data and/or computing power theft,” the NSA noted in its findings. “While data theft has traditionally been the primary motivation, cyber actors looking for computational power (often for cryptocurrency mining) are also drawn to Kubernetes to exploit the underlying infrastructure.”
The underlying infrastructure referenced by the NSA appears to be a major concern. Cyber security researchers have discovered a number of container vulnerabilities in recent years, some of which have yet to be addressed.
A container exploit named Dirty Cow, which compromises the Linux kernel, was first discovered in 2016 and is still ongoing, according to a recent report from researchers at Trend Micro. Another exploit that attacks runC, the industry standard container runtime environment, was recently found to be part of a chain of malware that allows attackers to take control of other users’ containers.
There is also a privilege escalation threat involving Kubernetes. The orchestration tool is designed to let multiple groups of developers, working on various applications, communicate with the core API. If it is configured incorrectly, permissions can expand quickly within a cluster.
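The permission sprawl described above is usually a matter of RBAC bindings rather than a code flaw, so the check a defender wants is an audit of what is bound to whom. The following is an added example written for this article, not code from Red Hat, the NSA report or any vendor named here. It runs offline over constructed, JSON-shaped RoleBinding, ClusterRoleBinding and ClusterRole objects (the shape `kubectl get ... -o json` returns); all resource, namespace and subject names are hypothetical, and the set of roles treated as high-privilege is an assumption.

```python
"""Audit Kubernetes RBAC objects for bindings that widen permissions.

Flags three patterns that let permissions expand across a cluster:
  1. ClusterRoleBindings that grant a built-in high-privilege role
  2. bindings whose subject is a 'default' ServiceAccount or an
     all-users group (system:authenticated / system:unauthenticated)
  3. bindings to a ClusterRole whose rules use wildcard verbs/resources
"""

# Assumption: these built-in roles are treated as high-privilege when bound cluster-wide.
HIGH_PRIVILEGE_ROLES = {"cluster-admin", "admin", "edit"}
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}


def rule_is_wildcard(rule):
    """True if a PolicyRule grants every verb or every resource."""
    return "*" in rule.get("verbs", []) or "*" in rule.get("resources", [])


def find_risky_bindings(objects):
    """Return a list of (binding_name, reason) findings for a list of RBAC objects."""
    cluster_roles = {o["metadata"]["name"]: o
                     for o in objects if o.get("kind") == "ClusterRole"}
    findings = []
    for obj in objects:
        kind = obj.get("kind")
        if kind not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        name = obj["metadata"]["name"]
        role_ref = obj.get("roleRef", {})
        role_name = role_ref.get("name", "")

        # The API omits 'subjects' entirely when a binding has none.
        for subj in obj.get("subjects") or []:
            if subj.get("kind") == "Group" and subj.get("name") in BROAD_GROUPS:
                findings.append((name, f"binds '{role_name}' to all-users group {subj['name']}"))
            if subj.get("kind") == "ServiceAccount" and subj.get("name") == "default":
                ns = subj.get("namespace", "?")
                findings.append((name, f"binds '{role_name}' to the default ServiceAccount in {ns}"))

        if kind == "ClusterRoleBinding" and role_name in HIGH_PRIVILEGE_ROLES:
            findings.append((name, f"grants '{role_name}' cluster-wide"))

        # Only ClusterRoles are in our map; a namespaced Role is out of scope here.
        role = cluster_roles.get(role_name) if role_ref.get("kind") == "ClusterRole" else None
        if role and any(rule_is_wildcard(r) for r in role.get("rules", [])):
            findings.append((name, f"'{role_name}' contains wildcard verbs or resources"))
    return findings


# Constructed sample objects (hypothetical names), shaped like kubectl -o json output.
SAMPLE_OBJECTS = [
    {"kind": "ClusterRole", "metadata": {"name": "hypothetical-wide-open"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-runner-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-runner", "namespace": "build"}]},
    {"kind": "RoleBinding", "metadata": {"name": "dev-default-edit", "namespace": "team-a"},
     "roleRef": {"kind": "ClusterRole", "name": "edit"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "team-a"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "everyone-wide-open"},
     "roleRef": {"kind": "ClusterRole", "name": "hypothetical-wide-open"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "RoleBinding", "metadata": {"name": "team-a-viewer", "namespace": "team-a"},
     "roleRef": {"kind": "Role", "name": "pod-reader"},
     "subjects": [{"kind": "User", "name": "alice"}]},
]

if __name__ == "__main__":
    for binding, reason in find_risky_bindings(SAMPLE_OBJECTS):
        print(f"{binding}: {reason}")
```

On the sample data the audit reports four findings across three bindings and leaves the least-privilege `team-a-viewer` binding alone; the same function can be pointed at the JSON from a real cluster once `kubectl` output is parsed into Python objects.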
However, it is not necessarily technology flaws in Kubernetes and containers that have increased the security risk. It is more that adoption of the tool among many companies is still a relatively recent phenomenon, and it is complicated to set up.
“The most important factor in the potential ease of attacking a Kubernetes-based system is not the underlying technological vulnerabilities; it’s in the simple fact that it’s new,” according to Shauli Rozen, managing director of ARMO, based in Israel. “Attackers love new systems, which organizations don’t yet know how to configure securely. To top it off, Kubernetes is quite a complex system, and it typically runs microservice-based architectures, which by nature are more complicated, have more APIs, and a proliferation of software artifacts that change continuously, which naturally increases the attack surface.”
Turn to automated solutions
The corporate tech community has responded to concerns about container security by introducing a number of tools, many of which have focused on optimizing automation.
Red Hat Inc.’s solution for creating automated processes that can be deployed as containers is Ansible, and Kubernetes is playing a key role in automating this deployment. Individual actions in Ansible playbooks can be chained into task sequences, which can then be used by security analysts to automate network responses.
Red Hat also partners with security companies, such as Sysdig Inc. and NeuVector Inc., on a variety of container protection solutions. Sysdig recently announced a number of unified security products for the cloud and containers and provides visibility to run applications confidently with OpenShift.
A solution from NeuVector provides automated security for Kubernetes and OpenShift through packet-level inspection and enforcement by its container firewall.
Integration of StackRox and Insights
A discussion of container security would be incomplete without a mention of StackRox Inc. The container security company started in 2014 and made a big bet on Kubernetes two years ago. This concentration paid off when the company was acquired by Red Hat in January of this year.
Prior to the acquisition, StackRox revealed that its business had grown 240% in the first half of 2020, another data point for the growing interest in corporate container security. StackRox provides automated and on-demand checks for over 300 ongoing compliance assessments and provides visibility into Kubernetes by deploying components directly to the tool’s infrastructure.
Red Hat quickly integrated StackRox into its security solutions platform after closing the deal in February. The company announced a series of app security enhancements in April, largely based on the acquisition. These included Advanced Cluster Security for Kubernetes in OpenShift and Red Hat Quay integration, which allows users to securely store and deploy container images on any infrastructure of their choice.
Red Hat has also taken steps over the past year to integrate Ansible into Insights, the company’s SaaS offering, which has provided users with actionable insights into Red Hat Enterprise Linux environments. With this move, any recommended remediation plan can be executed automatically.
“Securing IT environments, and especially containerized environments, is a formidable challenge,” said Joe Fitzgerald, vice president and general manager of the Red Hat business unit, in an interview with theCUBE, SiliconANGLE Media’s livestreaming studio. “The complexity and scale of modern application deployments are unmatched in history. We believe Red Hat Insights is a vital addition to the CISO portfolio as it helps IT organizations reduce the number of weak systems in the environment.”
There is another important reason why automation will need to play a central role in container security. Today’s cloud application developer wears a second hat as a security engineer. What’s wrong with this picture?
The problem is that effective security is a team sport, and application developers have far too much to do to spend the time necessary to enforce critical security policies. A more realistic approach involves cloud-native application protection platforms (CNAPPs) and cloud security posture management (CSPM) tools.
There are already signs that companies are taking a closer look at CNAPPs and CSPMs to perform key container tasks, including continuous application analysis and enforcing standardized security policies. This can also accelerate the move towards consolidation and centralization of corporate security controls.
A survey of IT professionals conducted by Enterprise Strategy Group and released in June found that 35% of them have already taken the path to consolidation and that an additional 50% plan to implement this strategy over the course of the next two years.
“Containers have evolved in terms of capacity and sophistication,” said Dave Vellante, chief analyst at Wikibon, the research arm of SiliconANGLE. “However, their seemingly ubiquitous use has caused organizations to urgently need a secure, governed way to deal with these technology issues. And these are gaps that Red Hat is leading the charge to fill.”