15 Tips for a Run-time Container Security Strategy

There have been many recent discussions on container security, but mostly focus on image scanning or host security and OS. Today we going to talk about 15 Tips for a Run-time Container Security Strategy. The lack of enterprise security tools for the former has led people to focus too narrowly. It’s like an old saying “when all I have is a hammer, it all looks like nails.”

Security is often neglected when trying to get new technology in production, so any security focus on the container is definitely something positive.  Container images need to be scanned before turning them into enrollments and images must be digitized at the time of construction.

Experienced and professional DevOps knows that threats in the container environment are mostly in the virtual or single OS server environment. And there are additional weaknesses introduced by container placement. It has not yet been reported the specific vulnerability of the reported container, but here are some of the threats to be noted:

General Container Threats

• Application level DDOS and xss against public facing containers
• Compromised containers trying to ‘phone home’ to download malware
• Compromised containers trying to scan other internal systems to find other weakness or search for sensitive data
• Container breakout and unauthorized access across containers, hosts or data centers
• Container resource hogging, eating up CPU/Mem/Disk/IO to impact or even crash other containers
• Live patching of applications which bring in malicious processes from a hijacked DNS or other service
• Network flooding from poorly designed applications impacting other containers

Container Attacks – Examples

• SQL injection attack gaining ownership of a database container to start stealing data
• The shell-shock bash bug allowing remote attackers to execute arbitrary code inside a container
• The heart-bleed bug causing container’s memory to be leaked and analyzed
• The glibc stack-based buffer overflow caused by a man-in-the-middle attack
• A new zero-day attack on a container causing a persistent threat

So what’s the best strategy for run-time container security? Here are 15 tips for securing containers during run-time. I’ll start with some of the preparations that I mentioned before, then get into more advanced capabilities.

Preparing for production

1. Secure the OS, ‘hardening the OS,’ trim all unnecessary modules and files, and keep up with latest security patches

2. Secure the container platform

3. Prevent unauthorized access, customize and specify the security profiles

4. Vulnerability scan containers in all registries

5. Digitally sign or do integrity checks on container images

Basic Run-time Container Security

6. Secure the data center – firewalls/IDS/IPS/WAF/white-listing… at the gateway or entry point to reduce the chances of being attacked by traditional means

7. Tear down and clean up unused containers frequently, shortening the run-time window when a container could be attacked

8. Load application containers in read-only/non-persistent mode to reduce risks

Advanced Run-time Container Security

9. Isolate or segment running containers into the minimum working zone by service or application to reduce the attack surface

10. Monitor for attacks against containers in real-time including application layer threats

11. Monitor container behavior for violations, paying attention to any abnormal application behavior*

12. Block unauthorized access to containers automatically when certain that it’s abnormal*

13. ‘Live scan’ every running container for vulnerabilities to secure the image in use, even when new containers spawn

14. Automate security policy to be sure protection scales automatically as containerized apps scale up and down, or across hosts/data centers

15. Conduct offline analysis of the security events collected to correlate events and store forensic data for containers.

*These require that you first have visibility into what is ‘normal’ application behavior, and have properly mapped it out and have created a security policy to enforce authorized behavior.

Feel free to contact E-SPIN for the solution for your system and operation to reduce risk of your businesses  and organization. We can secure and protect your businesses with our various software security technology as well as solution for container security.