Gartner: How-To Guide on Securing Containers

This is the third article of a three-part blog series reviewing Gartner Security & Risk Management Summit 2019. Don’t forget to read article one titled Gartner’s Top 10 Security Projects for 2019 - Container Security Makes the List, and article two titled Gartner on Securing Cloud-Native Apps.

We’ve been sharing the highlights of Gartner’s recent Security conference – the inclusion of container security in Gartner’s list of Top 10 Security Projects for 2019 and Best Practices for Securing Cloud-native Apps.

Here we pick up the conversation with more detailed “how to” advice on securing containers by analyst Anna Belak. Anna started her talk by noting that separating the application layer from the infrastructure layer inherently has security implications and that the few noteworthy container breaches that have occurred have all derived from misconfiguration. She went through the steps of deploying images to highlight eight discrete threat vectors along that path and then categorized the mitigation steps needed into three buckets:

  • securing container images
  • securing Kubernetes
  • securing containers at runtime

Threat Vectors in Container Deployment

In laying out her detailed view of the automated process for deploying containers, Anna called out the threat vectors at each step:

  1. development system – where Dockerfiles are created
  2. Git-based repository – where related images reside
  3. dependencies retrieval – where images fetch other elements they need to operate
  4. image registry – where images are hosted and distributed
  5. Kubernetes – the orchestrator, which Anna noted is both software and infrastructure
  6. host-container relationship – how the container communicates with the host it’s running on
  7. rapid rate of change – the fast iteration itself introduces risk
  8. microservice communications and network segmentation – broader communications between assets making up the overall microservices

Enabling protections at each of these steps requires a combination of processes and new security tooling, Anna said, and they need to fit into the automation that DevOps demands.

Gartner Report: Market Guide for Cloud Workload Protection Platforms (CWPPs)

Learn about Gartner's recommendations and best practices for protecting cloud-native applications

Download Now

Securing Container Images

To highlight the risk at this phase, Anna referred to a 2017 study on security vulnerabilities on Docker Hub, which found that of its 3,802 official images, each had an average of 127 vulnerabilities, and exactly zero images had no known vulnerabilities.

She highlighted the process of deployment – from the base image, to the enabling layers, to the application layer, to the production image. Across the steps, Anna recommended the following best practices:

  • Curate a collection of trusted, vetted images that are customized to meet specific needs
  • Task specific people with maintaining these images, ensuring they are frequently scanned for vulnerabilities and rebuilt as new versions are released
  • Store all images containing proprietary content in a secure, private registry

Here at StackRox, we recognize that following basic DevOps good hygiene is a crucial step to securing your container and Kubernetes infrastructure, so our Policy Engine includes many out-of-the-box policies that pertain to these exact tasks, ensuring images that don’t meet these standards can’t successfully be built and assessing risk for those assets that are deployed.

Securing Kubernetes

Anna continued her discussion by highlighting all the elements of Kubernetes that need protection and shared steps to take to improve security in each area.

  • servers: use a lightweight and hardened host OS, and never patch it – just start over if there’s a problem
  • containers: scan them and isolate them – then make sure there’s no drift
  • secrets: secrets management is still hard, she noted – “people like to push passwords around”
  • orchestration control plane: ensure you’re using the latest version because security enhancements keep coming
  • identity and access: enable RBAC on Kubernetes and integrate with identity and access management systems – least privilege really matters here
  • network: use certificates and apply segmentation policies – remember that Kubernetes is a “default allow” platform, so you need to go in and turn off all those open paths

Securing Containers at Runtime

Anna rounded out her talk by discussing how to use secrets management, network segmentation, and behavioral controls to protect your cloud-native infrastructure at runtime.

For secrets management, she stepped through the sequence of actions for containers to access an asset such as a database server. She recommended that secrets – including database credentials, API authentication tokens, TLS certificates, and encryption keys – should never be hard coded.

For network segmentation, she reminded the audience that by default, all your containers can talk to each other and to the outside world, so you need to create policies that limit these communications. Since those policies reside in YAML files, look for network segmentation features that can help you

For behavioral controls, she highlighted StackRox and some of our friends in the industry for our ability to:

capture container processes

provide behavioral analysis engine with machine learning

establish baselines via container profiling and traffic analysis

alert on anomalies

use explicit allow lists to microsegment workloads

Putting it All Together

To sum up Anna’s insights, she detailed the capabilities inherent in containers and Kubernetes but made it clear how much configuration management and other conscious steps DevOps and Security teams need to take to turn on and appropriately use these controls. She also made it clear that a new generation of security tooling is essential to effectively protecting this application development infrastructure. Following these practical steps to securing the images, securing Kubernetes, and protecting your assets at runtime will help you secure your container workloads.