Container Security: Top 5 Best Practices for DevOps Engineers

Containerization has resulted in many businesses and organizations developing and deploying applications differently. A recent report by Gartner indicated that by 2022, more than 75% of global organizations will be running containerized applications in production, up from less than 30% in 2020. While containers come with many benefits, they certainly remain a source of cyberattack exposure if not secured properly.

Previously, cybersecurity meant safeguarding a single "perimeter." By introducing new layers of complexity, containers have rendered this concept outdated. Containerized environments have a lot more abstraction levels, which necessitates the use of specific tools to interpret, monitor, and protect these new applications.

‍

What is container security?
Top 5 container security best practices
Conclusion

‍

What is Container Security?

Container security is the use of a set of tools and policies to protect containers from potential threats that will affect an application, infrastructure, system libraries, run time, and more. Container security involves implementing a secure environment for the container stack which consists of:

Container image
Container engine
Container runtime
Registry
Host
Orchestrator

Most software professionals automatically assume that Docker and Linux kernels are secure from malware, an assumption that is easily overestimated. Considered part of the DevSecOps practice which you should read about as we covered the topic in this blog article.

‍

Top 5 Container Security Best Practices

Host and OS Security

Containers provide isolation from the host although they both share the kernel resources. Often overlooked, this aspect makes it more difficult but not impossible for an attacker to compromise the OS through a kernel exploit so they can gain root access to the host.

Hosts that run your containers need to have their own set of security access in place by making sure the underlying host operating system is up to date and is running the latest version of the container engine. Ideally, you will need to set up some kind of monitoring to be alerted for any vulnerabilities on the host layer. Additionally, choose a “thin OS” which will not only speed up your application deployment, but also reduce the attack surface by removing unnecessary packages and keeping your OS as minimal as possible.

Essentially, in a production environment, there is no need to let a human admin SSH to the host to apply any configuration changes. Instead, you should manage all hosts through IaC with Ansible or Chef for instance. This way, only the orchestrator can have ongoing access to run and stop containers.

Container Vulnerability Scans

Regular vulnerability scans of your container or host should be carried out to detect and fix potential threats that hackers could use to access your infrastructure. Some container registries provide this kind of feature when your image is pushed to the registry, it will automatically scan it for potential vulnerabilities.

One way you can be proactive is to set up a vulnerability scan in your CI pipeline by adopting the “shift left” philosophy, which means you implement security early in your development cycle. Trivy would be an excellent choice to achieve this. You can check out the installation guide in the article we prepared covering the tool.

If you were trying to set up this kind of scan to your nodes that are on-premise, Wazuh is a solid option that will log every event and verify them against multiple CVE (Common Vulnerabilities and Exposure) databases. We covered Wazuh in this blog post in more detail.

Container Registry Security

Container registries provide a convenient and centralized way to store and distribute images. It is common to find organizations storing thousands of images in their registries. Since the registry is so important to the way a containerized environment works, it must be well protected. Therefore, investing time to monitor and prevent unauthorized access to your container registry is something you should consider.

If you are looking for the container registry that will fit the best with your environment, check out our comparison guide of some of the top container registries available in the market:

Kubernetes Clusters Security

Another action you can take is to re-enforce security around your container orchestration such as preventing risks from over-privileged accounts or attacks over the network. Following the least-privileged access model, protecting pod-to-pod communications would limit the damage done by an attack. A tool that we would recommend in this case is Kube Hunter, which acts as a penetration testing tool. As such, it allows you to run a variety of tests on your Kubernetes cluster so you can start taking steps to improve security around it.

You may also be interested in Kubescape, which is similar to Kube Hunter, it scans your Kubernetes cluster, YAML files, and HELM Charts to provide you with a risk score:

Image of Kubescape Container Security Risk Score Dashboard

Secrets Security

A container or Dockerfile should not contain any secrets. (certificate, passwords, tokens, API Keys, etc.) and still, we often see secrets hard-coded into the source code, images, or build process. Choosing a secret management solution will allow you to store secrets in a secure centralized vault.

‍

Conclusion

These are some of the proactive security measures you may take to protect your containerized environments. This is vital because Docker has only been around for a short period, which means its built-in management and security capabilities are still in their infancy. Thankfully, the good news is that achieving decent security in a containerized environment can be easily done with multiple tools available such as the ones we listed in the article.

Blog