How to Lock Down Container Security
IT’s love affair with containerized apps is going strong. But love shouldn’t blind you to some serious security issues
As you migrate workloads to the public cloud, and adopt new technologies such as containers, make sure you’ve got the visibility and expanded security posture you need.
You’re likely familiar with all the reasons supporting a move to containers. Because they share a single operating system (OS) kernel, they’re lightweight, quick to start, and use little memory. Some of the tantalizing benefits they offer businesses and developers include:
- Platform independence so developers can ‘build it once, run it anywhere’
- Higher app density for more efficient use of hardware and system resources
- Isolation between apps on the same host, enforced by the container runtime through kernel namespaces and cgroups (weaker than a VM boundary, but stronger than co-located plain processes)
- Improved developer productivity and continuous integration and continuous delivery (CI/CD) pipeline integration
- Rapid and smooth scaling with simple orchestration
Terrific stuff. But containers as a class can unfortunately introduce some security deficits. Keep in mind that while containers can bring some IT value, they do not offer comprehensive security. Many of the specific challenges result from the way containers function, and where and how they are used. Here are containers’ top security issues and the available fixes we recommend.
Lateral Movement of Threats
Cyber attackers often use lateral movement to spread through a network once they have a foothold. Unlike VMs, which each run their own kernel, containers share the host's kernel and OS resources with every other container and service on that host. A compromised container can therefore reach the host and, through it, its neighbours: the attack surface grows to include the host OS, and a single escape or a carelessly mounted host path makes lateral movement across co-located workloads possible. The fix is container security that monitors network communications and enforces policy-based controls that deny traffic by default and permit only approved connections between specific workloads.
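What "permit only approved network connections" looks like in practice, as an added example that is not part of the original post or of any Symantec product: it assumes Kubernetes with a CNI plugin that enforces NetworkPolicy, and the namespace, labels and port (shop, app=web, app=db, 5432) are hypothetical names chosen for illustration. The first policy denies all ingress and egress for every pod in the namespace; the following two re-open exactly one path, web to db on TCP/5432, plus the DNS lookups web needs to resolve that name.

```yaml
# Added example, not from the original post. Assumes Kubernetes plus a CNI
# that enforces NetworkPolicy; namespace "shop" and labels app=web / app=db
# are hypothetical.
# 1) Default deny: no pod in the namespace may send or receive anything.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: shop
spec:
  podSelector: {}            # empty selector = every pod in the namespace
  policyTypes: ["Ingress", "Egress"]
---
# 2) Ingress side of the single approved connection: only web may reach db,
#    and only on the database port.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-web-to-db
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: db
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: web
      ports:
        - protocol: TCP
          port: 5432
---
# 3) Egress side: web may talk to db on 5432 and to cluster DNS on 53,
#    and nothing else (no internet, no other namespaces, no other pods).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-egress
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes: ["Egress"]
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: db
      ports:
        - protocol: TCP
          port: 5432
    - to:
        - namespaceSelector: {}          # any namespace ...
          podSelector:                   # ... but only the cluster DNS pods
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
```

Two caveats a practitioner will want: a NetworkPolicy object is silently ignored on clusters whose network plugin does not implement it, so verify enforcement with a test pod before relying on it, and policies only constrain pod-to-pod traffic at the network layer. They do not stop a container that escapes to the host kernel, which is why the host-level monitoring the post goes on to describe still matters.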
Unrestricted Access
A single application bug, such as a remote code execution flaw, gives an attacker code execution with whatever privileges the container itself runs with. If the container runs as root, carries capabilities it does not need, or mounts host paths, those privileges extend to critical system files in the management framework, on the host, and in other containers. It's up to security managers to roll out container security that monitors file integrity and raises real-time alerts when critical files inside containers, or on the host, are accessed or changed. That monitor should run from the host rather than inside the container it watches, so that a compromised container cannot simply disable it.
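The core of a file-integrity monitor is small enough to show in full. The block below is an added example, not code from the original post or from any Symantec product: it baselines a directory tree with SHA-256 digests, re-scans it later, and classifies every difference as added, removed or modified. The scenario in `demo()` is constructed, a fake `etc/` tree in a temporary directory that an attacker then tampers with by appending a uid-0 account to `passwd`, dropping a cron job, and deleting `motd`.

```python
"""Minimal file-integrity monitor (added example, not from the original post).

Baseline a directory tree, re-scan it, and report what changed. In a real
deployment the baseline is stored off the monitored host and the scan runs
from the host against the container's root filesystem, not from inside the
container being watched.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=1 << 16):
    """SHA-256 of a file's contents, streamed so large files are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file under root (path relative to root) to its SHA-256.

    Symlinks are skipped so a link pointing outside the tree cannot be used to
    make the monitor hash, or later 'detect changes in', files it should not.
    """
    root = Path(root)
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def detect_changes(baseline, current):
    """Compare two baselines and classify each difference.

    Returns {"added": [...], "removed": [...], "modified": [...]} with sorted paths.
    """
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a fake etc/ tree, tamper with it, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "motd").write_text("welcome\n")
        baseline = build_baseline(root)

        # Simulated attacker activity (constructed sample data):
        # append a second uid-0 account, add a cron job, delete a file.
        with open(root / "etc" / "passwd", "a") as f:
            f.write("backdoor:x:0:0::/:/bin/sh\n")
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "update").write_text("* * * * * root /tmp/.cache/run\n")
        (root / "etc" / "motd").unlink()

        return detect_changes(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for path in paths:
            print(f"ALERT {kind}: {path}")
```

Running it prints one alert line per change: `etc/cron.d/update` added, `etc/motd` removed, `etc/passwd` modified, while the untouched `etc/hosts` stays silent. A production monitor also records ownership and mode bits (a `chmod u+s` leaves the content hash unchanged), and restricts the watch list to paths that should never change at runtime, since a container's writable scratch directories would otherwise drown the alerts in noise.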
Containers Integrated into Heterogeneous Environments
Because of their flexibility, containers can be implemented across public and private clouds, and even on bare metal servers next to VMs. All of it needs to be secured. My advice is to make sure that your container security is set up to protect containers with complete, integrated pipeline, runtime, and storage security—wherever they are used across heterogeneous hybrid cloud environments.
Infection Through Shared Storage
Containerized applications and services often share storage, such as Amazon Simple Storage Service (S3) buckets, with other containerized or traditional applications. Shared storage then becomes a distribution channel: a malicious file written by one compromised app is read by every other app and service that trusts the bucket, spreading threats such as ransomware and bots. You can reduce your risk with container security that scans files and objects in S3 buckets for malware, keeping storage clean and preventing threats from spreading to other applications and services.
Lack of Visibility into Security Events
Containers are short-lived and are usually replaced rather than repaired, and a container's local logs and filesystem vanish with it. Host-level tooling, meanwhile, sees only a process tree with no container or image context attached. Unless security events are captured at runtime and shipped off the host with that context, security analysts have no event trail to follow when conducting forensic investigations. Your infrastructure must therefore give administrators and security operations personnel visibility into security events, along with alerting and centralized logging for analysis and forensics.
How Symantec Can Help
Containers clearly offer huge advantages compared to virtual machines, so it’s no surprise they are hitting the big time. We’re excited about the container revolution too. But before you go all in, it’s essential you cover the security bases.
Symantec Cloud Workload Protection Suite ensures you can safely adopt containers and cloud IaaS platforms with strong protection for workloads and storage. Cloud Workload Protection discovers and secures workloads and containers across Amazon Web Services, Microsoft Azure, and Google Cloud Platform, plus private cloud and on-premises environments. Cloud Workload Protection for Storage scans Amazon S3 storage for malware and threats. DevOps takes advantage of cloud-native integration to build security into CI/CD pipelines, while a single console unifies visibility, security policy, and vulnerability reporting. Cloud Workload Protection mitigates container security risks, so you get the full benefit of the business agility and operational efficiencies they offer.