
Misconfigured Containers Open Security Gaps

Laziness, inattention and poor management practices make containerized applications vulnerable to invasion and attack. Fortunately, establishing strong safeguards is fast and easy.

Image: Coloures Pic - stock.adobe.com

One of the biggest cloud security threats facing enterprises today is the problem of improperly configured containers, according to experts such as Mike Sprunger, senior manager of cloud and network security at Fortune 500 technology provider Insight Enterprises.

Sprunger noted in an interview that despite warnings to the contrary, many IT teams still fail to limit access to containerized applications, effectively opening access to anyone, including invaders and attackers. Containers are frequently deployed with the default security configurations, which don’t provide enough protection for enterprise security, he observed.

Complicating the problem is that many enterprises don’t use the identity and access management policies that are now available to control access to containerized applications. “Default security configurations are similar to owning a rowboat with a screen door in the bottom,” Sprunger quipped.

Mike Sprunger

The knowledge gap surrounding security risks and the blunders it causes are,

Beyond basic security

Ensuring that container environments conform to enterprise security requirements is the cloud service customer’s responsibility — not the service provider’s. “There are best practices for container security, such as those outlined in NIST Special Publication 800-190, which provide a good jumping off point for container configurations, but specific measures should be aligned with application requirements,” Sprunger said.

Amir Jerbi

While most container environments meet basic security requirements, they can also be more tightly secured. It’s important to sign your images, suggested Richard Henderson, head of global threat intelligence for security technology provider Lastline. “You should double-check that nothing is running at the root level.”

Unlike traditional, monolithic applications, the orchestrated microservices applications that are typical of containerized environments require security to be built into the entire development and delivery process. “Because of the complexity of the runtime stack, it’s impossible to apply security as an afterthought, or rely on network-based and host-based models,” Jerbi said. “The ability to automate security into the CI/CD pipeline is crucial for effective security and to prevent regrettable incidents.”
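Henderson’s advice to double-check that nothing runs as root, and Jerbi’s point that such checks belong in the CI/CD pipeline rather than being bolted on afterwards, can be combined into a small pre-deployment gate. The following script is an added example written for this article, not code from any of the vendors quoted; it is a hypothetical CI check, and the two Kubernetes pod manifests it inspects are constructed samples. It flags containers that keep the shipped defaults (no non-root user set, privileged mode, privilege escalation left enabled) and images that are not pinned by digest, which is the precondition for verifying a signed image.

```python
"""Hypothetical CI gate (added example) that audits Kubernetes pod manifests
for risky container defaults: running as root, privileged mode, privilege
escalation left enabled, and images not pinned by digest."""
import json

# Constructed sample: a pod that relies on the defaults it shipped with.
WEAK_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web-default"},
    "spec": {
        "containers": [
            {"name": "web", "image": "registry.example/web:latest",
             "securityContext": {"privileged": True}}
        ]
    },
}

# Constructed sample: the same pod with an explicit, tightened security context.
HARDENED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web-hardened"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [
            {"name": "web",
             # Placeholder digest; a real one comes from the registry.
             "image": "registry.example/web@sha256:" + "0" * 64,
             "securityContext": {
                 "allowPrivilegeEscalation": False,
                 "privileged": False,
                 "readOnlyRootFilesystem": True,
                 "capabilities": {"drop": ["ALL"]},
             }}
        ]
    },
}


def audit_pod(pod):
    """Return a list of human-readable findings for one Pod manifest."""
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        # Container-level securityContext overrides the pod-level one.
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if run_as_user == 0:
            findings.append(f"{name}: runAsUser is 0 (root)")
        elif not run_as_non_root and run_as_user is None:
            findings.append(
                f"{name}: neither runAsNonRoot nor runAsUser set; "
                "the image default (often root) applies")
        if sc.get("privileged"):
            findings.append(f"{name}: privileged mode enabled")
        # Kubernetes defaults allowPrivilegeEscalation to true when unset.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation not disabled")
        if "@sha256:" not in c.get("image", ""):
            findings.append(f"{name}: image not pinned by digest")
    return findings


def gate(pods):
    """CI-style verdict: (passed, {pod name: findings}) over several manifests."""
    report = {p["metadata"]["name"]: audit_pod(p) for p in pods}
    passed = all(not f for f in report.values())
    return passed, report


if __name__ == "__main__":
    ok, report = gate([WEAK_POD, HARDENED_POD])
    print(json.dumps(report, indent=2))
    print("PASS" if ok else "FAIL")
```

Run as a pipeline step, a non-zero exit on `FAIL` stops the deployment before a root-running or privileged container reaches a cluster; the same checks map onto what a Pod Security admission policy enforces at runtime, but catching them in CI surfaces the misconfiguration to the developer who introduced it.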

Richard Henderson

Limiting access

Staff should only have access to the applications they actually handle, Jerbi noted. “Additionally, user privilege should be limited and segmented

Mounir Hahad

Identity authentication is important everywhere, but it’s not a silver bullet, Henderson warned. “Credential theft and misuse continues to be an ongoing problem.” Henderson urged managers to ask themselves if they could tell whether someone was using stolen credentials to access their containerized applications or data. “If the answer is no, you may need to think of additional security controls to plug that gap,” he suggested.

Least privilege is, as always, a critical security concept. Identity and access management (IAM) systems, upstream of all applications, should be deployed to ensure that only authenticated users, including administrators and developers, are taking authorized actions. “All access … needs to be authorized and logged,” stressed Miles Ward, CTO at cloud technology services provider SADA.

Miles Ward

IAM shouldn’t be seen as an additional burden, increasing the deployment complexity of cloud applications, Hahad said. “Instead, it should be viewed as an extension to data center or private cloud IAM, where consistent corporate policies are applied everywhere.”

Takeaway

Always remember that containers, while a boon to many developers and IT organizations, are just as susceptible to bugs and vulnerabilities as any other technology tool or platform, Henderson warned. “Keeping that in mind, it means we have to keep our eyes open for threats targeting the underlying products we’re using and make patching a critical imperative,” he added. “Attackers waste no time exploiting issues that are disclosed.”