Container Security Best Practices

November 11, 2021 | By IANS Faculty

Good container security requires building a great partnership with IT operations, developers and security. This allows you to review the container environment and address security needs with design, deployment and visibility in mind. 

You must also be sure to track metrics and document expectations before pushing out mandates, and engineers must receive the necessary training to ease the transition to the new process. This piece explains how to establish effective governance over containers, including some top strategies and container security tools to consider. 

Effective Container Security

The increasing push for faster development cycles has changed the way modern development teams focus on the build and release process, moving more toward an iterative and adaptive development methodology. While there can be several positive outcomes in switching to these methods, some organizations find it challenging to integrate security standards into them, especially since those standards were designed around alternate, outdated methodologies, like the waterfall approach and traditional server stacks. 

There is a common misconception that DevOps eliminates steps in the process. Instead, it is a way to introduce automation and gain optimizations, while keeping security and proper change control in place. Following this three-step container security best practice blueprint will help get you there. 

1. Understand the Architecture/Design 

First, you need to clearly understand how the environment is deployed and who is managing which components. For example, the main features of Kubernetes (e.g., control plane, data planes and compute resources) can be deployed and managed by the organization, handled as part of a cloud provider’s service – e.g., Amazon Elastic Kubernetes Service (EKS), Google Kubernetes Engine (GKE), Azure Kubernetes Service (AKS) – or a combination of both. To govern effectively, you need to understand a clear path of responsibility for the various entities involved and deploy an effective measurement to each. Beyond that, best practice architecture incorporates: 

  • Communications security: Generally, all transmission connections should be moving toward encryption of all endpoints. These include administration connections, data that contains any sensitive or authentication data and even inter-connected services. You can deploy a service mesh to help with the security and visibility of communications between applications. Examples include Istio, Consul, Envoy and Linkerd. However, this likely impacts the architecture of the applications, which would have to incorporate the new communication design. 
  • Security context. Use namespaces to create logical administrative boundaries between resources. This helps with a couple of points: 
    • It allows large administrative teams to logically separate responsibilities. 
    • It helps lower exposure if there is a compromise to a container. 

Also, settings like runAsNonRoot, readOnlyRootFilesystem and seLinux allow you to minimize runtime permissions to the application. This largely depends on the applications and services you are running and what permissions they need, but if implemented, they can provide added enforcement on appropriate application roles. 

  • Network segmentation. Network policies are another security enhancement. Network policies allow you to implement firewall functionality around your pods by limiting IPs and ports to necessary services. They also can enforce proper service interaction between your pods. Other options in this are open-source projects, such as Calico.

2. Secure the Deployment 

Harden the Containers 

When it comes to configuring pod security, the first item on the list is reducing pod functionality to only what is necessary for the service running on the pod. Once you configure your system types and configurations, make sure they comply with a documented standard, including taking recommendations from reputable vendors or industry groups. The Center for Internet Security (CIS) is an excellent example of this, and it has documentation directly applicable to Kubernetes. 

Implement Strong Release/Change Management 

You should implement a solid foundation of proper change control for your repositories, including both your code and container private repositories. This includes appropriate control of versioning, branching methodology and change ticket tracking. All this should also be tied together with build, testing and release functions, as well as peer review/approvals. And ideally, all these functions should be linked together under a single view, using tools like Jira, GitHub, Jenkins, CircleCI, etc., to support transparency and full audit capabilities. This will help with your compliance activities to show a proper flow throughout your entire process. 

Establish Peer Reviews

There is no substitute for a substantive review from someone knowledgeable about the organization's baseline standard. This would include reviewing to ensure common baseline techniques are implemented, common security pitfalls are avoided, and good practices around readability and error reporting and handling are applied. There can be some automation around this to check or enforce across the board, but the most effective is a manual review of changes with someone familiar with the organization's standard. Usually this would come down to a peer or manager reviewing the changes, however, security may have input on new or material changes to the environment. 

Use Linters

While deploying images to your various environments, you can employ static checks to ensure the configurations align with your typical security posture. Several open-source and commercial tools are available to select, depending on the container technology you choose to deploy. Some examples for Kubernetes are kube-bench, KICS, Snyk, Prisma and Aqua. DevOps engineers can integrate these tools into your deployment pipelines to allow developers and release managers to address issues independently. 

3. Focus on Visibility 

At this point, everything is set up, configured appropriately and deployed to production. Now comes the obligation to ensure the configuration does not drift from the expected security configuration. Additionally, mechanisms to support issue investigation must be set up to provide a rapid response and evaluation of problems once they are discovered. Best practices here include: 

  • Get logging in place. First and foremost, engineers should configure container environments to produce/collect logs and centralize them to a location for monitoring. This would enable support for investigations and can be configured to trigger alerts when security-impacting events are seen. Components that should be logging include audit daemons, scheduling services, API communication, and the controller and data planes services. 
  • Establish policy enforcement. In a runtime environment, a tool called Open Policy Agent (OPA) lets you set up policy enforcement to dictate how containers and various control planes can interact with each other. This allows teams to implement context-aware policy-driven decisions on actions made by Kubernetes. Think of it like a firewall for your container’s actions. 
  • Perform monitoring and response. Once a container reaches the production environment, you still need a strategy for reviewing all unusual or suspicious events. Taking the logs collected previously and looking at them with a combination of techniques, both event-driven and behavioral, can alert a monitoring staff to suspicious events that must investigated. 

Additionally, organizations can install monitoring capabilities on the deployed containers. A popular open-source tool for this is Falco, an intrusion prevention tool most notably for a Kubernetes environment.

 

READ:  Shift Left Roadmap Best Practices

 

Container Security Tips

While there is a need to focus on automation of security tasks within the DevOps methodology, this can be achieved by planning and enforcing the release process and proper configuration management. In the end, DevOps can achieve even better alignment with security goals, because container environments can implement security checks in an automated fashion that does not let code promote to the next stage without remediation tasks happening. To ensure your container environment remains secure: 

  • Partner with DevOps: Approach this initiative with a helping hand. You will gain trust, and the program will be more sustainable. 
  • Incorporate security by design: Carefully plan and implement security considerations, both in the architecture of the solution and deployment. 
  • Always be monitoring: Develop an always-on process for collecting and reviewing suspicious and anomalous issues. 

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice. 


Find additional resources from our security practitioners.


2021 CISO Compensation Benchmark Report