Container security also offers attack surfaces


Risk awareness, classic cyber security principles and specific countermeasures increase the security of data and processes. IT managers use their own containers or those provided by cloud service providers to set up agile, flexible applications and operate processes.

Ultimately, however, containers are also executable applications and can be dangerous. Container host servers and registries extend the attack surface. Classic principles of IT security and an increased sensitivity to threats help to close emerging gaps.

Containers in the cloud or on-premise

Containers - whether hosted privately or provided via a cloud provider - offer hackers four attack surfaces:

• the registry from which a user obtains the images for the container;
• the container runtime;
• the container host; and
• the level of the container orchestration.

Attackers reach these four security focal points in a variety of ways. Ultimately, they can start the necessary lateral movement from any endpoint in the target network. They are then able to compromise the registry, the container host with its images, or clusters with several redundant images, or to misuse legitimate images for their own purposes. Above all, they want to use resources for their own ends - e.g. for crypto mining - or sabotage services.

IT security officers should therefore keep an eye on the following areas of IT defense:

Defense scene 1: Check images

Regardless of whether users get their container images from a public cloud or from a private registry - they should be careful. Attackers can attack the registry and use it to offer maliciously manipulated and apparently legitimate images for download.

Remedy: IT managers only have sufficient security if they use checked and updated images from a secure source. In addition, IT managers should only use those services that they really need. Once you've downloaded an image, you should keep it updated and watch out for any security risks.
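One way to enforce "checked images from a secure source" before deployment is to check every image reference against a policy. The following is an added example, not code from the article or from Bitdefender; the registry name `registry.example.internal` and the sample references are assumptions made for illustration.

```python
import re

# Assumption for this example: the organisation's approved registries.
TRUSTED_REGISTRIES = {"registry.example.internal"}
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

def parse_image_ref(ref):
    """Split an image reference into (registry, repository, tag, digest)."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, _, rest = ref.partition("/")
    # Docker convention: the first path component is a registry only if it
    # looks like a host (contains '.' or ':' or is 'localhost').
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    tag = None
    if ":" in path.rsplit("/", 1)[-1]:
        path, tag = path.rsplit(":", 1)
    return registry, path, tag, digest

def check_image(ref):
    """Return policy findings; an empty list means the reference passes."""
    registry, _, tag, digest = parse_image_ref(ref)
    findings = []
    if registry not in TRUSTED_REGISTRIES:
        findings.append(f"untrusted registry: {registry}")
    if digest is None:
        # Tags are mutable: the same tag can later point to different content.
        findings.append("not pinned by digest")
        if tag in (None, "latest"):
            findings.append("mutable 'latest' tag")
    elif not DIGEST_RE.match(digest):
        findings.append("malformed digest")
    return findings

# Constructed sample references (not from the article).
SAMPLES = [
    "ubuntu",
    "registry.example.internal/base/ubuntu:22.04",
    "registry.example.internal/app/api@sha256:" + "ab" * 32,
]

if __name__ == "__main__":
    for ref in SAMPLES:
        print(ref, "->", check_image(ref) or "ok")
```
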

Defense scene 2: Monitor the container runtime

Access to a container's runtime gives attackers a wide range of options, some of them far-reaching. For example, they exploit a vulnerability and carry it further within the company, execute malicious commands or use a legitimate image - for example one with an Ubuntu operating system - as a backdoor container. They can also use a container to gain access to a host.

Remedy: A robust protection of the container runtime monitors the processes in a container and in the associated host. Regular image updates ensure continuous security.

Defense scene 3: Protect the container host

If cyber criminals get into the container host environment, all processes controlled from there are within their reach. In addition, weak points in the container server or container runtimes give attackers the opportunity to operate their own containers.

Remedy: Linux distributions that are specially developed for the operation of containers ensure more security. Each host server also needs its own security controls to protect it. Once hosts have been set up, they must be continuously monitored for new vulnerabilities. Risks at the operating system level are largely eliminated if general guidelines for their secure configuration are observed.

Defense scene 4: Risks of container orchestration

Security solutions detect sideways movement of attackers on a Docker host (Image: Bitdefender).

Attackers also target the administration of container clusters. In principle, this layer gives unauthorized persons direct access to the target resources. If hackers use credentials for a Kubernetes cluster in a public cloud, for example, they can manipulate the service provider's entire cluster. With smaller providers, this is a real danger. An exposed orchestration dashboard is a back door for administering clusters remotely without authorization.

Remedy: To prevent unauthorized access, role-based access controls and a sparing allocation of rights to users are recommended. Hosters or IaaS providers should not be able to change anything in the existing containers without the customer's OK. In addition, secure communication between the pods on a Kubernetes cluster shared by various applications increases security.
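A sparing allocation of rights can be checked mechanically by auditing the cluster's RBAC objects for grants that are broader than any user needs. The following is an added example, not code from the article or from Bitdefender; the manifests are constructed samples, written as the dictionaries a YAML or JSON loader would return, and the object names in them are hypothetical.

```python
READ_VERBS = {"get", "list", "watch", "*"}
ESCALATION_VERBS = {"escalate", "bind", "impersonate"}
PUBLIC_SUBJECTS = {"system:anonymous", "system:unauthenticated"}

def audit_role(role):
    """Flag rules in a Role/ClusterRole that grant more than a user needs."""
    name, findings = role["metadata"]["name"], []
    for rule in role.get("rules", []):
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        if "*" in verbs and "*" in resources:
            findings.append(f"{name}: all verbs on all resources")
        elif resources & {"secrets", "*"} and verbs & READ_VERBS:
            findings.append(f"{name}: can read secrets")
        risky = sorted(verbs & ESCALATION_VERBS)
        if risky:
            findings.append(f"{name}: privilege-escalation verbs {risky}")
    return findings

def audit_binding(binding):
    """Flag bindings that hand out cluster-admin or include unauthenticated users."""
    name, findings = binding["metadata"]["name"], []
    if binding["roleRef"]["name"] == "cluster-admin":
        findings.append(f"{name}: grants cluster-admin")
    for subject in binding.get("subjects", []):
        if subject.get("name") in PUBLIC_SUBJECTS:
            findings.append(f"{name}: bound to {subject['name']}")
    return findings

# Constructed sample objects (hypothetical names, not from the article).
ROLE_BROAD = {"kind": "ClusterRole", "metadata": {"name": "ops-all"},
              "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}
ROLE_NARROW = {"kind": "Role", "metadata": {"name": "app-reader"},
               "rules": [{"apiGroups": [""], "resources": ["pods", "services"],
                          "verbs": ["get", "list"]}]}
ROLE_SECRETS = {"kind": "Role", "metadata": {"name": "ci-helper"},
                "rules": [{"apiGroups": [""], "resources": ["secrets"],
                           "verbs": ["get", "impersonate"]}]}
BINDING_DASHBOARD = {"kind": "ClusterRoleBinding",
                     "metadata": {"name": "dashboard-admin"},
                     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
                     "subjects": [{"kind": "ServiceAccount", "name": "dashboard"}]}

if __name__ == "__main__":
    for obj in (ROLE_BROAD, ROLE_NARROW, ROLE_SECRETS):
        print(obj["metadata"]["name"], audit_role(obj) or "ok")
    print(audit_binding(BINDING_DASHBOARD))
```
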

Risk awareness is key

“Container security begins with awareness of the risks. If you have one, you can use suitable solutions to increase the security of the containers and use their advantages with a better feeling,” says Cristian Avram, Senior Solution Architect at Bitdefender. “Ultimately, it's about applying classic security rules to containers and the associated IT infrastructures: weak point control, patching, automated security and training everyone involved with guidelines. Zero Trust is recommended as a security mechanism for a technology that, due to its great possibilities, has to be monitored conscientiously and continuously.”


 


About Bitdefender

Bitdefender is a leading global provider of cybersecurity solutions and antivirus software, protecting over 500 million systems in more than 150 countries. Since it was founded in 2001, the company's innovations have consistently ensured excellent security products and intelligent protection for devices, networks and cloud services for private customers and companies. As the supplier of choice, Bitdefender technology is found in 38 percent of security solutions deployed around the world and is trusted and recognized by industry experts, manufacturers and customers alike. www.bitdefender.de


 
