Ensure the Security of the Control PlaneLimit access to two administrative accounts, one with responsibility for operating and orchestrating containers and the other for system administration. Network, physical and logical segregation should also be implemented for on-premise and cloud/virtual systems.
Resource Usage AnalysisAny external resource usage could serve as a potential attack point. It’s therefore good hygiene to limit these ingress and egress points using third-party tools that can monitor runtime access to environment resources inside and outside the container.
Selecting the Right ImageCreate a trusted image repository and ensure that the production environment can pull containers from trusted sources only. Organizations should also look to procure a solution that’s capable of checking application signatures and rejecting containers that are not properly signed.
Immutable ImagesOne of the easiest ways that organizations can prevent attackers from manipulating their runtime containers in real time is by disallowing SSH connections. They should also keep track of changes and/or version control.
Time to LiveIt’s possible that a container could be susceptible to a new vulnerability if it’s been live for weeks or months. Organizations should, therefore, limit container lifetimes to a couple hours or days at most, to update the image and to replace running containers using the old image.
Input ValidationThis is a no-brainer. Organizations need to validate the suitability and policy compliance of all input data either manually or using a security tool. They should also verify that each container receives the correct user and group ID.
Platform SecurityA lot of container runtime security recommendations focus on securing the hypervisor and underlying operating system. But container runtime security should encompass more than that. It should also address platform security by keeping the following advice in mind:
Host OS/Kernel HardeningOrganizations can protect a host operating system from attacks and misuse by choosing a hardened variant of the OS. They can then use a baseline configuration to remove unnecessary features. Enterprises would also be wise to set user authentication and access roles along with permissions for binary access.
Resource Isolation and AllocationA critical element of container security is limiting container access to underlying OS resources. Organizations can do this by making sure container privileges are assigned a role and that containers don’t run as the host OS root user. They can then use a resource isolation model that employs namespaces and cgroups.
Segregate WorkloadsIt’s recommended that organizations isolate container engine/OS groups and their containers at the network level. They should also use only a limited number of containers per VM, grouping them by trust level/workload or assigning them to a dedicated cloud VPC.
Orchestration Manager SecurityContainer runtime security must also account for containers within a specific orchestration manager framework. Oftentimes, container managers need tuning in order to be secure. Here’s some guidance towards that end:
- Limit who can access admin features
- Segregate development and production resources
- Set network security policies to “default deny” inbound connections
- Limit services and users that can access metadata
- Ensure requesting parties are authorized
- Quickly patch and replace vulnerable cluster services and containers
- Collect logs from all containers and nodes
- Use security checkers and benchmarks like the CIS Critical Security Controls
There’s More Where That Came From…Want more advice on how to strengthen your organization’s container runtime security? Download The Complete Guide to Container Security today. Also, join us for a live webinar on September 27, where we will walk you through essential tips on container assessments and streamlined DevOps security. You’ll also get a quick introduction to Tripwire for DevOps, the SaaS tool that automates DevOps security with dynamic container analysis right inside your Jenkins dashboard. Attendees will hear expert advice on:
- DevOps best practices for quickly resolving security issues
- Security analysis for source code and web application tools
- Avoiding misconfigurations without stalling the CI/CD pipeline