August 22, 2017

Four best practices to secure your containers

Timo Ahomäki

Head of Portfolio Development, Tieto Security Services

An attack against an improperly maintained container environment could have serious consequences. What can we do to mitigate the risks and secure our containers?

In our last blog posting, we discussed some security issues present in container technology, which is the foundation for running modern applications. Now, let’s look at the best practices to secure containers in production.

The big challenge in complex container environments is to bake cyber security into every container across all applications. More than ever, building security as an add-on layer will not work.

Here are four tips to tackle the challenge:

1. Automate and centralize container management. The key to securing the environment is to take a systematic approach from the start. A centralized container repository and management system ensures that only properly hardened containers from reliable sources find their way into the end product.

2. Harden your containers and the host OS against a well-known benchmark. Depending on the intended use of the end product, you may want to take one of different approaches to hardening the host and container images. In one extreme, all container images are run as immutable entities, in read-only mode. While bringing clear security advantages, this approach introduces complexity in terms of log management, database access, etc. In the other end, where a writable file system is a must, e.g. Docker provides facilities for auditing and rollbacks of unauthorised changes.

One good resource for container hardening is the Center for Internet Security (CIS) Docker hardening benchmark. Following the lines of virtual machine hardening rules, this 200 page behemoth gives a complete picture on the state of the art in Docker hardening. For those looking for a more practical, hands on tool, Docker Bench Security is a script package validating a Docker configuration against the CIS hardening guidelines.

Limit privileges and isolate

After hardening, it is time to ensure that any breach of an individual container cannot escalate to a system-wide emergency.

3. Pay attention to container isolation and good networking hygiene. The first step must be to ensure no container is allowed to run as root. An accepted best practice is to require each container to run as a separate, unprivileged user. This makes it more difficult for an attacker to hop laterally from one container to another, and avoids compromise of the host OS root access in case of an escape. However, it also underlines the need for central container management in order to control the sprawl of user credentials.

To limit the possibility for a DoS event in case of a breach, inter-container communication should be limited by default. In many ways, the best practices in this area are similar to those related to microsegmentation of networks in the data center level. Naturally, CPU and RAM usage limits should be configured for each container, as well as thread and process limits in the host OS. These limits are useful not only to control damage in case of a breach, but also in case of a runaway container due to a programming or configuration error.

A final level of isolation is following proper microservice patterns, for example ensuring each container only runs a single task or service. This makes the containers simpler to manage and greatly reduces the attack surface.

4. Monitor container behaviour for anomalies. Despite all the above initiatives, it is still possible for a container to get compromised. Because of this, we need a capability to discover any anomalies at an early stage. There are many solutions available for detecting configuration policy violations, anomalous behavior and unwanted communication patterns in the container environment, both from leading container system vendors and 3rd parties. Whichever solution is chosen it is imperative to ensure the findings are always processed by a competent Security Operations Center in order to provide a quick response to a possible breach event.

As a whole, securing containers is not a Herculean task. Once you create clear security rules and follow them systematically, you limit the risks significantly without adding too much extra complexity to the environment.

Do you want to know more about security in the complex ICT era? Download our white paper about visible cyber security.

Stay up-to-date

Get all the latest blogs sent you now!