It’s Friday night and you’ve just finished dinner. You ordered in because it was a long week. So, you take your leftovers that you’re planning on stretching into lunch tomorrow and place it in something like Tupperware or Pyrex and put it in the fridge.
Without getting existential, you did this for a few reasons:
- You want to eat that food again
- You want the food to be stored safely
- You want to easily transfer the food to another environment when you decide to consume it
What Is Containerization?
The concept of containerization in regard to cloud computing is not much different than the food example. Containers are used to isolate and maintain an application. Everything that the application needs to run is placed inside that container. Once it’s contained, you can pick it up and move it around regardless of the host operating system.
Not only does portability go up, but deployment can now be accelerated, less human resources will be used in the process, and you’ve created a segment in your cloud environment that should increase your security.
To continue the analogy, your food is ready to go regardless of how you reheat it or how you plate it.
Containerization and Cybersecurity
While containers should help increase your security profile, that doesn’t mean it doesn’t need any extra attention. Cybersecurity isn’t just the garnish on the container, it’s an essential ingredient.
The challenge here lies in the fact that you’ve just removed your host from the container, and the host is usually where most of the security is concentrated. Firewalls, antivirus and other software designed to detect malicious threats are typically designed for a host. Concentrating your cybersecurity efforts on the host makes sense in a virtual machine environment since the hypervisor is sitting on top of the host operating system and controlling the resources of the apps layered on top.
So, what should your security posture be with your containers?
A good way to approach your new container is to think of it as an endpoint. And endpoints are always the starting point for malicious attacks. The same type of threat detection and response methodology you use to monitor endpoints should be applied to containers.
What is going in? What is going out?
Gaining visibility on the container is key. Currently, the most common container solution is Docker, and this can be paired with Kubernetes or other solutions to build repository frameworks and enhanced visibility to the images. Moving to containers will require a different set of specific tools or time-intensive custom builds, and a commitment to monitoring your containers with new tools is essential. These monitoring tools should not only look at the individual containers but the container engine itself.
Penetration Testing of Containers
But before we even get to implementing a container-specific security solution, we need to handle containers similar to anything else on the network and run a thorough vulnerability scan. While the concept of a container is designed to be extremely resilient and safe, that doesn’t mean a container will be 100% safe from a threat.
For example, while the container may not have a public-facing IP address, the application within may have APIs required for it to function properly. Those APIs can be a weak point that a vulnerability scan could identify. Scans need to be acted on, and remediation should take place.
In addition, continue your regular security patching practice – patches for anything that resides in the container need to be installed with discipline to avoid security leaks over time.
Penetration testing, or pen testing, should be another step once action has been taken from the results of the vulnerability scan. A solid pen tester will specifically ask about the presence of containers on the network and seek to understand how they communicate with one another in an attempt to find weak points. The resources that supply the containers and container daemons need to be thoroughly tested as well.
By following these practices, if a container is compromised, it would ideally be contained within the container environment. But your forensic investigations may be limited as you attempt to remediate: many container best practices involve refreshing the application and/or relaunching it in intervals. This means some of your remediation practices may not be available for inspection even though you have identified a recurring threat. And this all serves to reinforce that containerization is still a relatively newer framework: standards and best practices are evolving as each week passes.
Containerization benefits development teams and enables companies to move to edge compute models with speed, resiliency and efficiency. But expectations need to be set with the executive suite that cybersecurity needs to be a paramount concern as the infrastructure moves to a container model.
CompTIA PenTest+ covers the skills needed for containerization. Download the exam objectives for free to see how it’s covered in the certification.
