
Challenges of Securing Containers in the Cloud

Image: Shipping containers in Copenhagen

Containers are standard units of software that consolidate everything necessary to run an application into a single, standalone entity. A container encapsulates the code, runtime, system tools, libraries, and settings necessary to run an application. Using containers enhances portability and facilitates a program’s journey through its development and implementation cycles. 

Popular container platforms like Docker and Kubernetes are widely used in cloud computing. Containers offer customers many advantages in portability, application isolation, and separation of team responsibilities. Using containers contributes to agile development and more efficient operations.  

While the benefits afforded by employing containers are substantial, they can be difficult to keep secure. The beneficial characteristics of using containers, such as faster development to meet evolving market demands, have to be balanced with viable security measures. 

Following are a few of the challenges associated with securing containers in cloud environments and some best practices to help minimize their potential risks. 

Insecure or poisoned images

Images are the building blocks used to construct containers. These images can be built by in-house developers or downloaded from a third party. Even when your developers are building their images, they usually rely on a third-party base image as their foundation. This fact opens the door to using potentially tainted or malicious images. 

Precautions can be taken to minimize the possibility that the images used to build a container are corrupted or insecure. A security operations (SecOps) team needs to institute policies that include: 

  • Identifying trusted sources for images and libraries;
  • Performing checks to ensure only authentic images from valid sources are being used in the development pipeline. 

Containers running with excessive privileges

Excessive privileges present a security problem throughout the information technology (IT) world. Containers are no different in this respect and provide multiple attack surfaces for hackers. Gaining control of a highly privileged container enables malicious actors to wreak havoc on a computing environment.  

To avoid this issue, don’t run containers with the privileged flag, which essentially gives the container the root capabilities of the host; a compromised privileged container can do just about anything. A better strategy is to grant fine-grained privileges and capabilities that do not pose the same danger if misused. The time spent tuning privileges will be handsomely repaid by less powerful containers that don’t put your environment at risk. 
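The two policies above (using only authentic images from trusted sources, and never running privileged containers) can be enforced as a manifest check in the pipeline. The following is an added example, not code from the article: it scans a constructed Kubernetes Pod manifest for images outside an assumed trusted registry or not pinned by digest, and for containers that run privileged, add dangerous capabilities, or fail to drop capabilities. The registry name, the capability list, and the manifest are constructed for illustration.

```python
import re

TRUSTED_REGISTRIES = {"registry.example.internal"}  # assumption: a constructed trusted source
# Capabilities that let a process tamper with the host; tuned per workload in practice
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

def parse_registry(image: str) -> str:
    """Registry of an image reference, following Docker's naming convention."""
    first = image.split("/", 1)[0]
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"  # bare names such as nginx:latest resolve to Docker Hub

def check_container(c: dict) -> list[str]:
    """Findings for one container entry of a Pod spec."""
    name, image, out = c.get("name", "<unnamed>"), c.get("image", ""), []
    if parse_registry(image) not in TRUSTED_REGISTRIES:
        out.append(f"{name}: image {image!r} is not from a trusted registry")
    if not DIGEST_RE.search(image):
        out.append(f"{name}: image {image!r} is not pinned by digest")
    sc = c.get("securityContext", {})
    if sc.get("privileged"):
        out.append(f"{name}: runs privileged (root capabilities of the host)")
    caps = sc.get("capabilities", {})
    for cap in sorted(set(caps.get("add", [])) & DANGEROUS_CAPS):
        out.append(f"{name}: adds dangerous capability {cap}")
    if "ALL" not in caps.get("drop", []):
        out.append(f"{name}: does not drop ALL capabilities before adding back what it needs")
    if sc.get("allowPrivilegeEscalation", True):
        out.append(f"{name}: allowPrivilegeEscalation is not set to false")
    return out

def check_pod(pod: dict) -> list[str]:
    """Findings across all containers of a Pod manifest."""
    return [f for c in pod.get("spec", {}).get("containers", []) for f in check_container(c)]

# Constructed manifest: "legacy" breaks every rule above, "hardened" follows them.
SAMPLE_POD = {"spec": {"containers": [
    {"name": "legacy", "image": "nginx:latest", "securityContext": {"privileged": True}},
    {"name": "hardened", "image": "registry.example.internal/app@sha256:" + "a" * 64,
     "securityContext": {"privileged": False, "allowPrivilegeEscalation": False,
                         "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}},
]}}

if __name__ == "__main__":
    for finding in check_pod(SAMPLE_POD):
        print("FINDING:", finding)
```

Run against a real manifest, the same check works as a CI gate: a non-empty finding list fails the build before the image reaches a cluster.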

Hardening the container environment

Hardening the host, images, and container daemon all contribute to reducing runtime risks. This includes measures such as reducing the attack surface by removing noncritical native functionality from the host. Permissions for critical system directories need to be carefully reviewed so that only necessary privileges are granted to processes inside containers. 

Benchmarks containing hardening guidelines for Docker environments have been published by the Center for Internet Security. These standards offer an excellent baseline for improving the security of an enterprise’s container environment.  

The benefits afforded by containers are too valuable to be ignored. Using them effectively and safely requires a dedicated security mindset that takes the complete environment into account. Vigilant security will minimize the risks inherent in containers and enable organizations to take advantage of their flexibility and portability.

Robert Agar

I am a freelance writer who graduated from Pace University in New York with a Computer Science degree in 1992. Over the course of a long IT career I have worked for a number of large service providers in a variety of roles revolving around data storage and protection. I currently reside in northeastern Pennsylvania where I write from my home office.
