Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Understanding container security


Published on

Slides for a container security overview webinar I did for the Linux Foundation in the fall of 2016.

Published in: Technology
  • Be the first to comment

Understanding container security

  1. 1. Understanding Container Security
  2. 2. Overview • A Brief History and Overview of Containers • Security Benefits of Containers • Container Vulnerability Management • Responding to Container Attacks
  3. 3. Survey – How familiar are you with containers? • I open them every day – gotta eat to survive • I read about them on TechCrunch • I run them on my raspi at home • We run our production workloads in containers • I contribute code to open source container-related projects
  4. 4. Brief History of Containers
  5. 5. Containers are not new, but…
  6. 6. Container History Timeline Unix V7 FreeBSD Jails Solaris Zones OpenVZ Process Containers cgroups AIX WPARs LXC LMCTFY Docker 1979 2000 2004 2005 2006 2007 2008 2013
  7. 7. How Are Organizations Using Containers?
  8. 8. Container Tech is Being Adopted Quickly
  9. 9. Source: ClusterHQ Container Security : Top # 3 Container Adoption Challenges
  10. 10. Containers in the Future • Phones • IOT • Maybe cars?
  11. 11. Survey – what container platform do you use? • Docker • LXC • LXD • rkt • Solaris/SmartOS based • Unikernel/microkernel or similar • Why didn’t you list my platform? Everyone uses it!
  12. 12. Brief Overview of Container Orchestration
  13. 13. Why Orchestration? • For “real” workloads: • How to launch 500 containers across 20 hosts? • Being aware of resources on each host • Getting storage and networking to right container on the right host • Distribution for speed, efficiency, cost, etc. • As part of a CI/CD process • How to do a rolling update of those 500 live containers to a new sw version?
  14. 14. Lots to Orchestrate Customer VM VM Image Management Networking Customer VM Local Storage NAS/SAN
  15. 15. Lots to Orchestrate Customer VM VM Image Management Networking Customer VM Local Storage NAS/SAN Containers Container Image mgmt Container networking Container storage Host Host Image Mgmt Host Networking Local Storage NAS/SAN
  16. 16. Lots to Orchestrate Containers Container Image mgmt Container networking Container storage Host Host Image Mgmt Host Networking Local Storage NAS/SAN • Swarm networking • Weave networking • Project Calico networking • CoreOS Flannel networking • Flocker storage • Gluster storage • CoreOS Torus storage • … • ... We haven’t talked security, yet.
  17. 17. Survey – How Familiar Are You With Information Security? • It’s common for me to get viruses and ransomware • I’m paid to write code by a deadline • I learned my lesson the first time and now try my best • Due to unspecified agreements I cannot answer this question
  18. 18. Security Benefits of Containers and Microservices • Smaller surface area* • Shorter lifespan* – shorter period when open to attack • More automated process – easier to recreate/redeploy* *(in theory)
  19. 19. Security Benefits of Containers and Microservices • Containerized apps lend themselves to ”12 factor” design
  20. 20. Security Disadvantages of Containers and Microservices • Relatively new technology • Lots of moving parts • Shorter lifespan – this makes investigations more difficult
  21. 21. Container Security Adoption
  22. 22. Survey – What’s your biggest container security concern? • Image security • Host security • Vulnerability management • Container isolation
  23. 23. Results of Twitter Survey
  24. 24. Image Security • Where did an image come from? • Is it an official image? • Is it the right version? • Has somebody modified it?
  25. 25. Image Security • Docker Content Trust export DOCKER_CONTENT_TRUST=1 • CoreOS image signing and verification pgp based
  26. 26. Host Security • Follow standard hardening processes (Bastille, Center for Internet Security, etc.) but only firewall host, not it’s containers • A host itself shouldn’t be “exposed” – there should be no public attack surface. Administer via known private network • One nasty exposure – privileged containers.
  27. 27. Vulnerability Management in a Container World
  28. 28. Managing Security Exposure in Containers
  29. 29. Smaller Image, Less Vulnerabilities • Avoid ”From:Debian” and similar • Software can’t be vulnerable if it’s not installed. An amazingly large percentage of public Docker images are based on Debian, Ubuntu, or CentOS.
  30. 30. Why? Least Privilege • We want the smallest image possible, when we load it across 100 hosts • The smaller the image, the less exposure for potential vulnerabilities • If the parent image has a vulnerability, everybody based on that parent has to re-spin their image
  31. 31. Container Vulnerability Scanners • Open Source: • OpenSCAP • CoreOS Clair • Anchore • Commercial: • Why go with commercial? Might be easier, packaged.
  32. 32. Vulnerability Triage • Developers are being exposed to the secops work of vulnerability/patch management
  33. 33. Understand CVSSv2
  34. 34. Understand CVSS Calculator
  35. 35. Container Isolation
  36. 36. Why Isolate? • Only as secure as your weakest link • What happens if other departments are running in your private cloud? • What happens if other customers are running in your bare metal CaaS?
  37. 37. Capabilities Worst to best: • Run with --privileged=true • Run with –cap-add ALL • Run with --cap-drop ALL --cap-add <only needed> • Run as non-root user, unprivileged Useful: capabilities section of
  38. 38. Seccomp We need to build a list of system calls called by the program… …that we want to succeed • Guess (preferably educated) • RTFM (thanks John!) • Capture behavior – maybe /usr/sbin/strace • Disassembly?
  39. 39. Plan For Container Attacks • Before going to production, think about how you’d investigate an attack • Containers are mostly ephemeral • Collect logs at a central location (ELK, Loggly, etc.) • Practice identifying and snapshotting problem containers • Don’t forget about data backup/recovery
  40. 40. Layered Insight Ozone Comprehensive container-native security Deep visibility and fine-grained control Automatic behavioral templates Machine learning based anomaly detection
  41. 41. Layered Insight Ozone Inside-Out Approach Workload Portability No Special Privileges (Userspace) Zero Impact to Devs / DevOps Fully Automatic LI Instrumented Containers Infrastructure Host OS Docker
  42. 42. Thanks – Let’s continue the conversation! @johnlkinsella Slides posted at
  43. 43. Links • • • •
  44. 44. Data Sources • Moments in Container History: Pivotal • Container Adoption behavior: DataDog • Container Adoption challenges: ClusterHQ • Container Security adoption rates: SDX Central • Layered container image: Ubuntu Data and some graphics provided by: