In this presentation, we talk about:
- Introduction to Containers
- Container Security Overview
You can watch the complete session here:
https://youtu.be/w2-NtdAkrOI?t=1901
5. Qualys, Inc. Confidential Presentation. Internal Only.
Containers are changing the IT landscape
Source: Datadog. Docker hosts run an average of 7 containers, and 25% of companies run 14+ containers.
Why Containers
• Less overhead
• Run Anywhere
• Isolation
• More consistent operation
• Greater efficiency
08 August 2019
What are Containers?
A logical packaging mechanism for your applications.
A methodology that decouples applications from operating systems.
Containers are often compared with virtual machines, but containers offer a far more lightweight unit for developers and IT Ops teams to work with, carrying a myriad of benefits.
[Figure: virtual machines vs. containers, bottom layer first]
Virtual machines: Infrastructure > Host Operating System > Hypervisor > Guest OS > Bins/Libs > App, with a separate Guest OS and Bins/Libs for each of App 1, App 2 and App 3.
Containers: Infrastructure > Host Operating System > Docker Engine > Bins/Libs > App, with a separate Bins/Libs for each of App 1, App 2 and App 3 and no guest OS.
The security-relevant difference is the missing layer: every container shares the host kernel, whereas each VM has its own guest kernel behind the hypervisor, so container isolation rests on kernel namespaces, cgroups and capabilities rather than on a hardware-virtualized boundary.
Container Deployment Models
[Figure: two deployment models, bottom layer first]
On Virtual Machines: Server > Host Operating System > VM Hypervisor > two Virtual Machines, each running Linux > Docker Engine > Libraries; the first VM hosts App A, App B and App C, the second App D, App E and App F.
On Bare Metal Server: Server > Host Operating System > Docker Engine > Libraries > App A, App B, App C, App D, App E and App F on one host.
Container Components & Lifecycle
[Figure: container components and lifecycle: Dockerfile > Image > Registry > Containers]
Dockerfile (the deck's Apache example, with its typos corrected: image names are lowercase, the apt-get flag is -y, and the variable is APACHE_RUN_USER):
# Apache image
FROM ubuntu:12.04
RUN apt-get update
RUN apt-get install -y apache2
ENV APACHE_RUN_USER www-data
Image: built from the Dockerfile (the slide labels it myApache:2.2:Latest) and pushed to an image registry.
Containers: run from the image on a Docker Engine, whether on an AWS EC2 instance, under AWS ECS (Elastic Container Service), or on an on-premises or public-cloud host / VM.
Note that ubuntu:12.04 reached end of life in April 2017, before this deck was written, so an image built from it receives no security updates; a supported base tag belongs there.
Container Security
Challenge, Threats and Goals
Containers Bring Unique Security Challenges
Unlike traditional environments:
• Deployed at hyperscale (large scale × 'n' microservices per application)
• Open development practices (docker pull centos:latest)
• Network communication is host independent, with container-to-container traffic that traditional HIDS and HIPS do not see
• Deployments are highly elastic and can be extremely ephemeral
• No in-place patching: update the source definition (Dockerfile / image) and swap the running containers out
Container Risks/Threats
Impacts on the security program
1. Un-validated external software
2. Non-standard configurations
3. Lack of deployment hygiene
4. Unmonitored container-to-container communication (East-West traffic)
5. Untracked ephemeral instances
6. Unauthorized access (lack of proper governance)
Security program areas affected: Vulnerability Mgmt., Compliance, Container Firewall (Layer 3), GRC, Asset Mgmt. + GRC
Container Threat Vector - 1
Un-validated external software
• Deploy static binary code analysis for any custom code components as they are integrated into the build
• Detect vulnerabilities in images and harden them in the automated build pipeline using image scanning solutions
• Set up private image repositories
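One way to turn the image-scanning bullet into a pipeline gate, as an added example that is not Qualys's code or any scanner's API: the report shape, the registry name registry.example.internal, the package data and the exception list are assumptions of this example; only the CVE identifiers are real. The gate fails the build on CRITICAL or HIGH findings unless a risk-acceptance exception exists and has not expired, so accepted risk is revisited instead of silently persisting.

```python
"""Build-pipeline gate over a container image scan report.

Added example, not Qualys code. The report format below is an assumption
of this example, not any scanner's real schema: a pipeline step would
feed the scanner's JSON into evaluate() and fail the job on a non-zero
exit before `docker push`.
"""
import json
from datetime import date

# Constructed sample report. The CVE identifiers are real; the image name
# and the package/version data are made up for the example.
SAMPLE_REPORT = json.dumps({
    "image": "registry.example.internal/web/apache:2.4",
    "findings": [
        {"id": "CVE-2014-0160", "package": "openssl", "installed": "1.0.1e",
         "fixed": "1.0.1g", "severity": "HIGH"},
        {"id": "CVE-2021-44228", "package": "log4j-core", "installed": "2.14.1",
         "fixed": "2.17.1", "severity": "CRITICAL"},
        {"id": "CVE-2016-2183", "package": "openssl", "installed": "1.0.1e",
         "fixed": "1.0.1u", "severity": "MEDIUM"},
    ],
})

# Severities that stop the build unless a documented exception exists.
BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}


def evaluate(report_json, exceptions, today):
    """Decide whether the scanned image may be pushed.

    exceptions maps a finding id to the ISO date (YYYY-MM-DD) on which its
    risk acceptance expires; an expired exception no longer suppresses the
    finding. today is an ISO date string as well.
    """
    report = json.loads(report_json)
    today = date.fromisoformat(today)
    blocking, accepted, advisory = [], [], []
    for f in report["findings"]:
        if f["severity"] not in BLOCKING_SEVERITIES:
            advisory.append(f["id"])
            continue
        expiry = exceptions.get(f["id"])
        if expiry is not None and today <= date.fromisoformat(expiry):
            accepted.append(f["id"])
        else:
            blocking.append(f["id"])
    return {
        "image": report["image"],
        "passed": not blocking,
        "blocking": blocking,   # must be fixed (or formally excepted) before push
        "accepted": accepted,   # covered by an unexpired exception
        "advisory": advisory,   # reported, but below the blocking threshold
    }


def remediation(report_json, finding_ids):
    """Map blocking finding ids to the package upgrade that clears them."""
    findings = {f["id"]: f for f in json.loads(report_json)["findings"]}
    return {fid: f"{findings[fid]['package']} {findings[fid]['installed']} -> {findings[fid]['fixed']}"
            for fid in finding_ids}


if __name__ == "__main__":
    decision = evaluate(SAMPLE_REPORT, {"CVE-2014-0160": "2019-12-31"}, "2019-08-08")
    print(json.dumps(decision, indent=2))
    print(remediation(SAMPLE_REPORT, decision["blocking"]))
    # Non-zero exit is what makes the CI job fail before the push step.
    raise SystemExit(0 if decision["passed"] else 1)
```

Run it as a pipeline step after the scan and before the push; the exception map would normally come from a reviewed file in the repository, not from the build itself, so nobody can wave a finding through by editing the job definition.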
Container Threat Vector - 2
Non-standard configurations
• Run CIS Docker Benchmark compliance checks for Docker environments
• Upgrade the Docker engine to the latest version possible to avoid known security vulnerabilities
• Only allow approved host OSs by creating Gold Builds that are pre-hardened with up-front compliance checks
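What a CIS-style compliance check actually inspects, as an added example that is neither Qualys's code nor the CIS benchmark tooling: the checks follow well-known CIS Docker Benchmark recommendations for the daemon and for running containers, and the inputs are constructed daemon.json content and a constructed subset of `docker inspect` output. The weak and hardened configurations are shown side by side so the difference between a default install and a Gold Build is concrete.

```python
"""CIS-style hardening audit for a Docker host and its containers.

Added example, not Qualys code and not the CIS benchmark tooling. The
checks mirror CIS Docker Benchmark recommendations; the inputs are
constructed daemon.json content and a constructed subset of
`docker inspect` output for a single container.
"""
import json

# --- constructed daemon.json content -------------------------------------
# An unhardened engine: every key below is simply absent.
WEAK_DAEMON = json.dumps({})
# The same engine with the daemon-level recommendations applied.
HARDENED_DAEMON = json.dumps({
    "icc": False,                # no inter-container traffic unless explicitly linked
    "userns-remap": "default",   # root inside a container is unprivileged on the host
    "no-new-privileges": True,   # default no_new_privs for every container
    "live-restore": True,        # containers survive a daemon restart
})

# --- constructed `docker inspect` fragments --------------------------------
# `docker inspect <id>` returns a list; this is one element, trimmed to the
# fields the audit reads.
WEAK_CONTAINER = json.dumps({
    "Name": "/legacy-app",
    "Config": {"User": "", "Image": "centos:latest"},
    "HostConfig": {
        "Privileged": True, "NetworkMode": "host", "PidMode": "host",
        "IpcMode": "", "CapAdd": ["SYS_ADMIN"], "ReadonlyRootfs": False,
        "SecurityOpt": None,
    },
    "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                "Destination": "/var/run/docker.sock"}],
})
HARDENED_CONTAINER = json.dumps({
    "Name": "/web",
    "Config": {"User": "www-data", "Image": "registry.example.internal/web/apache:2.4"},
    "HostConfig": {
        "Privileged": False, "NetworkMode": "bridge", "PidMode": "",
        "IpcMode": "", "CapAdd": None, "ReadonlyRootfs": True,
        "SecurityOpt": ["no-new-privileges"],
    },
    "Mounts": [],
})


def audit_daemon(daemon_json):
    """Return the names of daemon-level checks that fail."""
    cfg = json.loads(daemon_json)
    checks = {
        "inter-container traffic restricted (icc=false)": cfg.get("icc") is False,
        "user namespace remapping enabled": bool(cfg.get("userns-remap")),
        "no-new-privileges set by default": cfg.get("no-new-privileges") is True,
        "live-restore enabled": cfg.get("live-restore") is True,
    }
    return [name for name, ok in checks.items() if not ok]


def audit_container(inspect_json):
    """Return the names of runtime checks that fail for one container."""
    c = json.loads(inspect_json)
    host = c["HostConfig"]
    uid = (c["Config"].get("User") or "").split(":")[0]   # "user[:group]"
    sec_opts = host.get("SecurityOpt") or []
    # Accept both "no-new-privileges" and "no-new-privileges:true".
    nnp = any(opt.split(":")[0] == "no-new-privileges" and opt != "no-new-privileges:false"
              for opt in sec_opts)
    docker_sock = any(m.get("Source") == "/var/run/docker.sock" for m in c.get("Mounts", []))
    checks = {
        "not privileged": not host.get("Privileged"),
        "host network namespace not shared": host.get("NetworkMode") != "host",
        "host PID namespace not shared": host.get("PidMode") != "host",
        "host IPC namespace not shared": host.get("IpcMode") != "host",
        "no added kernel capabilities": not host.get("CapAdd"),
        "root filesystem read-only": host.get("ReadonlyRootfs") is True,
        "no-new-privileges enforced": nnp,
        "runs as non-root user": uid not in ("", "root", "0"),
        "docker socket not mounted": not docker_sock,
    }
    return [name for name, ok in checks.items() if not ok]


if __name__ == "__main__":
    for label, data in (("weak daemon", WEAK_DAEMON), ("hardened daemon", HARDENED_DAEMON)):
        print(label, "->", audit_daemon(data) or "all checks pass")
    for label, data in (("weak container", WEAK_CONTAINER), ("hardened container", HARDENED_CONTAINER)):
        print(label, "->", audit_container(data) or "all checks pass")
```

The mounted Docker socket and the privileged flag are the two findings to treat as host compromise rather than misconfiguration: either one lets a process in the container start a new, fully privileged container on the host.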
Container Threat Vector - 3
Container to container traffic
• Require container-specific intrusion monitoring tools that analyze traffic between containers
• Use an updated IDS to detect anomalies and process them through the approved SOC exception-handling process
• Maintain a whitelist of container actions to allow approved applications and services, and extend the solution to quarantine or block unapproved containers from spinning up
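The whitelist approach applied to east-west traffic, as an added example that is not Qualys's code or any IDS product: the flow-record format, the service names (web, api, db) and the traffic samples are constructed for this example. The allowlist is keyed on service names rather than IP addresses, because container IPs change on every restart; it is learned from staging traffic, with a minimum-occurrence threshold so a one-off test connection does not become policy, and then enforced against production flows.

```python
"""Allowlist of container-to-container (east-west) flows.

Added example, not Qualys code or any IDS product. Flow records are
constructed text lines in a format assumed for this example; the
allowlist is keyed on service names, learned from staging traffic and
then enforced against production traffic.
"""
import re
from collections import Counter

# Assumed flow-record format: one line per observed connection attempt.
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\w.-]+) dst=(?P<dst>[\w.-]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>tcp|udp)$"
)

# Constructed staging traffic: the pair web -> db appears once, from a
# developer poking at the database, and must not become policy.
STAGING_FLOWS = """\
2019-08-08T09:00:01Z src=web dst=api dport=8080 proto=tcp
2019-08-08T09:00:02Z src=api dst=db dport=5432 proto=tcp
2019-08-08T09:00:03Z src=web dst=api dport=8080 proto=tcp
2019-08-08T09:00:04Z src=api dst=db dport=5432 proto=tcp
2019-08-08T09:00:05Z src=web dst=db dport=5432 proto=tcp
2019-08-08T09:00:06Z src=web dst=api dport=8080 proto=tcp
"""

# Constructed production traffic with two flows the allowlist does not cover.
PRODUCTION_FLOWS = """\
2019-08-08T10:00:01Z src=web dst=api dport=8080 proto=tcp
2019-08-08T10:00:02Z src=api dst=db dport=5432 proto=tcp
2019-08-08T10:00:03Z src=web dst=db dport=5432 proto=tcp
2019-08-08T10:00:04Z src=api dst=web dport=22 proto=tcp
"""


def parse_flows(text):
    """Parse flow records into (src, dst, dport, proto) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = FLOW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable flow record: {line!r}")
        flows.append((m["src"], m["dst"], int(m["dport"]), m["proto"]))
    return flows


def learn_allowlist(staging_text, min_count=2):
    """Build the allowlist from staging: a flow is allowed only if it was
    seen at least min_count times, so a one-off connection stays out."""
    counts = Counter(parse_flows(staging_text))
    return {flow for flow, n in counts.items() if n >= min_count}


def detect(production_text, allowlist):
    """Return the production flows not covered by the allowlist, in order."""
    return [flow for flow in parse_flows(production_text) if flow not in allowlist]


def describe(flow):
    src, dst, dport, proto = flow
    return f"{src} -> {dst}:{dport}/{proto}"


if __name__ == "__main__":
    allowed = learn_allowlist(STAGING_FLOWS)
    for flow in detect(PRODUCTION_FLOWS, allowed):
        print("east-west violation:", describe(flow))
```

The same allowlist is what a Layer 3 container firewall would enforce; the detection pass is the monitoring counterpart the slide asks for, and the two flagged flows (web reaching the database directly, and api opening SSH to web) are exactly the lateral movement a host-based IDS never sees.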
Container Threat Vector - 4
Untracked ephemeral instances
• Containers' average lifetimes are much shorter than virtual machines' (a few hours or days vs. weeks, months or years)
• Deploy tools to track events on Docker hosts
• Collect and review container, parent image and orchestration tool (Kubernetes, Mesos) information
• Effective incident response requires this data for reviewing past activity, identifying who did what and setting up forensic actions
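What tracking events on a Docker host gives the incident responder, as an added example that is not Qualys's code: the input is constructed to match the JSON-lines output of `docker events --format '{{json .}}'` (container IDs shortened for readability, timestamps made up), and the output is a per-container record that still exists after the container has died and been destroyed, which is the only evidence left once `docker inspect` has nothing to show.

```python
"""Container lifecycle timeline from Docker engine events.

Added example, not Qualys code. The input is constructed to match the
JSON-lines output of `docker events --format '{{json .}}'`; the output is
a per-container record that outlives the container itself.
"""
import json

# Constructed event stream: a long-running web container and a batch job
# that lived for 14 seconds, plus an image pull that is not a container event.
SAMPLE_EVENTS = """\
{"status":"create","id":"9f1c2a","from":"nginx:1.17","Type":"container","Action":"create","Actor":{"ID":"9f1c2a","Attributes":{"image":"nginx:1.17","name":"web"}},"scope":"local","time":1565258400}
{"status":"start","id":"9f1c2a","from":"nginx:1.17","Type":"container","Action":"start","Actor":{"ID":"9f1c2a","Attributes":{"image":"nginx:1.17","name":"web"}},"scope":"local","time":1565258401}
{"Type":"image","Action":"pull","Actor":{"ID":"alpine:3.10","Attributes":{"name":"alpine"}},"scope":"local","time":1565258405}
{"status":"create","id":"4b77e0","from":"alpine:3.10","Type":"container","Action":"create","Actor":{"ID":"4b77e0","Attributes":{"image":"alpine:3.10","name":"job-42"}},"scope":"local","time":1565258410}
{"status":"start","id":"4b77e0","from":"alpine:3.10","Type":"container","Action":"start","Actor":{"ID":"4b77e0","Attributes":{"image":"alpine:3.10","name":"job-42"}},"scope":"local","time":1565258411}
{"status":"die","id":"4b77e0","from":"alpine:3.10","Type":"container","Action":"die","Actor":{"ID":"4b77e0","Attributes":{"exitCode":"0","image":"alpine:3.10","name":"job-42"}},"scope":"local","time":1565258425}
{"status":"destroy","id":"4b77e0","from":"alpine:3.10","Type":"container","Action":"destroy","Actor":{"ID":"4b77e0","Attributes":{"image":"alpine:3.10","name":"job-42"}},"scope":"local","time":1565258426}
"""


def build_timeline(events_text):
    """Fold the event stream into one record per container ID.

    Returns (timeline, pulled): the per-container records and the list of
    (time, image) image pulls, which tell you what landed on the host."""
    timeline, pulled = {}, []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        attrs = ev["Actor"]["Attributes"]
        if ev["Type"] == "image":
            if ev["Action"] == "pull":
                pulled.append((ev["time"], ev["Actor"]["ID"]))
            continue
        if ev["Type"] != "container":
            continue   # network, volume and plugin events are out of scope here
        rec = timeline.setdefault(ev["Actor"]["ID"], {
            "name": attrs.get("name"), "image": attrs.get("image"),
            "created": None, "started": None, "died": None,
            "exit_code": None, "destroyed": False,
        })
        action = ev["Action"]
        if action == "create":
            rec["created"] = ev["time"]
        elif action == "start":
            rec["started"] = ev["time"]
        elif action == "die":
            rec["died"] = ev["time"]
            rec["exit_code"] = attrs.get("exitCode")
        elif action == "destroy":
            rec["destroyed"] = True
    return timeline, pulled


def lifetime_seconds(rec):
    """Seconds between start and die, or None while still running."""
    if rec["started"] is None or rec["died"] is None:
        return None
    return rec["died"] - rec["started"]


def gone_containers(timeline):
    """IDs that have been destroyed: nothing to `docker inspect` any more,
    so these records are the only evidence the container existed."""
    return [cid for cid, rec in timeline.items() if rec["destroyed"]]


if __name__ == "__main__":
    timeline, pulled = build_timeline(SAMPLE_EVENTS)
    for cid, rec in timeline.items():
        print(cid, rec["name"], rec["image"], "lifetime:", lifetime_seconds(rec),
              "gone" if rec["destroyed"] else "present")
    print("images pulled:", pulled)
```

Ship the raw event stream off the host as it is produced (the engine does not retain it), and key the records on the full container ID plus the image digest rather than the name: names are reused, and `job-42` tomorrow may run a different image than `job-42` today.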
Container Threat Vector - 5
Unauthorized access
• Restrict access to public code repositories and redirect available source libraries to private registries with pre-trusted images
• Validate trust when pulling down new images
• Segment users to specific environments and libraries with RBAC
• Deploy container-specific IPS solutions to monitor behavior in staging environments and populate a whitelist to pass to the IDS
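The first two bullets as an enforceable policy on image references, as an added example that is not Qualys's code: the approved registry name registry.example.internal, the sample references and the placeholder digest are assumptions of this example. The parser follows Docker's reference normalisation (the first path component is a registry only if it contains a '.' or ':' or is 'localhost'; otherwise docker.io and the library/ namespace are implied), so `centos:latest` is correctly recognised as an unpinned pull from the public hub rather than as a bare name.

```python
"""Image-reference policy: approved registry, immutable tag, digest pin.

Added example, not Qualys code. The registry name registry.example.internal
and the sample references are assumptions; the parsing follows Docker's
reference normalisation rules.
"""
import re

APPROVED_REGISTRIES = {"registry.example.internal"}   # assumed private registry
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_reference(ref):
    """Return (registry, repository, tag, digest) for a Docker image reference."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, remainder = first, rest
    else:
        registry, remainder = "docker.io", ref
    repo, sep, tag = remainder.rpartition(":")
    if not sep or "/" in tag:           # no tag at all
        repo, tag = remainder, None
    if registry == "docker.io" and "/" not in repo:
        repo = "library/" + repo        # official images live under library/
    return registry, repo, tag, digest


def check_reference(ref):
    """Return the policy violations for one reference (empty list = allowed)."""
    registry, repo, tag, digest = parse_reference(ref)
    violations = []
    if registry not in APPROVED_REGISTRIES:
        violations.append(f"registry {registry} is not approved")
    if tag in (None, "latest"):
        violations.append("tag is missing or mutable (:latest)")
    if digest is None:
        violations.append("not pinned to a sha256 digest")
    elif not DIGEST_RE.match(digest):
        violations.append("malformed digest")
    return violations


def check_manifest(images):
    """Check every image reference a deployment manifest would pull."""
    return {ref: check_reference(ref) for ref in images}


# Constructed references; the digest is a placeholder, not a real image.
SAMPLE_IMAGES = [
    "centos:latest",
    "localhost:5000/tools/scanner:1.0",
    "registry.example.internal/base/ubuntu:18.04@sha256:" + "ab" * 32,
]

if __name__ == "__main__":
    for ref, problems in check_manifest(SAMPLE_IMAGES).items():
        print(ref, "->", "allowed" if not problems else "; ".join(problems))
```

The digest pin is what makes "pre-trusted" meaningful: a tag can be re-pointed at different content in the registry, a sha256 digest cannot. On the engine side, Docker Content Trust (DOCKER_CONTENT_TRUST=1) adds signature verification at pull time, which is the "validate trust" bullet; this check is the admission-time counterpart that runs before anything is pulled.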
Container Security Goals “101”
Discovery & tracking across scale and sprawl
Effective vulnerability management, compliance and container-native
intrusion detection, prevention and firewall program
Adaptive security that integrates into modern practices and platforms
(DevSecOps)
Update Operational Monitoring, Patching and Incident Response