Container technology is being increasingly used by organizations as a way to deploy applications and micro-services. The promise of containers is improved agility and portability, while potentially also reducing the attack surface. Though container technology can be helpful for security, it can also have its own set of risks.
In a panel session at the recent Kubecon + CloudNativeCon EU event titled "Modern App Security Requires Containers" -- moderated by eSecurity Planet -- security experts from Cloud Native Computing Foundation (CNCF) project and Google debated what's wrong and what's right with container security.
Understanding Kubernetes and Docker
It's important to first understand the multiple layers and components that make up the container landscape. At the most basic level is the container, which today typically is a Docker container, which is a virtualized application that runs on top of a container runtime engine.
When running more than one container at a time, there is a need for a container orchestration system, which is what Kubernetes provides. Kubernetes is an open-source project that was started at Google four years ago, and is now hosted by the Cloud Native Computing Foundation.
CNCF security projects
While Kubernetes provides the core framework for container orchestration, there are multiple additional CNCF efforts that can help improve Kubernetes in different ways. On the security front among the projects are the Open Policy Agent, Notary (for code signing), The Update Framework (for secure updates), and SPIFFE (the Secure Production Identity Framework).https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
CNCF does not mandate or prescribe a reference architecture for Kubernetes and associated project deployment. However, Justin Cappos, professor in the Computer Science and Engineering department at New York University and leader of the TUF project, said the various projects do tend to communicate with each other.
Torin Sandall, technical lead of the open source Open Policy Agent (OPA) project, said there is a policy working group within the Kubernetes community that is looking at bringing together a lot of the different policies for security resource management.
"Right now, a lot of that information is just written down somewhere and no one knows how to tie it together," Sandall said.
David Lawrence, leader of the security team at Docker Inc., said there are a lot of security companies in the market today, and many different open source projects for security too.
"At some point you have to decide on the right combination of projects, and people will collect around the major ones," Lawrence said. "I think then we'll actually see some of these integrations come together and we'll see more things that are designed to plug in together across the space."
Despite all the CNCF projects for Kubernetes security, Maya Kaczorowski, Product Manager at Google, said there are still a lot of basic security elements that need to be further improved in Kubernetes itself.
"There's a lot of work that still needs to be done from a basic security management perspective as a user," Kaczorowski said. "It's not very usable right now if you're not one of the people sitting in this room who wants to spend the time learning how community security works."
"We can't expect users to just go deploy it and for it to be secured," Kaczorowski, added.
Andrew Jessup, co-founder of Scytale and leader of the SPIFFE project, agreed with Kaczorowski, that basic Kubernetes security, including proper encryption and cluster access control, needs to be put in place by users first.
"Putting better locks on the door doesn't help you if you leave the door open every night," Jessup said. "There's a whole set of basic concerns around Kubernetes hygiene that you probably want to solve, frankly, first before thinking about some of these higher-level projects that add a lot of value, but not on an unsecure framework."
Security by default a goal
One of the missing elements in Kubernetes, according to Docker's Lawrence, is more security by default. Lawrence cited the February 2018 hack of electric automobile vendor Tesla's Kubernetes cluster as an example of why Kubernetes is often insecure by default. In the Tesla hack, a developer deployed a default Kubernetes installation with a TCP port open to the Internet. An attacker was able to then access the cluster and start mining cryptocurrency on it.
"There should be at least a step the user has to take to configure it to be insecure, right?" Lawrence said. "By default, I think today when you go and deploy Kubernetes, you have push-button insecure."
Defense in depth
While Kubernetes might not currently be secure by default, there are a lot of positive things that containers and Kubernetes add to security. Lawrence said containers have reduced the scope of what organizations are trying to control, and that allows organizations to apply a much more tailored defense-in-depth policy.
Containers at the most basic level provide a limited isolation boundary and a high degree of control. Jessup said that in his view, the container industry is now in a much better place to start to have higher-level conversations on how to broadly improve security.
While containers have some security benefits, Kaczorowski emphasized the existing security controls for network and application security still have a role to play too. She said that while containers are different than virtual machines (VMs), there are many ways they are alike too.
"If you have an IPS (intrusion prevention system) for your on-premises environment for your VMs, you'll still need one for your containers," Kaczorowski said. "You still need a firewall; that doesn't go away."
What does change with containers, according to Kaczorowski, are software supply chain issues. In the past, an organization bought a box from a vendor that was certified and backed by a vendor. With container applications, code is being pulled from myriad sources and it's not always clear where everything comes from.
"I think we're gonna have to spend a lot more time as an industry looking at the software supply chain, which is why you see things like TUF and notary, which are helping to secure that aspect, she said.
Coming soon on eSecurity Planet: A comprehensive guide to container security vendors.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.