Container Security from Cloud to Edge

Deeper Dives: Q&A with Scott McGregor, Cloud Security

We recently published a webinar called “Container Security from Cloud to Edge,” providing insights and clarity on how taking a defense-in-depth approach is fundamental to securing a containerized environment, whether in the cloud or at the edge. If you haven’t checked out this webinar, you can find it here.

Below are highlights from the Q&A that Scott McGregor conducted with the webinar attendees:

How would you describe container technology, and what are its benefits?

Containerization refers to packaging up software (an application or service) with all the dependent components, such as libraries and frameworks, together in one entity. This entity is a container. Because all the required pieces are colocated, the container can be moved around and run on any infrastructure. In addition, running applications leveraging container technology allows the container to operate independently of the operating system (OS) that it’s running on.

One of the primary benefits of containerization is portability. In today’s market, companies want to manage development investment by optimizing the development and deployment of applications by leveraging container technology, instead of independent R&D efforts to identify how to deploy applications to various environments — which drives the inevitable churn that comes when you have “incompatible” environments. Containerization helps customers avoid lock-in, whether at the OS level or even higher in the stack at the CSP level. You can have a container running in the cloud, like Amazon, Azure, or Google Cloud, and take that same container and run it in any of those CSPs or even locally on an internal machine. It would be best if you only built it once. Some other benefits that I would highlight would be fast deployments (more lightweight), reduced internal infrastructure cost (multiple containers running on the same hardware), and application isolation (your application operating as if it is the only thing on the system).

What are some of the risks associated with using this technology?

Some of the risks of containerization are directly related to some of the benefits. One significant risk is that when we have multiple containers running on the same host or machine, it may be possible for the communication and actions of the processes running in one container to become aware of those running in another. Along with the traffic and communications, it may also be possible for artifacts such as files to be accessible from other containers. In a smaller, nonsensitive environment, this might not be a big deal. However, when you think about cloud service providers and host environments where multiple customers could share the same hardware, it’s clear that this can be of some concern.

Another primary concern deals with the nature of the containers themselves. Containers utilize reusable images, making them easy to use because you are leveraging vetted images that may already have some of the needed components in place. The issue is that the images can have vulnerabilities like anything else. Hackers can sometimes spoof image repositories, and users may think they are using trusted images, but they are in fact using compromised ones. Not catching these image vulnerabilities early in the design could spread that vulnerability everywhere the container is running. Because the images are static, these vulnerabilities remain in place until they are patched or replaced. Depending on the vulnerable image, if it is not discovered, it could now be part of other images running in various containers on various systems.

What types of security countermeasures would help to mitigate container security risks?

There are multiple sources for security countermeasure best practices; here are two I would recommend: the Center for Internet Security – CIS Benchmarks, and the National Institute of Standards and Technology NIST SP 800-190 Application Container Security Guide.

There are several countermeasures and controls outlined in those documents. I will quickly talk about two broad categories that can be applied to counteract some of the risks discussed previously. The first deals with confidentiality of communication. Earlier, I mentioned how it might be possible for one container to see the traffic and communications from another. We can leverage technologies such as TLS or mTLS with Istio. TLS essentially uses encryption and key management capabilities to ensure that communications can only be read and understood by the intended recipient. So even in cases where traffic is compromised, the traffic would be useless because it would be encrypted. You can also implement network policies that segment network traffic for specific entities.

The other category mainly deals with internal container security controls. These controls affect the underlying container’s allowances, privileges, and behavior. They protect for the case in which a malicious actor gains access to a container, drastically limiting any damage. Some of the more popular settings are the runAsNonRoot (unable to run any root level actions), capabilities (can control specifically what capabilities the container itself can use; a list limited to only critical capabilities helps the overall security posture), and readOnlyRootFilesystem (prevents a malicious actor from tampering with the underlying application or writing malicious executables to disk).

What are some of the software projects that are driving container technology adoption?

Cloud Native Computing Foundation (CNCF):  The CNCF is an open source software foundation that aims to make cloud-native computing more universal, standardized, and accessible. It has defined a model that evaluates projects based on their relative maturity (“sandbox,” “incubating,” or “graduated”).

While there are a bunch of related open source projects, a few that I want to point out are Kubernetes, Prometheus, and Harbor.

Kubernetes: Kubernetes handles container orchestration.

Prometheus: The Prometheus System Monitoring Tool monitors running containers in an environment, providing a more straightforward way to monitor the activities going on in the containers.

Harbor: The Harbor Image Repository provides secure management of container images. As mentioned, this is very important in ensuring the security of the containerized application (it starts with the image).

Please note that numerous open source projects focus on the container security space. Various tools evaluate containers and container images for vulnerabilities and best-practice compliance. I want to highlight one significant project: Open Policy Agent Gatekeeper. It allows users to define various security conditions the containers in their environment must meet. It essentially allows you to put a fence around your system that will not let any containers run in that system if they do not meet the defined policies. Something like this goes a long way toward increasing the security posture of an environment.

How is container technology used for edge-to-cloud use cases?

At a fundamental level, we can think of the cloud as a connected set of nodes (or physical hardware machines or computers) dispersed into different locations. Applications, services, and programs run on those nodes or devices and are available anywhere via the internet. Initially, these nodes were all just computers located in data centers. We are now seeing the ability to have what is called edge nodes. These are smaller, more robust devices closer to the user, which can run applications from those locations. For example, we can now consider things as small as automotive components, telco systems, and handheld devices as edge nodes. The containers previously running on the machine located in the data center can now run on one edge node.

Because we are still leveraging containerization, all the previous threats I mentioned apply. There is one additional primary concern, with the node being a computer in a data center. We benefit from all those layers of security and defense in depth that the secure data centers provide. However, when we now have edge nodes that can be things as small as handheld devices, they become a lot more accessible and do not have all the protections that the machines in the data centers have. To help counteract the potential security threat, we leverage various hardware-level security controls such as secure boot and anti-tamper. These make it harder for malicious actors to compromise a system even if they can access it.

For anyone looking to step into the intelligent system space and leverage cloud-native technologies such as containerization, reach out to Wind River and ask us about a security assessment. Then, based on your goals, we can provide specific guidance and technologies (including open source) that you can use to secure and transform your system.