When it comes to securing a public cloud infrastructure, many organizations are under the impression that the workloads they run are secured by their cloud services provider. This just isn’t so, and the lackadaisical attitude has resulted in a number of high-profile breaches, including the exposure of 1.8 million records pertaining to U.S. voters.
These events continue to occur despite the steady reminders from Amazon (and others) that public cloud, when it comes to security and regulatory compliance, is a shared responsibility model. As you can see, the reality is organizations have to keep their workloads in the cloud secure. Increasingly those workloads are software containers.
Right now software containers are hot as enterprises seek ways for workloads to move easily from one environment to another. The application container market is one of the most rapidly growing technology markets today. According to the Application Market Research Report, the global application container market is expected to grow from $890 million in 2017 to $4.4 billion by 2023. That’s a compound annual growth rate of roughly 31 percent.
While application containers promise to help developers to more effectively build and manage applications, more readily adopt microservices, and improve software environment portability — they can also increase risk. This is especially true if not managed properly, as we covered in a number of posts including When it Comes to Container Security Enterprises Are Their Own Worst Enemy, The significant impact of containers on security, and the Five keys to consider when it comes to securing containers.
While traditional applications installed on servers require their dependencies to be installed on those servers as well, containers are software packages that bundle the application code together with all of its dependencies, so that, unlike with traditional servers, the application can easily move from one environment to another.
Of course, agility and portability aren’t free. Nothing comes without a tradeoff. And with containers, just as with virtualization, it is all too easy for bad habits to slip in and for containers that aren’t managed to security policy or kept up to date to spread throughout the environment. Soon, these poorly managed, or unmanaged, containers pose a significant risk.
Good container and cloud security should have minimal impact on the workload, be as elastic as the cloud service, and be easy to integrate into the cloud and into the workflow.
Recently, there’s been movement to help rein in container risk.
At AWS re:Invent, AWS announced its secure micro-virtual machine manager, dubbed Firecracker. Firecracker promises to provide fast and secure microVMs in non-virtualized environments. Additionally, AWS announced AWS Marketplace for Containers, which enables AWS users to deploy containers from the marketplace. AWS also announced a private marketplace that enables IT administrators to create their own organizational catalogue of third-party containers that are deemed safe for their staff to run.
The CIS (Center for Internet Security, Inc.) recently announced the availability of its Hardened Container Image on the Amazon Web Services Marketplace for Containers. CIS Hardened Images are cloud-based images secured according to the proven configuration recommendations of the CIS Benchmarks. The CIS Benchmarks are recognized as global standards and best practices for securing IT systems and data against cyber threats. The CIS Hardened Container Image reflects baseline requirements in accordance with applicable CIS Benchmarks to optimize systems running containers. AWS customers can now use the Amazon Elastic Container Service (Amazon ECS) console and the AWS Marketplace for Containers website to discover, procure, and deploy container solutions – including the CIS Hardened Images.
The hardened container follows the CIS and Docker guidance published earlier in the CIS Docker 1.11.0 Benchmark [.pdf]. The Benchmark provides guidance for six categories, among them:
Host configuration security
Security recommendations that prepare a host machine that will run containerized workloads. Securing the Docker host and implementing infrastructure security best practices lays the foundation for securely executing containerized workloads.
Docker daemon configuration
Security recommendations to secure the Docker server (daemon). Reviewing the permissions on Docker-related files and directories helps secure every instance running from that server.
Container Images and Build File
Base images and their build files are what guide how the container behaves, which is vital to a healthy container infrastructure.
By securing the launch of a container, the risk of the container being compromised is greatly reduced. The guidance in this section of the document covers verifying the integrity of the runtime environment.
Docker Security Operations
This section is a solid overview of current security best practices that should be extended to the container environment.
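As an added example, not code from the post or from CIS, the following POSIX shell audit shows what the daemon configuration file checks in the second category above look like in practice: each Docker-related file or directory must be owned by the expected user and group and must grant no permission bit beyond a maximum mode. The paths and expected modes are assumptions drawn from commonly cited CIS Docker Benchmark recommendations and should be verified against the Benchmark version you actually use.

```shell
#!/bin/sh
# Audit Docker daemon configuration files for owner, group and maximum mode.
# Assumes GNU stat (Linux); the path/mode table is an assumption, not the
# authoritative CIS list for any particular Benchmark version.

# check_perm PATH OWNER GROUP MAXMODE
# Prints PASS/FAIL/SKIP and returns 0 on PASS or SKIP (file absent), 1 on FAIL.
check_perm() {
    path=$1; want_owner=$2; want_group=$3; max_mode=$4
    if [ ! -e "$path" ]; then
        echo "SKIP  $path (not present)"
        return 0
    fi
    owner=$(stat -c '%U' "$path") || return 1
    group=$(stat -c '%G' "$path") || return 1
    mode=$(stat -c '%a' "$path") || return 1
    # The file passes if it sets no permission bit that MAXMODE does not:
    # (mode & ~max_mode) == 0, evaluated on octal values ("0" prefix).
    extra=$(( 0$mode & ~0$max_mode ))
    if [ "$owner" = "$want_owner" ] && [ "$group" = "$want_group" ] && [ "$extra" -eq 0 ]; then
        echo "PASS  $path ($owner:$group $mode)"
        return 0
    fi
    echo "FAIL  $path is $owner:$group $mode, want $want_owner:$want_group mode <= $max_mode"
    return 1
}

# Walk a table of path / owner / group / max-mode entries (assumed values
# modelled on typical CIS recommendations) and return the number of failures.
audit_docker_files() {
    fails=0
    while read -r p o g m; do
        [ -z "$p" ] && continue
        check_perm "$p" "$o" "$g" "$m" || fails=$((fails + 1))
    done <<EOF
/etc/docker root root 755
/etc/docker/daemon.json root root 644
/etc/default/docker root root 644
/lib/systemd/system/docker.service root root 644
/lib/systemd/system/docker.socket root root 644
/var/run/docker.sock root docker 660
EOF
    echo "$fails file(s) failed the permission check"
    return "$fails"
}

# Run the full audit only when invoked with --audit, e.g. sh audit.sh --audit
if [ "${1:-}" = "--audit" ]; then audit_docker_files; fi
```

Absent files are reported as SKIP rather than FAIL so the script is usable on hosts that keep the daemon configuration under different paths; adjust the table to match your distribution.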
With the container now available on the marketplace, it’s easier to make certain that anyone who needs to deploy a container can grab a hardened one without much concern.