Container security is not a unitary action but a multifaceted process. It involves securing the build environment using secure code control and other strategies. The procedure also necessitates securing containers’ contents via code analysis and unit tests.
At some point, organizations need to develop a plan to secure their containers in production systems, as well. Provided below are a few steps that organizations can take to strengthen their container runtime security. These recommendations are broken down into three categories: runtime security, platform security and orchestration manager security.
Ensure the Security of the Control Plane
Limit access to two administrative accounts, one with responsibility for operating and orchestrating containers and the other for system administration. Network, physical and logical segregation should also be implemented for on-premises and cloud/virtual systems.
Resource Usage Analysis
Any external resource usage could serve as a potential attack point. It’s therefore good hygiene to limit these ingress and egress points using third-party tools that can monitor runtime access to environment resources inside and outside the container.
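As an added example (not code from the original post or from Tripwire), the following script shows the kind of check a runtime monitoring tool performs: it parses a constructed set of per-container flow records and flags every egress connection that falls outside a hypothetical per-container allowlist of expected destinations and ports. The record format, the container names and the allowlist are all constructed for the example.

```python
import ipaddress
import re

# Constructed flow records (not a real tool's output) in the shape:
#   <direction> <container> <peer ip> <port> <protocol>
SAMPLE_FLOWS = """\
egress web-1 10.0.0.5 5432 tcp
egress web-1 203.0.113.9 443 tcp
egress web-1 198.51.100.77 9001 tcp
ingress web-1 10.0.0.20 8080 tcp
egress worker-2 10.0.0.5 5432 tcp
egress worker-2 10.0.0.99 6379 tcp
"""

# Hypothetical per-container allowlist of expected egress: (destination network, port).
# Anything not listed here counts as unexpected use of an external resource.
EGRESS_ALLOW = {
    "web-1": [("10.0.0.0/24", 5432), ("203.0.113.0/24", 443)],
    "worker-2": [("10.0.0.5/32", 5432)],
}

FLOW_RE = re.compile(
    r"^(?P<dir>egress|ingress)\s+(?P<ctr>\S+)\s+(?P<dst>\S+)\s+(?P<port>\d+)\s+(?P<proto>\w+)$"
)


def parse_flows(text):
    """Parse the constructed flow format into dicts. Malformed lines raise rather
    than being dropped silently: a dropped line is a blind spot in the monitor."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FLOW_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable flow record: {line!r}")
        records.append({
            "direction": m["dir"],
            "container": m["ctr"],
            "dst": ipaddress.ip_address(m["dst"]),
            "port": int(m["port"]),
            "proto": m["proto"],
        })
    return records


def is_allowed(container, dst, port, allow):
    """True if (dst, port) falls inside one of the container's allowlisted (network, port) pairs."""
    for net, allowed_port in allow.get(container, []):
        if port == allowed_port and dst in ipaddress.ip_network(net):
            return True
    return False


def unexpected_egress(text, allow=EGRESS_ALLOW):
    """Return (container, destination, port) for every egress flow outside the allowlist."""
    findings = []
    for rec in parse_flows(text):
        if rec["direction"] != "egress":
            continue
        if not is_allowed(rec["container"], rec["dst"], rec["port"], allow):
            findings.append((rec["container"], str(rec["dst"]), rec["port"]))
    return findings


if __name__ == "__main__":
    for container, dst, port in unexpected_egress(SAMPLE_FLOWS):
        print(f"unexpected egress from {container} to {dst}:{port}")
```

On the sample data the two flows that do not match the allowlist (web-1 to 198.51.100.77:9001 and worker-2 to 10.0.0.99:6379) are the ones reported; the same allowlist can be turned into an enforcing network policy once the monitor shows it is complete.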
Selecting the Right Image
Create a trusted image repository and ensure that the production environment can pull containers from trusted sources only. Organizations should also look to procure a solution that’s capable of checking application signatures and rejecting containers that are not properly signed.
One of the easiest ways for organizations to prevent attackers from manipulating their running containers in real time is to disallow SSH connections into them. They should also track changes and keep them under version control.
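The two preceding recommendations (pull only from trusted sources, reject unsigned images, and allow no SSH into running containers) can be enforced at admission time. The script below is an added example, not code from the original post or from Tripwire: it checks each container in a constructed pod spec against a hypothetical list of trusted registries, requires the image to be pinned by digest, verifies that the build pipeline published a signature for that digest, and rejects containers that expose port 22 or start an SSH daemon. The signature scheme is a constructed HMAC that stands in for a real image-signing system; the registry names, digests and pod spec are likewise constructed.

```python
import hashlib
import hmac
import re

# Hypothetical trusted registries: production may only pull from these.
TRUSTED_REGISTRIES = {"registry.internal.example", "mirror.internal.example"}

# Constructed signing key. It stands in for a real image-signing system (where a
# detached signature is verified against the publisher's public key); the HMAC
# only keeps the example self-contained and is not a substitute for real signing.
SIGNING_KEY = b"constructed-demo-signing-key"

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def sign_digest(digest):
    """Signature the (hypothetical) build pipeline publishes for an approved image digest."""
    return hmac.new(SIGNING_KEY, digest.encode(), hashlib.sha256).hexdigest()


def split_image(ref):
    """Split an image reference into (registry, repository, digest or None).
    The first path component is a registry only if it looks like a host
    ('.' or ':' in it, or 'localhost'); otherwise the image is on Docker Hub."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, repo = first, rest
    else:
        registry, repo = "docker.io", ref
    repo = repo.partition(":")[0]  # drop a mutable tag; the digest is what we pin on
    return registry, repo, digest


def check_container(container, signatures):
    """Return the list of policy violation codes for one container spec (empty = admitted)."""
    violations = []
    registry, _repo, digest = split_image(container["image"])
    if registry not in TRUSTED_REGISTRIES:
        violations.append("untrusted-registry")
    if digest is None or not DIGEST_RE.match(digest):
        violations.append("unpinned-image")
    else:
        published = signatures.get(digest)
        if published is None or not hmac.compare_digest(published, sign_digest(digest)):
            violations.append("unsigned-image")
    # No interactive access path: sshd must be neither exposed nor started.
    if 22 in container.get("ports", []):
        violations.append("ssh-port-exposed")
    if any("sshd" in part for part in container.get("command", [])):
        violations.append("ssh-daemon-started")
    return violations


def admit(pod, signatures):
    """Admission decision for a whole pod: (admitted, {container name: violations})."""
    report = {}
    for c in pod["containers"]:
        found = check_container(c, signatures)
        if found:
            report[c["name"]] = found
    return (not report), report


# Constructed sample: one compliant container and one that breaks most of the rules.
GOOD_DIGEST = "sha256:" + hashlib.sha256(b"constructed web image layers").hexdigest()
SIGNATURES = {GOOD_DIGEST: sign_digest(GOOD_DIGEST)}  # what the pipeline published
SAMPLE_POD = {"containers": [
    {"name": "web", "image": f"registry.internal.example/app/web@{GOOD_DIGEST}",
     "ports": [8080], "command": ["/app/server"]},
    {"name": "debug", "image": "nginx:1.25",
     "ports": [22], "command": ["/usr/sbin/sshd", "-D"]},
]}

if __name__ == "__main__":
    print(admit(SAMPLE_POD, SIGNATURES))
```

Pinning by digest matters for the signature check: a tag can be re-pointed at different content after it was signed, whereas a digest identifies exactly the bytes that were approved, so the policy refuses to evaluate a signature for an unpinned reference at all.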
Time to Live
It’s possible that a container could be susceptible to a new vulnerability if it’s been live for weeks or months. Organizations should, therefore, limit container lifetimes to a couple of hours, or a few days at most, to update the image and to replace running containers using the old (Read more...)
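As an added example of the time-to-live rule (not code from the original post or from Tripwire), the script below takes a constructed inventory of running containers and the latest approved digest for each image, and returns the containers that should be recycled: those that have outlived a hypothetical 48-hour maximum age, and those still running an image that a newer approved build has superseded. It then splits the result into rolling batches so replacement does not take the whole service down at once. The registry names, digests and timestamps are all constructed.

```python
import hashlib
from datetime import datetime, timedelta

# Hypothetical policy: nothing runs longer than this before being replaced from the current image.
MAX_AGE = timedelta(hours=48)


def digest_of(label):
    """Constructed image digest for the sample data (not a real image)."""
    return "sha256:" + hashlib.sha256(label.encode()).hexdigest()


OLD_WEB, NEW_WEB, WORKER = digest_of("web build 41"), digest_of("web build 42"), digest_of("worker build 7")

# Latest approved digest per image repository, as the trusted registry would report it.
CURRENT_DIGESTS = {
    "registry.internal.example/app/web": NEW_WEB,
    "registry.internal.example/app/worker": WORKER,
}

# Constructed inventory of running containers (as an orchestrator export might give it).
RUNNING = [
    {"id": "web-a", "image": "registry.internal.example/app/web", "digest": OLD_WEB, "started": "2024-05-01T08:00:00Z"},
    {"id": "web-b", "image": "registry.internal.example/app/web", "digest": NEW_WEB, "started": "2024-05-03T00:00:00Z"},
    {"id": "web-c", "image": "registry.internal.example/app/web", "digest": OLD_WEB, "started": "2024-05-03T00:00:00Z"},
    {"id": "worker-a", "image": "registry.internal.example/app/worker", "digest": WORKER, "started": "2024-05-01T00:00:00Z"},
]


def parse_ts(value):
    """RFC 3339 timestamp with a trailing Z to an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def recycle_plan(running, current, now, max_age=MAX_AGE):
    """Return [(container id, [reasons])] for containers that should be replaced:
    they have outlived max_age, or a newer approved digest exists for their image."""
    plan = []
    for c in running:
        reasons = []
        if now - parse_ts(c["started"]) > max_age:
            reasons.append("max-age-exceeded")
        latest = current.get(c["image"])
        if latest is not None and latest != c["digest"]:
            reasons.append("image-superseded")
        if reasons:
            plan.append((c["id"], reasons))
    return plan


def plan_for(now_iso, running=RUNNING, current=CURRENT_DIGESTS, max_age=MAX_AGE):
    """Convenience wrapper: evaluate the plan for a given RFC 3339 'now'."""
    return recycle_plan(running, current, parse_ts(now_iso), max_age)


def rollout_batches(plan, batch_size):
    """Split the plan into batches so replacements roll through gradually."""
    ids = [cid for cid, _ in plan]
    return [ids[i:i + batch_size] for i in range(0, len(ids), batch_size)]


if __name__ == "__main__":
    plan = plan_for("2024-05-03T12:00:00Z")
    for cid, reasons in plan:
        print(cid, ", ".join(reasons))
    print(rollout_batches(plan, 2))
```

Age alone is not the only trigger: a container that is only hours old but still runs a superseded digest is also queued, which is what turns "replace the old image" into something the orchestrator can act on rather than a periodic manual task.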
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by David Bisson. Read the original post at: https://www.tripwire.com/state-of-security/devops/strengthen-production-systems-with-container-runtime-security/