What’s this “D” word everyone is talking about?
Oh.. you mean Docker!! The latest buzz word everyone is talking about and every MNC is running after to grab it’s share. So, what’s all this Jazz? Let me start with a quick introduction, Containerization provides a simple and lightweight counterpart to full virtualization which encapsulates only the application rather than the full operational stack. Docker is a containerization tool, it makes it very easy to create, deploy, maintain and run applications using containers.
Containers enable developers to easily create, deploy and run any software application as a lightweight, self-sufficient container, which can run virtually anywhere and is also very portable. “Containers gives you instant application portability.” In addition, they are super easy to deploy in a cloud and their whale mascot is super cute.
Fig: Docker Architecture; Picture reference : xenostack.com
It’s impact? Large players like Google, Amazon, Microsoft, RedHat and IBM are making big bets on containerization. Also, several startups are targeting this technology and building orchestration and CRM platforms on it. As one prediction goes: “The application container market will explode over the next five years.” So, it’s very important for us (especially security folks) to understand this new technology and what it holds for future of Enterprise Security.
Picture reference : BestDevOps.com
Containers vs traditional VM’s
Now you might be asking, application virtualization exists in VM, in fact I’m already running it, so what’s tasting different in my traditional Banana Milkshake?
Well you’re not wrong, by nature they serve the same purpose, but are architecturally different, in this case we just give you a Milkshake and you replace the Bananas with whatever you want. Let try to explain this better..
The key difference between containers and VMs is while VM’s are virtualizing and abstracting the entire physical device, containers are abstracting only the OS layer.
Containers are an abstraction of just the top layer i.e the application layer (this can be compared to each container being a software application in itself). Several containers have one base OS and are not yet hybrid (should be either Windows containers or Linux containers)
VMs are an abstraction of the entire stack which means that each VM is a full replica of a physical machine. VM’s use one physical server (also called bare metal server) to run the equivalent of many servers and each of these individual servers is called a VM. So, while multiple VMs run on one physical machine, each VM has its own Operating System, applications and their related files, libraries and dependencies.
Fig: Comparison between Containers and VM’s; Picture reference : Cybrary.com introduction to docker
Containers use shared operating systems. This means they are much more efficient and very fast compared to hypervisors in availability and handling of resources. Instead of fully virtualizing the entire hardware stack, containers will rest on a single OS instance.
This does not mean VM’s will become useless, they have their own importance. VM’s are very useful when several applications are to be run on multiple servers and hardware separation is required. But, if you need to run many *copies* of a single application, containerization offers some compelling advantages.
Where’s the Security Part?? Ah.. there it is!
All this awesomeness obviously comes with some security concerns. The same elements that make containers so lightweight and agile also make them a challenge for security.
- Sincle underlying OS is shared, an attack on a vulnerability on the host OS lead to a compromise of the entire stack and all containers in it.
- Traditional Security mechanisms target the host and will not have full visibility of the stack.
- Use of micro-services transforms a small number of workloads into 10s or 100s of containers that need to be managed.
- Since containers are so easy to spin up, an overwhelming number of containers will be created and traditional network and endpoint controls will not be able to secure them.
- A new attack surface is born through the APIs and control plane, which increase the complexity in bringing the actual computing services, exposing application internals.
Style of attacks
Fig: Some Attack scenario’s in Containerization
As enterprises gear up for this new technology and its rapid expansion, one main concern is keeping count of how many containers your Dev’s actually spin up. Let’s face it, Dev’s don’t listen to anything you say, they will find the easiest way to complete an application and will most definitely write a script to spin up containers as fast as McDonalds make its burgers.
But here are some general best practices to ensure nothing majorly (again I said majorly) goes wrong:
- Lifecycle Management
Majority of the security lies in managing the lifecycle of these containers. By that we mean creating, deploying, maintaining and destroying these containers. We strongly recommend that when updating a container, you test the entire stack from a security perspective instead of just the updated layer.
- Information Management
Sensitive information such as secrets (e.g., SSH keys, passwords, tokens, TLS certificates) need to be encrypted and stored in a Secrets Manager (e.g., Docker Swarm, HashiCorp Vault) and not at the host level.
- Access Control
Large organizations can incorporate role-based access control (RBAC) and use directory solutions such as Active Directory to manage permissions for all personnel of the organization.
- Docker Image Authentication
Checking the authenticity of all images before downloading them from untrusted sources is essential. To avoid introducing new security bugs, use images that are digitally signed and security tested by either Docker’s Security Scanning Services or trusted parties only.
In order to avoid security vulnerabilities, always use base images that are reviewed and scanned by Docker’s Security Scanning Services or use a base image that is digitally signed by Docker Content Trust.
- Resource Utilization
To reduce performance impacts and denial-of-service attacks, it is a good practice to implement limits on the system resources that the containers can consume. If, for example, a web server is compromised, it helps to limit the impact to the other processes that are running on a host.
In conclusion, this is a fairly new technology with a tremendous future. Just how the expansion of cloud impacted Enterprise Security, Containerization will have far reaching implications we are not aware of yet and attack surfaces we can’t measure yet. But just as any new technology goes, there will always be attackers and there will always be defenders and it’s important we start today and start now.
Anirudh Rao Kotaru
Attack & PenTest Team