Securing Containers: Understanding and Mitigating Vulnerabilities

Share and earn Cybytes
Facebook Twitter LinkedIn Email

Adoption of containers as a means to package and run applications continues to surge. There are many benefits driving this trend, first and foremost for developers, but also extending across the entire application lifecycle.

While container adoption continues to soar, organizations face a number of critical challenges in protecting the secrets and credentials necessary for a containerized workflow.

In a recent On the Front Lines Webinar, we explored several container-specific security vulnerabilities and the techniques to address them, which are applicable to Docker, Kubernetes and popular platforms such as OpenShift and Cloud Foundry.

To set the stage, we examined a typical Docker workflow. This includes the initial client request to the host (which comprises the Docker daemon, containers and images) and the registries that house all of the images. The Docker daemon is a service that runs on the host OS and manages both the containers and images. It looks out for API requests from Docker and also acts as the communication layer to manage other services within Docker. (You can read more about this here).

There are six specific points throughout this Docker ecosystem that could be breached at any given point in time and lead to either malicious or unintended consequences. Following is a look at each of these steps, along with best practices to mitigate risk.

  1. Unsecured access to the Docker API. Users added to the “Docker” group can use all Docker functions that utilize images and containers. To mitigate risk, do not add all accounts to the “Docker” group and enforce least privilege policies to limit commands that can be sent by a user.
  2. Passing secrets from host to container using environment variables at run time. Secrets can be passed through to the Docker container at run time using the “e-“ flag. These secrets have to be passed through in clear text. Any automation scripts will have to define these variables. As part of this, any user with access to the Docker API will be able to grab the secret information. It’s essential to limit commands available to the user and secure host access by monitoring privileged user sessions.
  3. Running containers with the privileged flag. Running containers with the “—privileged” flag provides the container with direct access to host elements such as devices and other pieces of hardware. To minimize the risk of data breaches and outages associated with uncontrolled access, it’s important to enforce least privilege policies across your Docker hosts.
  4. Running containers as root. By not declaring a user for each container or using the “—user” flag, container users have access to the same GUID and UID as the host machine – even if the passwords are different. This can lead to the container(s) gaining access to files on the host machine if they are mapped within the container. It’s important to always map to a known user at the end of your Dockerfile and also restrict access to Docker run time commands.
  5. Insecure image registries. All Docker containers come from one or more Docker registries. With unsecured access to these registries, an attacker can manipulate your images to add code – without your approval or knowledge. To prevent this from happening, you should always secure your registries with SSL/TSL, create distinct users, store user(s) and certificate information in a secure vault and regularly rotate credentials.
  6. Unsecured access to the Docker host(s). All of your efforts to protect your Docker APIs, image registries, etc. will be for naught if an attacker can access your host machine(s). Therefore, all SSH and web page connections to your Docker/orchestration host machine should be monitored and recorded, and all root accounts should be managed, stored and regularly rotated in a secure vault.

While there’s no question that containers are here to stay, they have introduced a host of new security challenges that must be addressed. Now is the time to assess your container environment and begin protecting privileged access.

For tips on getting started, tune in to the full webinar, check out CyberArk Conjur and its comprehensive integrations with leading container platforms or contact your CyberArk team for a full evaluation.

The post Securing Containers: Understanding and Mitigating Vulnerabilities appeared first on CyberArk.

Share this post and earn Cybytes
Facebook Twitter LinkedIn Email
About CyberArk
CyberArk is the only security company that proactively stops the most advanced cyber threats – those that exploit insider privileges to attack the heart of the enterprise. The company has pioneered a new category of targeted security solutions to lock down privileged accounts and protect against cyber threats before attacks can escalate and do irreparable business damage. CyberArk is trusted by the world’s leading companies – including more than 40 of the Fortune 100 – to protect their highest value information assets, infrastructure and applications, while ensuring tight regulatory compliance and audit requirements.
Promoted Content
Advanced cyber attacks involve compromised privileged accounts. Cyber attackers target them because they represent the keys to the IT kingdom. Effective enterprise security includes proactively protecting privileged accounts. Industry experts have identified practices that increase an organization’s vulnerability to a cyber attack. How many of these are common at your organization?

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge


We recommend always using caution when following any link

Are you sure you want to continue?