Containers are on the rise. In a 2020 Enterprisers Project report, the vast majority (84%) of IT leaders surveyed said that their employers were running containers in 2019. That’s up from 73% for the previous year. Moreover, more than half (56%) of survey respondents revealed that they expected their employers to increase their container deployments over the next 12 months.

However, such growth overlooks key security challenges that organizations commonly face when deploying containers. Illustrating this fact, the Fall 2020 edition of StackRox’s State of Container and Kubernetes Security Report indicates that nine in 10 respondents suffered a container security incident in the past year. The experience of these incidents, not to mention the potential of additional security events, had an impact on organizations’ business strategies. Nearly half (44%) of survey participants responded they had delayed deploying an application into production as the result of security concerns.

These findings raise an important question: what types of security challenges are causing these container incidents and motivating organizations to delay deploying their applications?

A Primer on Containers

Before we answer that question, we need to understand why security challenges are emerging at this time. These lightweight virtual machines have been around since the early 2000s, yet developers didn’t begin using them widely until recently. Consequently, organizations are only now beginning to realize containers’ potential.

For instance, containers share the host OS kernel at runtime rather than booting their own, which means that these software technologies don’t require many resources in order to launch. They’re also small in size. This gives organizations the opportunity to run more containers than VMs on their systems and save some money in infrastructure costs along the way.

In recognition of these and other benefits, organizations are beginning to replace some of their other cloud-based technologies with containers. But this is giving rise to security threats for which security teams are not entirely prepared. Four areas, in particular, make container security a unique challenge for organizations. These are container images, kernel root accounts, user access control, and the web host.

Container Images

Container images are static files that include executable code for running on IT infrastructure as isolated processes. To make this happen, container images contain system libraries and settings, notes TechTarget. They also share the OS kernel with their host machine.

Container images commonly suffer from three security issues:

  • Vulnerabilities: Container images might harbor vulnerabilities that attackers can leverage to escalate their privileges on a container, execute code remotely, and/or move laterally throughout the organization’s container environment in order to compromise data that’s stored in the cloud. Cloud security incidents could place organizations in violation of regulations, data protection standards, and other compliance obligations, thereby placing them in jeopardy of incurring hefty non-compliance fees.
  • Copycat Images: Malicious actors might create lookalike container images in an attempt to trick organizations into downloading malicious content under the guise of trusted, legitimate programs.
  • Untrusted Sources: Administrators might be tempted to download a container image from an untrusted source, but given the possibility that malicious actors modified the image in some way, there’s really no guessing what that image could do.

In response to these security threats, organizations need to implement vulnerability scanning and other security best practices for their container images. Some best practices include, but are not limited to:

  • Avoid Pulling Containers from Unknown Sources
  • Scan Your Images for Vulnerabilities
  • Configure Image Signing and Enforcement
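The first two practices above can be enforced mechanically before an image is ever run. The following Python is an added example written for this article, not code from the report or any vendor it cites: it parses an image reference, rejects images from registries outside an allowlist or not pinned by digest, and then gates on a vulnerability scan summary. The registry allowlist, the image names, the CVE placeholders and the scan report (whose shape is loosely modelled on a scanner's JSON output) are all constructed for the example. Signature verification, the third practice, is left to a signing tool and is not reproduced here.

```python
import re
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

# Constructed allowlist for the example; a real deployment would carry its own.
ALLOWED_REGISTRIES = {"registry.example.internal", "ghcr.io"}
BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Split [registry/]repo[:tag][@digest]; the registry defaults to docker.io."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, sep, rest = ref.partition("/")
    # The first path component is a registry only if it looks like a host.
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    tag = None
    colon = path.rfind(":")
    if colon > path.rfind("/"):
        path, tag = path[:colon], path[colon + 1:]
    return ImageRef(registry, path, tag, digest)


def check_image_ref(ref: str) -> List[str]:
    """Policy for 'avoid pulling from unknown sources': allowlisted registry, digest pinned."""
    img = parse_image_ref(ref)
    problems = []
    if img.registry not in ALLOWED_REGISTRIES:
        problems.append(f"registry {img.registry!r} is not on the allowlist")
    if img.digest is None:
        problems.append("image is not pinned by digest")
    elif not DIGEST_RE.match(img.digest):
        problems.append("malformed digest")
    if img.tag == "latest" or (img.tag is None and img.digest is None):
        problems.append("floating tag resolves to a different image over time")
    return problems


def severity_counts(report: Dict[str, Any]) -> Dict[str, int]:
    """Count findings per severity in a scanner-style report (Results[].Vulnerabilities[])."""
    counts: Dict[str, int] = {}
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            sev = str(vuln.get("Severity", "UNKNOWN")).upper()
            counts[sev] = counts.get(sev, 0) + 1
    return counts


def admit(ref: str, scan_report: Dict[str, Any]) -> List[str]:
    """Return the reasons to reject the image; an empty list means admit."""
    reasons = check_image_ref(ref)
    blocking = {s: n for s, n in severity_counts(scan_report).items()
                if s in BLOCKING_SEVERITIES}
    if blocking:
        reasons.append("scan found blocking findings: "
                       + ", ".join(f"{s}={n}" for s, n in sorted(blocking.items())))
    return reasons


# Constructed scan report; the CVE identifiers are placeholders, not real advisories.
SAMPLE_SCAN = {
    "Results": [
        {"Target": "app (base image)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-EXAMPLE-0001", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-EXAMPLE-0002", "Severity": "MEDIUM"},
        ]},
        {"Target": "usr/bin/app", "Vulnerabilities": None},
    ]
}

if __name__ == "__main__":
    for ref in ("nginx:latest",
                "registry.example.internal/team/app@sha256:" + "a" * 64):
        print(ref, "->", admit(ref, SAMPLE_SCAN) or "admit")
```

Run as a script, the first reference is rejected for four reasons (unlisted registry, no digest, floating tag, a HIGH finding) and the second only for the HIGH finding; feed the same functions an empty scan result and the pinned, allowlisted image is admitted.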

Kernel Root Accounts

In terms of container functionality, the kernel of a machine’s host operating system is important because it addresses the need to simultaneously run different functions of an app. These functions are all supported by interrelated containers that share the kernel, explains phoenixNAP. But there’s an issue: any user who receives access to the kernel root account for those containers can access every container that shares that kernel. Compromise a user or the kernel root account, and you can compromise all of the connected containers.

User Access Control

This leads us to another important consideration for container security: who has access to the containers? Organizations don’t want to unnecessarily expose their containers to attackers. They therefore have an incentive to protect their assets from those who would seek to compromise an employee’s credentials and abuse their victim’s privileges to access containers, pods and other elements of their container environments. They need security measures that can help effectively enforce the principle of least privilege across the organization’s east-west traffic.

The Web Host

Lastly, we need to explore the issue of how containers can affect the web host itself. The Container Journal explains that organizations can use container orchestration systems to limit the exposure of the web host. In particular, organizations can use control groups to limit how much of the shared kernel and system resources a container might consume, and namespaces to restrict what resources a container can see and access.

To make these systems work, organizations need to make sure they configure their control groups and namespaces correctly. Otherwise, they could leave the web host exposed by granting their containers the ability to access too much, which would pave the way for a massive security incident if a malicious actor were to gain that level of access.
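The three preceding sections (the shared kernel root account, least privilege for access to containers, and control groups and namespaces for the host) all come down to settings in the orchestrator's workload definition. The Python below is an added example written for this article, not code from any project or source the article cites. It audits a Kubernetes-style pod spec for the misconfigurations those sections describe: running as root, privileged mode and retained capabilities (the root-account and least-privilege points), sharing the host's PID, network or IPC namespaces (the namespace point), and missing CPU and memory limits (the control-group point). The two pod specs are constructed for the example; the field names are the ones Kubernetes uses.

```python
from typing import Any, Dict, List

# Constructed "before" spec: a workload with no isolation settings at all.
WEAK_POD = {
    "hostPID": True,
    "hostNetwork": True,
    "containers": [{
        "name": "app",
        "image": "docker.io/example/app:latest",
        "securityContext": {"privileged": True},
    }],
}

# Constructed "after" spec: the same workload with the settings the article calls for.
HARDENED_POD = {
    "containers": [{
        "name": "app",
        "image": "registry.example.internal/example/app@sha256:" + "0" * 64,
        "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
        "securityContext": {
            "privileged": False,
            "runAsNonRoot": True,
            "allowPrivilegeEscalation": False,
            "readOnlyRootFilesystem": True,
            "capabilities": {"drop": ["ALL"]},
            "seccompProfile": {"type": "RuntimeDefault"},
        },
    }],
}


def audit_pod(pod: Dict[str, Any]) -> List[str]:
    """Return one finding per setting that widens a container's reach into the host."""
    findings: List[str] = []
    # Namespace isolation: sharing a host namespace lets the container see host
    # processes, the host network stack or host IPC objects.
    for ns in ("hostPID", "hostNetwork", "hostIPC"):
        if pod.get(ns):
            findings.append(f"pod shares the host {ns[4:]} namespace")
    for c in pod.get("containers", []):
        name = c.get("name", "?")
        sc = c.get("securityContext", {})
        limits = c.get("resources", {}).get("limits", {})
        # Root and privilege: a privileged root process on the shared kernel
        # reaches every container that shares it.
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if not sc.get("runAsNonRoot"):
            findings.append(f"{name}: not required to run as non-root")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: privilege escalation allowed")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: does not drop all capabilities")
        if sc.get("seccompProfile", {}).get("type") not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}: no seccomp profile")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: writable root filesystem")
        # Control groups: without limits one container can starve the host.
        for res in ("cpu", "memory"):
            if res not in limits:
                findings.append(f"{name}: no {res} limit (cgroup unbounded)")
    return findings


if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, audit_pod(pod) or ["no findings"])
```

The same checks map onto the admission controls an orchestrator already offers; the value of keeping them in a small script is that the weak and hardened specs can be diffed side by side in review, and each finding names the specific host resource the setting would expose.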

The Imperative for Trained Cloud Security Personnel

Containers are just one element of a cloud environment that organizations need to secure. There’s also cloud-based data storage, DevOps, microservices, and more. Given these diverse uses of the cloud, organizations need skilled professionals who understand the unique challenges of attaining security with their containers and other cloud-based assets.

How can organizations find that type of talent? And how can security personnel equip themselves with the experience and knowledge that’s needed to defend organizations?

Both parties should look to the Certified Cloud Security Professional (CCSP). This ISC2 certification is engineered to help security professionals build their careers and gain the necessary vendor-neutral knowledge to better protect cloud-based assets. The certification advances candidates’ understanding of cloud security by emphasizing six different domains: cloud security operations, legal risk & compliance, cloud concepts architecture & design, cloud data security, cloud platform & infrastructure security and cloud application security.

Those who achieve CCSP certification will effectively join a global community of like-minded security professionals who possess a solid foundation in, expanded knowledge of and stronger skill set pertaining to cloud security. CCSP candidates can then use their understanding to effectively implement container security best practices. Along the way, they could earn up to 35% more than their peers who lack certification.