How to apply zero-trust models to container security
Containers have become a common fixture in software development, but they have resulted in new concerns for security teams. Is zero-trust the answer to tackling them?
Organisations are increasingly replacing archaic software development approaches with containers, which allow them to develop, deploy and scale applications much more quickly than traditional methods.
But despite these benefits, containers are not perfect. Their adoption has also resulted in new challenges for security teams, particularly around data protection, container image vulnerabilities, cyber attacks, unauthorised access and a whole host of other risks. Could zero-trust models mitigate these? And if so, how can organisations apply them to container security?
Although containers provide greater efficiency and scalability for development teams, they can have significant implications for security. Often, traditional perimeter-centric security models are not suitable and new approaches are needed.
Kevin Curran, IEEE member and professor of cyber security at Ulster University, says: “The dynamism of containers can cause problems for traditional security environments, due to the complexity involved in networks, overlays and dynamic IPs, mixed with the limitations of traditional firewalls which struggle to identify nefarious activity.”
But that is where zero-trust security models can help. Curran explains that when combined with policies based on identities of workloads, they allow enterprises to build a picture of what is communicating over their network. “Here, zero-trust based on identity can prevent compromised workloads from communicating as each identity will not be recognised,” he tells Computer Weekly.
“The need for a zero-trust security model has arisen in part because enterprises no longer tend to host data in-house, but rather through a variety of platforms and services that reside both on- and off-premise, with a host of employees and partners accessing applications via a range of devices in diverse geographical locations. This means the traditional security model is no longer fit for purpose.”
Curran says zero-trust security can be implemented by updating network security policies, validating each device logging into the network, securing networks with a combination of network, perimeter and microsegmentation, implementing multifactor authentication and conducting periodic reviews of user access.
He adds: “The main applications for zero-trust security require new approaches, such as using network/microsegmentation based on users and locations. It also requires enforcement of identity and access management [IAM], next-gen firewalls, orchestration, multifactor authentication and file system permissions.
“Ideally, this is something that is done slowly in steps, as it entails pilot projects and tweaks in a lab environment before deploying. It is crucial to ensure that the zero-trust infrastructure is seamless for employees.”
Catalyst for zero-trust
Many experts believe the need for zero-trust security models is growing along with the increased adoption of containers across the enterprise landscape. Neil Thacker, CISO of software firm Netskope, agrees with Curran that such models are paramount for security teams deploying containers.
Thacker says: “Cloud-based applications and container-based applications – not to mention cloud-based, container-based applications – are a further catalyst for interest in zero-trust network access [ZTNA], specifically because of the disregard both cloud apps and containers have for traditional perimeter approaches to security.”
He says security teams need consistent security controls across all applications as a fundamental rule, regardless of whether they are based on a traditional stack, are virtualised or hosted in containers.
“While security must not stand in the way of the inherent benefits of containers, such as portability, the controls and methods of securing access to containers are key,” says Thacker. “Firewalls aren’t useful because they are not app-aware, and even next-gen firewalls that apply controls to the application layer still require illogical network arrangement and overly permissive security policies to account for the rapid changes of network IP addresses within containers.
“This is why cloud-based ZTNA appeals to organisations, because instead of restricting connectivity and restricting the potential benefits that containers offer, ZTNA can prioritise the application, however and wherever it is hosted.”
Making containers impenetrable
Containers may be a powerful tool for developers, but they are becoming a security nightmare as cyber criminals increasingly target them. By gaining unauthorised access to containers, hackers can cause all sorts of mischief, potentially across a large virtual environment.
David Warburton, senior threat evangelist at application threat specialist F5 Labs, says: “If an attacker can leverage vulnerable code within a container, they may be able to impersonate that service and access data never intended to be made available. Decades-old vulnerabilities, such as injection attacks, apply just as much to modern code running inside a container as they do traditional, monolithic apps.
“The difference now is that containers, and the microservices they provide, have exponentially increased the surface area available for attack, putting data at greater risk. In addition, network-related problems, such as access control, load balancing and monitoring, that had to be solved just once for a monolith application, must now be handled separately for each service within a cluster.”
By applying zero-trust models, security teams can mitigate these threats. Warburton adds: “A key tenet of zero-trust is that every single request should be secured, regardless of who or where it came from. This model needs to be applied to containers so that all communications are encrypted, even those between internal services.”
To prevent unauthorised access, organisations must enforce strong authentication mechanisms for their containers. “Mutual digital certificates should be used to ensure only trusted containers can communicate with one another. Finally, strong, role-based access control is needed to ensure only authorised users and services are performing actions that they have explicitly been given permission for,” says Warburton.
“Create a service mesh for security to be handled in a more efficient way by combining security and operations capabilities into a transparent infrastructure layer that sits between the containerised application and the network. Emerging today to address security in this environment is the convergence of the zero-trust approach to network security and service mesh technology.”
Sandy Carielli, principal analyst at market research company Forrester, warns of a disconnect between developers adopting containers and security teams left to pick up the pieces. She says: “Development teams are eager to adopt containers due to their scalability and cost-efficiency, but one of the realities is that dev makes the containerisation decision, and then security finds itself going along for the ride and figuring out the security implications and requirements.”
Overstuffed images, in particular, are a major challenge in container security, says Carielli. “Developers typically pull images from repositories, and those images contain more tools, features and permissions than the developer needs for their particular use case,” she explains.
“However, dev teams rarely have time to scale down the image to just the essentials. DevSecOps teams need to set time aside to look at the images they are using and remove the functions and permissions that they don’t need. As a basic example, don’t run containers with root permissions.”
Carielli says microsegmentation is another aspect of zero-trust that applies to containers. “Organisations leverage application microsegmentation tools to evaluate both north-south and east-west traffic and manage the flow of data among application components – these could be containers, APIs or serverless functions,” she says.
“Runtime container security tools map the flow of data between containers, allow you to set policy on how containers interact, and can spin down containers that unexpectedly change configuration.”
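As an added illustration of the two points above (not code from the article or from any of the firms quoted in it), a small Python check over constructed Kubernetes manifests: a pod left with defaults, which runs as root with full capabilities, beside a hardened version of the same workload, plus a test for the default-deny NetworkPolicy that microsegmentation starts from. The pod names, namespace and image tags are assumed.

```python
# Constructed manifests: a pod left with defaults (root, full capabilities),
# the same workload hardened, and a default-deny NetworkPolicy for its namespace.
ROOT_POD = {
    "kind": "Pod", "metadata": {"name": "web-root", "namespace": "shop"},
    "spec": {"containers": [{"name": "web", "image": "nginx:latest"}]},
}
HARDENED_POD = {
    "kind": "Pod", "metadata": {"name": "web-hardened", "namespace": "shop"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "web", "image": "nginx:1.25",
            "securityContext": {"privileged": False, "allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["ALL"]}},
        }],
    },
}
DEFAULT_DENY = {
    "kind": "NetworkPolicy", "metadata": {"name": "default-deny", "namespace": "shop"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
}


def pod_findings(pod: dict) -> list:
    """List least-privilege violations for one Pod manifest."""
    findings = []
    pod_sc = pod["spec"].get("securityContext", {})
    for c in pod["spec"]["containers"]:
        sc, name = c.get("securityContext", {}), c["name"]
        # Container-level settings override pod-level ones; when both are absent
        # the image's own default user (usually root) applies.
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if uid == 0 or (uid is None and not non_root):
            findings.append(f"{name}: runs as root")
        if sc.get("privileged"):
            findings.append(f"{name}: privileged")
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes default is true
            findings.append(f"{name}: allows privilege escalation")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: keeps default capabilities")
    return findings


def has_default_deny(manifests: list, namespace: str) -> bool:
    """True if a NetworkPolicy selects every pod in the namespace and allows no traffic."""
    for m in manifests:
        if m["kind"] != "NetworkPolicy" or m["metadata"]["namespace"] != namespace:
            continue
        spec = m["spec"]
        if (spec.get("podSelector") == {} and not spec.get("ingress")
                and not spec.get("egress")
                and {"Ingress", "Egress"} <= set(spec.get("policyTypes", []))):
            return True
    return False
```

A default-deny policy is only the baseline; each service still needs explicit allow rules for the flows it legitimately uses, and this check confirms the baseline exists rather than that those allow rules are right.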
Creating an effective security strategy for containers
When deploying containers, organisations are effectively exposing themselves to myriad security problems that must be mitigated if they want to get the most out of these technologies.
Benoit Heynderickx, principal analyst at the Information Security Forum, says: “The lightweight nature of containers removes the need for traditional IT infrastructure security controls such as a constant patching cycle and the extreme reliance on the firewall for protecting a network-based perimeter.
“But it brings new types of risks due to the rapid lifetime of containers, while adding increased networking complexities and placing emphasis on the need to apply secure design principles early on, such as secure coding practices.”
With a zero-trust model, organisations can ultimately create an effective security strategy for containers, says Heynderickx. “By focusing on authenticated identities, least privilege principle, defined microsegmentation, traffic monitoring and logging, the model relies on the principle of ‘never trust, always verify’.
“This is a paradigm shift from traditional security models and can only be addressed by deploying it in a phased and defined manner, focusing on specific groups of applications, such as the most sensitive ones for a start.”
Heynderickx says organisations applying zero-trust models to container security should be supported by strong coding practices for all application development activity. This, he says, will put the organisation in a strong position to respond to the growing demand from developers to use rapid deployment platforms such as application containers.
Heynderickx adds: “Modern businesses can therefore benefit from using agile development technologies to deploy secure applications in a fast manner for their demanding customers.”
Understandably, organisations want to roll out new software quickly and efficiently to stay ahead of the curve and achieve competitive advantage. So containers are the perfect answer. However, their adoption has resulted in clear security challenges, and it is crucial that firms take steps to address these if containers are to return value on investment. Therefore, developers must work with security teams when they look to adopt and use containers.