Containerization Security: What Security Pros Need To Know: Diana Kelley and Ed Moyle

Containerization Security: What
security pros need to know

Diana Kelley and Ed Moyle
Key Points
Containers are literally redefining the technology landscape:

In the datacenter
Among development teams
In the cloud, can be hidden gotchas
Segmentation issues
Management issues
Being aware of these areas can help you prepare for them
Helps in prep as new areas of usage are discovered
Areas for possible tool or process investment
Copyright 2016 Information Systems Audit and Control Association, Inc. All rights reserved.
Agenda
Level-set on containers
Container wins and success stories
Cloud security impacts
Minimizing risk
Container Level-set
Segmented virtual environment

Provides an area within which applications
can execute without interfering with each
other
Can contain middleware, libraries,
configuration, etc.
Conceptually similar to chroot, jail
filesystems, lpars, etc.
Examples
Containers
Orchestration
How it works
Source: dotCloud
Comparison with virtual machines
Source: ZDNet
Drivers
Decreases development time due

to migration of containers between
environments
Increases allocation density in the
DC
Source: WorkAsOne.com (as a function of search interest)

Cloud Integration
Native support; examples:
Docker Cloud
dotCloud
Tutum
StackDock
Abstract (virtual) support; examples:

Cloud Foundry (Warden instances via Diego)
Success Story #1
Success story: Flux7*
Scenario:
Bug in production code push results in site-wide outage
Outcomes:
Admins created dev container sandbox to debug (~60 seconds, 2
commands)
Dev located issue easily because of ease in reproducing issue (~20
minutes)
Snapshot allowed near-instant restore to patch
*Excerpted from: http://blog.flux7.com/blogs/docker/docker-saves-the-day-at-flux7
Success Story #2
Success story: Orbitz*
Scenario:
250 services, focus on SEO and SEM landing pages
Multiple environments, multiple dev teams; increased focus on
microservices
Outcomes:
Achieved consistency between environments
Decrease in delivery time from 2 weeks to 10 minutes
*Excerpted from: https://www.docker.com/customers/orbitz-enables-continuously-deployed-microservices-docker
The fine print
A few things to keep in mind, particularly in cloud-based usage

Attacks against containers (possible now, will likely get better as
technology matures)
Issues at scale; weve solved them before, now theyre back
Container security
At level of individual containers,

some security impacts of note
E.g. namespaces
Segmentation issues
See Containers dont Contain
from Dan Walsh
Not our focus today, but useful for
pros to know about
Source:
http://www.maritimenz.govt.nz/images/Inci
dent-area/Rena7.jpg via Dan Walsh
Challenges at scale
Technical Challenges
Sprawl
Sleeper Cells
Unexpected re/allocation or movement
Compounded complexity
Process
Regulatory/Compliance
Entitlements
Sprawl
Remember this?
Now its this:
Source: Netflix
Cases and Impacts
Causes:
Proliferation of containers with no clear understanding of how or
when theyll go away
Lack of controls over who/how/when containers can get created,
moved, copied, or duplicated
Impacts:
Exponential decrease in ability to manage environment (without
automation)
Performance issues
Asset management challenges
Sleeper cells
Old, non-maintained containers

Stale libraries
Old code
Overlapping/redundant with other instances
Whos maintaining this stuff?

If you dont know or cant find out, watch out
Source: ABCNews
Causes and impacts
Causes:
Lack of management over what containers are fielded, what they
do, and whats on them
Unclear processes for maintenance and hygiene
Impacts:
Challenges enforcing security of/on specific containers
Potential security vulnerabilities in individual applications
Reallocation (and movement)
Containers can migrate from host

to host
Can be duplicated, mirrored,
destroyed
Seemingly minor changes can
have asymmetric impact when
coupled with a change in
environment or context
I knew who I was this morning, but

I've changed a few times since
then.
-Cheshire Cat
Causes and impacts
Causes:
Lack of process around movement/modification of containers in
specific environments
Unclear maintenance/control processes
Impacts:
Asset management issues
Challenges maintaining reliable inventory
Difficulty deploying/maintaining security controls for specific
applications
App
Compounding complexity
Container
Virtual Host
Physical Host
Causes and impacts
Causes:
Intersection between existing technologies and containers:
Cloud (hybrid, private), virtualization, DC

consolidation, colocation, etc.
Impacts:
Difficulty managing the environment
Control selection, implementation,

operation, etc made more difficult
Process issues
Regulatory and compliance challenges

Caused by complications of containers changing or in mixed zones
Causes potential regulatory and audit impacts
Entitlements
Proliferation of entitlements within individual containers
Issues with access, segregation of duties, user enforcement
Licensing
Specific software licensing not being adapted to a containerized
environment
Potential violation of licensing models
Getting a leg up
Things you can do right now:
Lock down containers

Beware multi-tenancy
Consolidate inventory
Discovery
Lock down individual containers
Challenges are lessened if individual

containers are hardened and locked down
Resources section at the end with links for how
to do this
Useful first step, but will not get you all the way
there
Multi-Tenancy
Understand attacks against

segregation in a container context
You may choose to limit multi-tenancy
situations (e.g. public cloud) for
critical/sensitive apps until you have
assessed, implemented controls
Inventorying
Just like you would for physical or virtual

hosts, build out a reliable inventory
What is it purpose and function; whats
on it
Where is it physically and logically
Who owns it contact point for issues
Incorporate processes for keeping this

maintained and accurate
Discovery
Automated discovery can help gather information

about what containers are out there
Service discovery features can help here
Tools vary depending on stack
Be aware of discovery features on platform/s
you are using
etcd
consul
Zookeeper
doozerd
Source: United States Geological
Survey Museum
Summary
Summary
Containers can have tremendous utility and business value

However, issues at scale mirror challenges weve overcome in
the virtualization world
By becoming educated on these issues and taking a few steps
now, you can help to mitigate these issues before they become
problematic
Resources
Dan Walsh Articles: http://www.projectatomic.io/blog/author/dwalsh/

Docker Security Portal: https://www.docker.com/docker-security
Introduction to Container Security:
https://d3oypxn00j2a10.cloudfront.net/assets/img/Docker%20Security/WP_I
ntro_to_container_security_03.20.2015.pdf
CIS Docker Benchmark: https://benchmarks.cisecurity.org/downloads/showsingle/index.cfm?file=docker16.100
DevOps and Container Security:
http://csrc.nist.gov/news_events/cif_2015/research/day1_research_430530.pdf
ISACA Containerization Guidance

Containerization Security: What Security Pros Need To Know: Diana Kelley and Ed Moyle

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Containerization Security: What Security Pros Need To Know: Diana Kelley and Ed Moyle

Uploaded by

Copyright:

Available Formats

Containerization Security: What

security pros need to know

Containers are literally redefining the technology landscape:

Segmented virtual environment

Comparison with virtual machines

Decreases development time due

Source: WorkAsOne.com (as a function of search interest)

Native support; examples:

Abstract (virtual) support; examples:

Success story: Flux7*

*Excerpted from: http://blog.flux7.com/blogs/docker/docker-saves-the-day-at-flux7

Success story: Orbitz*

*Excerpted from: https://www.docker.com/customers/orbitz-enables-continuously-deployed-microservices-docker

The fine print

A few things to keep in mind, particularly in cloud-based usage

At level of individual containers,

Now its this:

Cases and Impacts

Old, non-maintained containers

Whos maintaining this stuff?

Causes and impacts

Reallocation (and movement)

Containers can migrate from host

I knew who I was this morning, but

Causes and impacts

Causes and impacts

Cloud (hybrid, private), virtualization, DC

Control selection, implementation,

Regulatory and compliance challenges

Things you can do right now:

Lock down containers

Lock down individual containers

Challenges are lessened if individual

Understand attacks against

Just like you would for physical or virtual

Incorporate processes for keeping this

Automated discovery can help gather information

Containers can have tremendous utility and business value

Dan Walsh Articles: http://www.projectatomic.io/blog/author/dwalsh/

You might also like