A pair of reports published by Palo Alto Networks makes it apparent that the biggest issue in container security is not how secure the containers are, but rather how they are configured.
Unit 42 researchers within Palo Alto Networks plugged simple search terms into a Shodan search engine to discover 20,353 Kubernetes containers globally, along with another 23,354 Docker containers. Jen Miller-Osborn, deputy director of Unit 42 threat intelligence at Palo Alto Networks, says the number of containers means the probability one of them is likely to be misconfigured is high. Of course, misconfigurations have been the bane of IT existence for as long as most IT professionals can remember. The high number of containers increases the odds that something can go wrong.
Docker Inc., for example, recently lost the keys and tokens for 190,000 Docker Hub accounts because an attacker exploited weak security configurations of key and token storage within a cloud environment. Ladders, an online employment services, leaked more than 13 million user records because of a basic container misconfiguration.
The second research paper from Palo Alto Networks advises organizations to be careful how they deploy containers because the separation between containers and the host operating system they run is not as strong as it should be. The report notes there are now four projects that rearchitect the boundary between containers and the host operating system. Those four projects include IBM Nablam, which builds containers on top of Unikernels; Google gVisor, which creates a specialized guest kernel for running containers; Amazon Firecracker, which relies on an extremely lightweight hypervisor for sandboxing applications; and a Kata initiative from the OpenStack Foundation, which places containers in a specialized virtual machine optimized for container orchestration platforms.
It remains to be seen whether any of these approaches will gain traction. Many organizations simply prefer to deploy containers on existing virtual machines regardless of their size to ensure isolation. However, the size of the container stack ends up being much larger than it needs to be.
Miller-Osborn notes now that containers are starting to achieve critical mass in the enterprise, they are drawing more attention from cybercriminals. In fact, mainstream adoption of containers is one of the primary reasons Palo Alto Networks cited for acquiring Twistlock, a provider of a container security platform. The Twistlock offering will make it possible for Palo Alto Networks to collect a lot more telemetry about the container environment, she says.
In the meantime, she adds, organizations should not assume containerized applications are any more or less secure than legacy monolithic applications. Each platform presents different cybersecurity issues and challenges that need to be addressed. The biggest advantage containers may have over legacy monolithic applications is that once an issue is exposed, the process of ripping and replacing any offending containers is a lot faster than trying to patch a monolithic application. And when it comes to cybersecurity attacks, most organizations already know all too well that every second counts.