Container Security - Issues & Challenges
Until a few months ago, terms like Containers, Kubernetes and Docker would scare me, and I would hide away if somebody asked me a question about them. I was comfortable answering any question related to Cloud Security, except on 'Containers'.
Today, as CaaS plays a crucial role in Enterprise IT and has gained a lot of popularity in the last few years, it was time for me to study this topic and research the Container Security Products available in the market. I did a quick vendor comparison and found that while most vendors cover some, if not all, of the five key components of container security, i.e., Threat Detection, Continuous Visibility, Advanced Traceability, Build-Time & Run-Time Integration, and Continuous Audit and Compliance, there are still a lot of inefficiencies reported on Gartner Peer Insights.
As per Gartner, “Direct incremental revenue for container management will see rapid growth, reaching $944 million by 2024, with compound annual growth of 34%. Adopters will select from a variety of container management software and cloud service offerings, with varying growth characteristics and functionality.” With this increased adoption, improving container security architecture and automation has become even more critical.
So here are the findings I wanted to share via this blog. They may be helpful for somebody who is trying to identify the gaps in their existing product, find areas of improvement for existing features, is open to ideas for their next roadmap items, or is simply eager to learn more about Container Security Products in general.
According to existing customers, the current inefficiencies in container security products are:
1. Web Application and API Security
2. GUI – A Windows agent is still missing. Even the most sophisticated tools do not offer a Windows-based GUI, and the system can monitor only 50-70 VMs at one time. Having to add users through the CLI is another concern that was raised. There is minimal control through the GUI at the endpoint, i.e., the client interface allows little interaction because most controls are command-line driven.
3. Service and Support for Alerts - The alerting system generates a lot of false positives, which creates additional overhead for organizations. Many solutions in the market do not even have service or support available for alerts, and those that do often provide no context or links explaining what the alert was about. Formatting is also not possible when exporting reports.
4. Configuration Error Detection - There is room for improvement in event logging, especially for organizations that are sensitive about configuration-change logging. Log inspection also needs to be configured away from its defaults; if it is turned on in default mode it consumes a very large amount of database capacity.
5. File Integrity Monitoring (FIM) that allows the customer to filter out expected changes based on process lineage.
6. Dashboarding and Reporting were reported as a common concern for all the tools available in the market. Only limited customization of reports is available.
7. Malware Scanning - In most solutions, malware scanning and detection are only supported for Linux container images; Windows containers are not currently supported. Anti-malware modules also have a significant memory-consumption problem if not properly configured, which causes issues on assets with low CPU thresholds.
8. Compliance and Audit – Many customers are looking for a wide range of compliance policies and standards, such as HIPAA, NIST 800-190 and CIS, which are not available even from the leading vendors.
9. File Lock during scans feature – The ability to have the container files locked during scanning.
10. Missing support for .NET on Windows Core.
11. Security – Certificate signing is missing. Not all tools' consoles certify images before redeploying, i.e., mark images as clear of malware or vulnerabilities.
12. Self-Monitoring for Performance Data.
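As an added illustration of the process-lineage filtering described in item 5 (example code written for this post, not taken from any vendor product): a minimal FIM post-filter that suppresses a file change only when both the path and the writer's process ancestry match a hypothetical allow rule, run over constructed sample events.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FileChangeEvent:
    """One FIM event: the path written and the process ancestry of the writer,
    ordered from the container's root process down to the writing process."""
    path: str
    lineage: tuple


# Hypothetical allow rules (an assumption for this example): a path prefix and the
# contiguous ancestry chain that is expected to produce changes under it.
EXPECTED_LINEAGES = (
    ("/usr/lib/", ("apt-get", "dpkg")),   # package upgrades by the package manager
    ("/var/log/", ("rsyslogd",)),         # log writes by the syslog daemon
)


def lineage_contains(lineage, expected):
    """True if `expected` appears as a contiguous run inside `lineage`."""
    n = len(expected)
    return any(tuple(lineage[i:i + n]) == tuple(expected)
               for i in range(len(lineage) - n + 1))


def is_expected_change(event):
    """A change is expected only when BOTH the path and the lineage match a rule;
    a matching path written by an unexpected process still raises an alert."""
    return any(event.path.startswith(prefix) and lineage_contains(event.lineage, chain)
               for prefix, chain in EXPECTED_LINEAGES)


def filter_alerts(events):
    """Drop expected changes; everything left is worth an analyst's attention."""
    return [e for e in events if not is_expected_change(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    FileChangeEvent("/usr/lib/libssl.so.3", ("containerd-shim", "bash", "apt-get", "dpkg")),
    FileChangeEvent("/usr/lib/libssl.so.3", ("containerd-shim", "sh", "curl")),
    FileChangeEvent("/var/log/syslog", ("containerd-shim", "rsyslogd")),
    FileChangeEvent("/etc/passwd", ("containerd-shim", "bash", "apt-get", "dpkg")),
]

if __name__ == "__main__":
    for alert in filter_alerts(SAMPLE_EVENTS):
        print(f"ALERT {alert.path} written by {' > '.join(alert.lineage)}")
```

Of the four constructed events, only the library overwritten by curl and the change to /etc/passwd survive the filter; the package-manager and syslog writes are suppressed.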
There also needs to be a shift in your security strategy to stay focused on runtime security. It can be tempting to relax once you feel confident that you scanned for all the vulnerabilities before putting a container into production, but threats such as zero-day attacks are always looming.