As enterprises move to the cloud at an accelerating pace, cloud native technologies represented by containers, microservices and dynamic orchestration have given a strong impetus to business innovation. However, because containers share the host operating system kernel, a container is only a set of processes running on the host machine, and its security, especially its isolation, lags behind that of a traditional virtual machine. As applications are containerized and moved onto K8S, a large number of security risks based on container platforms have been exposed in recent years, and how to guarantee container security has become one of the issues enterprises care about most.

On July 9, Tencent Security officially released Tencent Cloud Container Security Service (TCSS). TCSS provides enterprises with container asset management, image security, runtime intrusion detection and other security services, protecting the whole container life cycle from image build and storage to runtime, and helping enterprises build a container security protection system.



(TCSS helps build native and reliable container application security system)

01

Container status in the cloud native era

Containers are one of the cornerstones of cloud native. As a computing unit, a container runs directly on the host kernel in the cloud native environment, occupies few system resources, and supports large-scale automated deployment and strong elastic scaling. In addition, containerization makes rapid integration and deployment possible in the development process, which greatly improves the efficiency of application development and program operation.

Therefore, more and more enterprises choose to use a container architecture in production. According to the “2020 China Cloud Native User Report” (hereinafter “the report”), more than 60% of users already use container technology in production environments, and 43% of users have applied container technology to non-core production environments.

However, because of characteristics such as weak isolation and short lifetimes, containers have become easy targets for network attacks. A 2019 Tripwire survey of 311 IT security professionals found that 60 percent of organizations had experienced container security incidents, and the report’s data shows that 63 percent of users consider container security an urgent need.

02

Common container security risk scenarios

Runtime risk

Containers share the host operating system kernel, and a defect in isolation can lead to container escape. Container escape is a container-specific security problem that directly affects the security of the underlying infrastructure. Escapes fall into three categories: the first is escape caused by improper configuration, such as allowing sensitive directories to be mounted; the second is container design bugs, such as the runc container escape vulnerability; the third is escapes caused by kernel bugs, such as Dirty COW.

Image risk

An image is the static representation of a container, and the runtime security of a container depends on the security of its image. Container images downloaded from official channels or open source communities may contain various third-party libraries and system applications, and those libraries and applications may carry vulnerabilities, Trojans or backdoors, so they pose significant security risks.

At the same time, a container image may be tampered with during storage and use, for example by having a malicious program implanted or its contents modified. Once a container is created from a maliciously tampered image, the security of the container and of the application is affected.

Operating environment risk

As the carrier of containers and the orchestration management software respectively, the host and the container orchestration platform are also important factors in container security. The security of the entire container environment is affected if the host has vulnerabilities or a non-standard configuration, if the environment around the container software is configured improperly, or if the orchestrator application is configured improperly.

For example, Tesla’s K8S cluster on Amazon was compromised in 2018 because the cluster console was not password protected. After the intrusion, the attacker found AWS access credentials in a Pod and used those credentials to obtain Tesla’s sensitive information.

03

The Tencent TCSS solution escorts container security on the cloud

To solve the container security problem, Tencent Security, drawing on more than 20 years of practical network security experience, has launched Tencent Cloud Container Security Service (TCSS), which covers container asset management, image security, runtime intrusion detection and more. Through four core capabilities, asset management, image security, runtime security and security baseline, it protects the whole container life cycle and helps enterprises quickly build a container security protection system.

Asset management

The TCSS container security service provides an automatic, fine-grained asset inventory that quickly counts key assets such as containers, images, image repositories and hosts in the running environment, helping enterprises make their assets visible. At present, the TCSS asset management module supports statistics for 9 kinds of asset information.



(Core product function: asset management)

Image security

The TCSS container security service provides “one-click detection” and “scheduled scan” for images and image repositories, supporting multi-dimensional security scans for security vulnerabilities, Trojans and viruses, sensitive information and so on. For sensitive information, it can detect leakage events including startup as root, code leakage and authentication information leakage, so as to prevent sensitive information from leaking.



(Core product features: Image security)

The container security anti-virus engine and vulnerability engine, independently developed by Tencent on top of Tencent’s strong security data foundation, share the Tencent Housekeeper virus database and vulnerability database, while maintaining malicious-sample exchange and cooperation with traditional anti-virus vendors, which gives strong support to security data detection. The security vulnerability database includes all CVE vulnerability databases, open source and commercial intelligence databases, and the Tencent security laboratory vulnerability databases. Trojan and virus detection is based on Tencent Cloud’s nationwide library of 10 billion samples, covering a large number of virus, Trojan, botnet and other malicious code samples.

Tencent’s self-developed TAV engine efficiently detects and removes binary Trojans and viruses, has passed certification by a number of international third-party evaluation agencies, and achieves a virus detection rate of 100%. Strong basic capabilities and a comprehensive cooperation ecosystem ensure the continuous evolution of TCSS and continued image security support.

Runtime security

To guarantee container runtime security and enable immediate warning and response to intrusion behavior, the various indicators of the container at runtime must be monitored in real time. The runtime security detection functions of the Tencent Cloud container security service include multi-dimensional intrusion detection engines for container escape, reverse shells, abnormal processes, file tampering, high-risk system calls and so on.

Among them, abnormal process, file tampering and high-risk system call detection belong to the advanced defense functions. Through rich built-in and user-defined inspection rules, they monitor in real time abnormal process startup behavior, file access that violates security policy, and Linux system calls issued by the container that may pose security risks, and then issue a real-time warning notice or intercept the behavior.
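The following is an added illustration of how rule-based runtime checks of this kind work, not code from TCSS: a few detection rules (shell spawned by a service process, shell attached to a socket, writes to protected paths, high-risk syscalls) are run over a constructed stream of container events, and each hit is mapped to either a warning or an intercept. The event shape, the rule thresholds and the alert-versus-block mapping are assumptions made for the example.

```python
# Added illustration of rule-based runtime checks; not TCSS code.
# Event shape (container, type, fields) and the sample events are constructed.

SERVICE_PARENTS = {"nginx", "java", "php-fpm", "node", "python"}  # should not spawn shells
SHELLS = {"sh", "bash", "dash", "zsh"}
PROTECTED_PATHS = ("/etc/passwd", "/etc/shadow", "/etc/cron", "/usr/bin/", "/usr/sbin/")
HIGH_RISK_SYSCALLS = {"ptrace", "mount", "init_module", "finit_module", "setns", "unshare"}

# Response per rule: "alert" sends a notice, "block" intercepts the action.
# Which rule gets which response is an assumption for this example.
ACTIONS = {"abnormal_process": "alert", "reverse_shell": "block",
           "file_tampering": "block", "high_risk_syscall": "alert"}


def evaluate(event):
    """Return the rule names one event triggers (an event may trigger several)."""
    hits = []
    if event["type"] == "exec":
        is_shell = event["comm"] in SHELLS
        if is_shell and event["parent"] in SERVICE_PARENTS:
            hits.append("abnormal_process")      # a service process launched a shell
        if is_shell and event.get("stdio") == "socket":
            hits.append("reverse_shell")         # shell stdin/stdout attached to a socket
    elif event["type"] == "write" and event["path"].startswith(PROTECTED_PATHS):
        hits.append("file_tampering")
    elif event["type"] == "syscall" and event["name"] in HIGH_RISK_SYSCALLS:
        hits.append("high_risk_syscall")
    return hits


def scan(events):
    """Map a stream of events to (container, rule, action) findings."""
    return [(e["container"], rule, ACTIONS[rule]) for e in events for rule in evaluate(e)]


SAMPLE_EVENTS = [  # constructed sample telemetry
    {"container": "web-1", "type": "exec", "comm": "bash", "parent": "java"},
    {"container": "web-1", "type": "exec", "comm": "sh", "parent": "bash", "stdio": "socket"},
    {"container": "web-1", "type": "write", "path": "/etc/cron.d/update"},
    {"container": "db-2", "type": "syscall", "name": "ptrace"},
    {"container": "db-2", "type": "exec", "comm": "ls", "parent": "bash"},
    {"container": "db-2", "type": "write", "path": "/tmp/cache.db"},
]

if __name__ == "__main__":
    for container, rule, action in scan(SAMPLE_EVENTS):
        print(f"{container}: {rule} -> {action}")
```

The benign events (an `ls` from a shell, a write under `/tmp`) produce no findings, which is the point of keeping the rules tied to parent process, file path and syscall name rather than to process names alone.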



(Core product features: runtime security)

Security baseline

Based on the security baseline function provided by TCSS, containers, images, hosts and the Kubernetes orchestration environment can be checked regularly against a security baseline, helping the container environment reach compliance, avoiding security problems caused by configuration defects, and reducing the attack surface.

At present it supports detection in four dimensions, “container, image, host and K8S”, to help customers find security problems caused by improper configuration of the container operating environment.
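As an added example of the K8S dimension of such a baseline check (not TCSS code), the function below inspects a Kubernetes pod spec for the configuration defects the article names, sensitive host directory mounts, privileged containers, shared host namespaces and running as root, and reports each as a severity-tagged finding. The list of sensitive host paths, the severities and the two pod specs are constructed for the example.

```python
# Added illustration of a configuration baseline check over a Kubernetes pod spec; not TCSS code.
# The sensitive-path list, severities and both pod specs below are constructed.

SENSITIVE_HOST_PATHS = ("/etc", "/proc", "/sys", "/root", "/var/run/docker.sock", "/var/lib/kubelet")


def under_sensitive(host_path):
    """True if host_path is the host root or is, or lies under, a sensitive host directory."""
    host = host_path.rstrip("/") or "/"
    return host == "/" or any(host == p or host.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def check_pod(pod):
    """Return (severity, message) findings for one pod spec dict."""
    findings = []
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    spec = pod.get("spec", {})
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(("high", f"{name}: {flag} shares a host namespace"))
    volumes = {v["name"]: v for v in spec.get("volumes", [])}
    pod_user = spec.get("securityContext", {}).get("runAsUser", 0)
    for c in spec.get("containers", []):
        cname, sc = c.get("name", "<unnamed>"), c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(("critical", f"{name}/{cname}: privileged container"))
        if sc.get("allowPrivilegeEscalation", True):  # API default is True
            findings.append(("medium", f"{name}/{cname}: allowPrivilegeEscalation not disabled"))
        if sc.get("runAsUser", pod_user) == 0 and not sc.get("runAsNonRoot"):
            findings.append(("medium", f"{name}/{cname}: runs as root"))
        for m in c.get("volumeMounts", []):  # hostPath volumes reach the host filesystem
            host = volumes.get(m.get("name"), {}).get("hostPath", {}).get("path")
            if host and under_sensitive(host):
                mode = "read-only" if m.get("readOnly") else "read-write"
                findings.append(("critical", f"{name}/{cname}: host path {host} mounted {mode}"))
    return findings


WEAK_POD = {"metadata": {"name": "web"}, "spec": {  # constructed: several defects
    "hostPID": True,
    "volumes": [{"name": "dock", "hostPath": {"path": "/var/run/docker.sock"}},
                {"name": "logs", "hostPath": {"path": "/var/log/app"}}],
    "containers": [{"name": "app", "securityContext": {"privileged": True},
                    "volumeMounts": [{"name": "dock", "mountPath": "/var/run/docker.sock"},
                                     {"name": "logs", "mountPath": "/logs", "readOnly": True}]}]}}

HARDENED_POD = {"metadata": {"name": "web"}, "spec": {  # constructed: same pod, corrected
    "volumes": [{"name": "logs", "hostPath": {"path": "/var/log/app"}}],
    "containers": [{"name": "app",
                    "securityContext": {"privileged": False, "allowPrivilegeEscalation": False,
                                        "runAsNonRoot": True, "runAsUser": 10001},
                    "volumeMounts": [{"name": "logs", "mountPath": "/logs", "readOnly": True}]}]}}
```

`check_pod(WEAK_POD)` reports five findings, two of them critical, while the corrected spec reports none; a real scanner would walk every workload in the cluster the same way.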

04

Three advantages support basic security in the cloud native era

The TCSS container security service adopts a hyper-converged architecture, supports easy installation and lightweight deployment, and helps customers set aside container security concerns and focus on their core business.

TCSS strictly limits the resources occupied by its Agent. When the load is too high, it actively degrades to keep the system running normally; when the load is normal, its consumption is extremely low. Measurements show CPU usage below 5% and memory usage of 30 MB. TCSS is compatible with CentOS, Debian, RedHat and other mainstream operating systems, can be deployed with one click, and upgrades itself automatically online. Once installed, it is maintenance-free for its lifetime, so customers are worry free throughout the whole process.

TCSS is empowered by Tencent Cloud’s powerful intelligence and threat perception capabilities. Tencent has the world’s largest and most comprehensive database of black and gray industry (cybercrime) activity. The TCSS container security service uses the Tencent security database to run correlation analysis on malicious program samples found in the container environment and to perceive threat behavior in the container environment based on threat intelligence. A Tencent security expert team of more than 3,500 people focuses on Tencent Cloud security construction, backing the service with practical strength.

Traditional security systems adapt poorly to the public cloud, cannot effectively detect new forms of threat, and lack automated response and handling. At present, Tencent TCSS has been applied in many industries, helping customers overcome the difficulty of inventorying the many types and large quantities of assets on the cloud, and greatly improving customers’ cloud security level and the efficiency of security operations and management.

In the cloud native environment, the proportion of enterprises delivering applications through microservices keeps increasing, and container security has become an indispensable part of cloud security. In the future, Tencent Security will continue to improve its one-stop container security solution and promote the construction of a cloud native security ecosystem across the industry, providing more comprehensive protection for customers’ application security.

Click “Tencent Cloud Container Security Service internal test” to make an appointment and apply for the internal test of Tencent Cloud Container Security Service.