More than once, container security failures have allowed attackers to wipe corporate data.

Some time ago, while NewsBlur was migrating its MongoDB cluster to a Docker container, an attacker gained access to the database, deleted 250 GB of raw data and demanded a ransom of 0.03 BTC from Samuel Clay, the founder of NewsBlur.

A problem of the same nature had been reported to Docker by developers as a “serious error” as early as 2014, but it has not been fixed. As more and more organizations build their business on container technology, security vulnerabilities in containers and container orchestration platforms are constantly being dug out by attackers, and container security has become something that anyone building on containers must take into account.

Looking at the short history of computing, each evolution of IT technology brings not only efficiency gains but also new security challenges. We are now in the third wave, a period of rapid development driven by cloud and container technologies. Although container adoption keeps rising, the corresponding security work still lags behind. In cloud native container scenarios, under pressure for rapid development and deployment, traditional perimeter-based security appears unable to meet the need and faces great challenges.

Cloud native is designed for the cloud, and the container has become the delivery standard

Cloud Native combines the words Cloud and Native. Cloud means the application lives in the cloud rather than in a traditional data center. Native means the application takes the cloud environment into account from the very start of its design: it is designed for the cloud, runs on the cloud, and makes full use of the elasticity and distributed nature of the cloud platform.

Matt Stine of Pivotal first proposed the concept of Cloud Native in 2013. In 2015, when cloud native was still new, Matt Stine in his book Migrating to Cloud-Native Application Architectures defined several characteristics of a cloud native architecture: twelve-factor applications, microservices, self-service agile infrastructure, API-based collaboration, and antifragility. In 2017, the cloud native architecture was summarized as modular, observable, deployable, testable, replaceable, and processable. By contrast, Pivotal’s latest website outlines four key points of cloud native: DevOps + Continuous Delivery + Microservices + Containers.



In 2015, the Cloud Native Computing Foundation (CNCF) was established. Initially, CNCF defined cloud native as: containerized packaging + automated management + microservice-oriented. In 2018, CNCF updated the cloud native definition to include Service Mesh and declarative APIs.

The rapid rise of cloud native architecture has brought technological change to enterprise infrastructure and application architecture. In the CNCF 2020 survey, 68% of organizations used containers in production, and the use of Kubernetes in production had grown to 82%. Containers have become the standard for cloud native application delivery, and Kubernetes has become the established container orchestration tool in China.

Container security challenges in cloud native scenarios

Facing the urgent need for rapid development and deployment, traditional perimeter-based security can no longer meet the requirements. Where traditional approaches focus on securing the perimeter, the more complex cloud native applications rely on the attributes and metadata of dynamic workloads to identify and protect them, so that protection follows the application as its architecture changes. Identifying and securing workloads this way adapts to the scale and rapid change of cloud native applications. This shift requires security-oriented architectural design (such as zero trust) and a more automated approach to the application security life cycle. At the same time, the security problems of the traditional domain still exist in the cloud environment: vulnerability exploitation, viruses and Trojans, DDoS attacks, data leakage, insider privilege abuse and so on. Cloud native characteristics such as multi-tenancy, lightweight isolation and fast elastic scaling also pose new challenges to traditional security.

1. Insecure images: An image is the collection of operating system and application files an application or service needs to run, and it is used to create one or more closely related containers. The security of the image therefore directly affects the security of the container. Depending on how an image is created and used, three factors generally affect image security:

A. Insecure base image: Images are usually created by developers on top of a base image. Whether the base image is a malicious image uploaded by an attacker or simply has security defects, every image built on it inherits the problem.

B. Use of software containing vulnerabilities: Developers routinely pull in third-party libraries and software. If these carry vulnerabilities or malicious code, they end up in the image and affect the security of the container.

C. Tampered images: A container image may be tampered with during storage and use, for example by implanting malicious programs or modifying its contents. Any container created from a tampered image compromises the security of both the container and the application.

2. Container technology risks: Container isolation depends on Linux kernel features, namely namespaces and cgroups. From the attacker's perspective, container escape and privilege escalation attacks can be mounted by exploiting kernel vulnerabilities, flaws in container runtime components, or insecure container deployment configurations. In recent years Kubernetes, Docker and other open source projects have also disclosed many high-risk vulnerabilities, which give attackers opportunities.

3. East-west traffic protection: The traditional enterprise application security model divides security boundaries according to the trust domains of the internal architecture, and east-west service interactions within a trust domain are considered safe. After moving to the cloud, however, enterprise applications must be deployed across the IDC and the cloud and interoperate between them. Once the physical security boundary disappears, how to build an enterprise-grade container security system under a zero-trust network model becomes an important problem that cloud service providers must solve. Take the Docker environment as an example: it supports Bridge, Overlay and MacVLAN networks, and although these are implemented differently, they share a common problem. If there is no effective isolation and control between containers, then once an attacker controls a host or a container, it can be used as a stepping stone to attack other containers on the same or other hosts (the so-called “east-west attack”), and may even be turned into a denial-of-service attack.

4. Access control: Because of the particular nature of the cloud environment, the risk of data leakage under a cloud native architecture is far greater than in a traditional one. It is therefore necessary to make full use of the authentication and authorization system of the cloud native platform, combine it with the application's own permission controls, and strictly follow the principle of least privilege when configuring access to cloud resources and the permissions of container applications. For example, avoid privileged containers unless they are truly required.
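As an added example (not HarmonyCloud code), the following Python script applies the least-privilege rules above to a Kubernetes Pod spec: it flags privileged containers, missing privilege-escalation and non-root restrictions, shared host namespaces, and images referenced by a mutable tag rather than a digest, which is how the image tampering risk in point C shows up in a deployment. The Pod spec and the registry name are constructed sample data.

```python
from typing import Dict, List

# Constructed sample Pod spec (JSON form, which Kubernetes also accepts):
# one risky container and one hardened one. The registry name is made up.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"},
    "spec": {
        "hostPID": True,
        "containers": [
            {"name": "legacy",
             "image": "registry.example.internal/app:latest",
             "securityContext": {"privileged": True}},
            {"name": "hardened",
             "image": "registry.example.internal/app@sha256:" + "0" * 64,
             "securityContext": {"privileged": False, "runAsNonRoot": True,
                                 "allowPrivilegeEscalation": False,
                                 "readOnlyRootFilesystem": True,
                                 "capabilities": {"drop": ["ALL"]}}},
        ],
    },
}

def check_pod(pod: Dict) -> List[str]:
    """Return one finding per violated least-privilege rule; [] if the Pod is clean."""
    findings = []
    spec = pod.get("spec", {})
    # Sharing a host namespace weakens the namespace isolation described above.
    for ns in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(ns):
            findings.append(f"pod: {ns}=true shares a host namespace")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, sc = c["name"], c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation not set to false")
        if not sc.get("runAsNonRoot"):
            findings.append(f"{name}: runAsNonRoot not set")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities not dropped")
        # A mutable tag can be re-pointed at a tampered image; a digest cannot.
        if "@sha256:" not in c.get("image", ""):
            findings.append(f"{name}: image not pinned by digest")
    return findings

if __name__ == "__main__":
    for finding in check_pod(SAMPLE_POD):
        print(finding)
```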

HarmonyCloud container security solution

The SEL Lab of Zhejiang University has carried out research on PaaS technology since 2011, and in 2015, representing the university, it co-founded CNCF together with Google as a founding member. Since its establishment, HarmonyCloud, which originated from the SEL Lab of Zhejiang University, has been committed to helping enterprises adopt cloud native technology. Based on more than 10 years of experience in delivering cloud native projects, it has proposed a container security solution for the cloud native era. To better cope with the security challenges of containerization, HarmonyCloud believes that an enterprise's container security should be protected dynamically and cover the whole life cycle of the container.

Infrastructure security: Containers are built on top of cloud platforms, and cloud platform security is the foundation of container security. Based on years of experience in container operation and maintenance and on community practice, HarmonyCloud has formed a complete set of hardened baseline configurations for containers and hosts to guarantee secure defaults for service components.

Supply chain security: DevSecOps concepts are integrated into the delivery process to shift security left. During image build, image vulnerability scanning, virus and Trojan scanning and webshell detection are performed. At the same time, images are signed to ensure that only trusted images enter the image repository and that images are not tampered with during distribution and deployment.

Runtime security: Known attacks are added to a container behavior blacklist and default protection rules are established. During CI/CD, a container behavior baseline is formed through self-learning; in production, the execution of system calls and executables outside the baseline is intercepted.
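As an added example, not HarmonyCloud's product logic, the Python below sketches the self-learning baseline just described: the executables observed per image during CI/CD form the baseline, and production events are blocked when they fall outside it or match a blacklist of known attack behaviour. The event format and all event lines are constructed sample data.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple
# Known attack behaviour for the blacklist, as (executable, argument substring).
BLACKLIST: List[Tuple[str, str]] = [
    ("/bin/sh", "-c"),             # ad-hoc shell command inside a service container
    ("/usr/bin/chmod", "+x /tmp"),  # making a dropped file in /tmp executable
]

def parse(line: str) -> Tuple[str, str, str]:
    """Hypothetical sensor format: '<image> <executable> <arguments...>'."""
    image, exe, *argv = line.split()
    return image, exe, " ".join(argv)

def learn_baseline(lines: List[str]) -> Dict[str, Set[str]]:
    """CI/CD phase: record, per image, the set of executables it launched."""
    baseline: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        image, exe, _ = parse(line)
        baseline[image].add(exe)
    return baseline

def detect(lines: List[str], baseline: Dict[str, Set[str]]) -> List[str]:
    """Production phase: one BLOCK decision per event that is blacklisted or
    launches an executable the image never ran during learning."""
    alerts = []
    for line in lines:
        image, exe, argv = parse(line)
        if any(exe == bad and arg in argv for bad, arg in BLACKLIST):
            alerts.append(f"BLOCK {image}: blacklisted {exe} {argv}")
        elif exe not in baseline.get(image, set()):
            alerts.append(f"BLOCK {image}: {exe} outside learned baseline")
    return alerts

# Constructed events from a CI pipeline run (learning) ...
LEARN = [
    "web:1.4 /usr/local/bin/node server.js",
    "web:1.4 /usr/local/bin/node healthcheck.js",
    "db:13 /usr/lib/postgresql/13/bin/postgres -D /var/lib/postgresql/data",
]
# ... and from production: two normal, two that the baseline must intercept.
PROD = [
    "web:1.4 /usr/local/bin/node server.js",
    "db:13 /usr/lib/postgresql/13/bin/postgres -D /var/lib/postgresql/data",
    "web:1.4 /bin/sh -c id",
    "db:13 /usr/bin/python3 -c import socket",
]

if __name__ == "__main__":
    for alert in detect(PROD, learn_baseline(LEARN)):
        print(alert)
```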

Application security: A container network firewall is implemented in two ways, based on eBPF and on sidecars, and can detect and block threats such as XSS and SQL injection. Combined with AI-based application profiling and eBPF-based out-of-band traffic observation, it automatically learns the access topology between containers, visualizes east-west traffic, identifies risky network connections, and provides a complete container network micro-segmentation solution.



At the same time, the HarmonyCloud container security platform supports multi-cluster management; both the control plane and the probe agents are fully containerized, making the most of the resource efficiency and elastic scalability of containers.



Security is the prerequisite for enterprises moving to the cloud. In the future, HarmonyCloud will help users fully solve the security problems encountered in adopting cloud native, through more complete technical means and product layout, to accelerate the digital transformation of enterprises and embrace cloud native together.