The transition into CWPP
Agility and flexibility were key directives in the development of new technology, which is why on-premise assets soon transitioned into virtual machines, which further transformed into compact and swift containers. Modern enterprise network environments are increasingly transforming to be cloud-based, where both applications and data storage are hosted in a cloud — and often multi-cloud — environment. The attack surfaces and security protection requirements of software in distributed cloud environments are vastly different from traditional network architectures where applications and data were hosted on enterprise-owned servers in on-premises data centers.
The container-based threat surface
Enterprises increasingly use container technology to build business-critical services, while hackers continuously probe for unauthorized access vulnerabilities in containers and container orchestration platforms. Leading analyst research firm Gartner breaks it down to three general categories of attacks and is further segmented into 11 specific attack surfaces and threat vectors. Attacks generally attack the following three stages:
1) Development — Coding and CI/CD (continuous integration, delivery, and deployment)
2) Deployment — Static security
3) Operation — Dynamic security
An effective container security solution must be designed to cover the three stages, as listed above. Additionally, it must provide capabilities including code security, image security, container engine and orchestration management platform security, container runtime security, network security, and application security.
The 11 specific attack surfaces and threat vectors are as follows:
1) Developer system: Cloud storage and various open-source-based tools are used, and these create new attack surfaces for compromise ranging from the developer’s endpoint to the locations and tools accessed to work on code.
2) Git-based code repository: Code is typically stored in Github where it can be maliciously modified if a developer’s account is compromised or hijacked.
3) Retrieval of dependencies: Outdated supply chain code or libraries from vendors may be contaminated, risking backdoor exploitation.
4) Image registry: The image warehouse — likely Docker Hub — may contain a Docker image (official or unofficial) that may include known CVE vulnerabilities due to tampering.
5) Unsecured orchestration plaptform: Any insecure default configurations or excessive developer privileges can introduce vulnerabilities in the orchestration platform, typically Kubernetes, that can be leveraged as attack vectors.
6) Host-container relationship: A container often shares the system kernel with its host machine. If the container’s permission privileges are set too permissive, it can allow malicious code to penetrate and obtain control of the host machine.
7) Rapid rate of change: Rapid deployment focuses on the latest image, while older versions are disregarded but not deleted. As the development environment iterates rapidly, older versions of code or tools still exist in the repositories and may create risks.
8) Microservice communication and network segmentation: The container east-west network layer is generally invisible and spreads across many different IP addresses. Hence, communication between containers poses a significant threat.
9) Inter-process communication (IPC) used for micro-service messaging: Micro-service platforms generally use a messaging mechanism; the confidentiality and integrity of these messages pose a considerable attack surface.
10) Increased number of databases: To facilitate loosely-coupled operation between containers, various services may use their own private database resources, increasing the attack surface.
11) Application layer attacks: Many container applications provide web services and are subject to application-layer attacks.
CWPP secures the new threat surface
A CWPP solution leverages cloud-native technology and architecture to achieve an agile deployment strategy that is highly reliable. By possessing low computational resource requirements, and being compatible with various CNI modes, a CWPP solution achieves augmented efficiency. Outstanding CWPP solutions often possess a comprehensive graphical interface that is easily managed. It can also clearly display relationships between assets and the network traffic flow through automated synchronization of existing assets. Finally, leading CWPP solutions can be deployed while minimizing business interference.
To learn more about CWPP, and how the new age of container technology can be secured, click here.