Container Orchestration is Here. What Does it Mean for Security?

Container adoption is growing fast – often faster than security can keep up. Container orchestration can help close the gap, but the way many companies are using it actually creates new security risks.

Those risks include using outdated tools, failing to revoke outdated access permissions, and overprovisioning users, says Rory McCune, cloud native security advocate for Aqua Security. You can watch McCune give a rundown of how container orchestration works and its security risks in our OnDemand Session “Container Orchestration is Here, What Does it Mean for Security?”

One company that uses containers to deploy software is Thoughtworks, a global technology consultancy. Containers let it deploy at a rapid pace across hundreds of cloud accounts, and the company relies on automation to configure them. But with deployments spread across that many accounts and no single team owning their configuration, misconfigurations can go unnoticed. “The cloud technologies help teams move faster,” says Felix Hammerl, enterprise security architect at Thoughtworks. “But since there is no centralized operations or admin team, you lose that oversight.”

Thoughtworks turned to Aqua’s SaaS platform to manage container vulnerabilities and secure its cloud accounts. The product gives the company a single place to keep tooling current, monitor images for vulnerabilities, and check that cloud and cluster configurations match its security baseline.

Thoughtworks isn’t the only company with this problem; exposed container infrastructure is scanned for and probed continuously. According to the recent Red Hat State of Kubernetes security report, in a survey of 500 DevOps, engineering, and security professionals, 94% experienced at least one security incident in their Kubernetes environments in the last 12 months. What’s more, 55% of respondents delayed an application rollout because of security concerns.

Thoughtworks was looking for a solution to catch everything that falls through the cracks, prevent things from falling further behind, and do it all without requiring a large analyst team. “I want the engineering team to just be able to step away and then everything should still work… I don’t want to have to look at everything every day and be worried that I might have missed something,” says Hammerl.

Staying up to date

Thoughtworks needed a way to manage the security debt that leaves containers and serverless functions vulnerable. “Security debt accumulates over time and it’s surprisingly hard to have a structured approach to that,” says Hammerl. The Kubernetes support lifecycle is short, generally only 12 to 18 months, so your company could easily be running an outdated version that’s vulnerable to attack, says McCune. A recent report from Unit 42 said 96% of third-party container applications contained known vulnerabilities. Known vulnerabilities in exposed components are the cheapest way into an environment, and they are among the first things an attacker looks for when targeting a company.
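The two kinds of debt just described, images carrying known vulnerabilities and clusters running an unsupported release, can both be turned into a mechanical check that runs in a pipeline without anyone reviewing it by hand. The block below is an added example and is not code from Aqua, Thoughtworks or Unit 42. The scan report is a constructed, minimal stand-in for what an image scanner emits (its `SAMPLE-n` ids are placeholders, not real CVEs), and the support-window rule encodes upstream Kubernetes’ policy of patching only the three most recent minor releases; the “newest minor” is passed in as a parameter so the check runs offline.

```python
"""Turn scanner output and the cluster version into a security-debt verdict.

Added example (not Aqua's, Thoughtworks' or Unit 42's code). The scan report
below is constructed for illustration, and the support-window rule encodes
upstream Kubernetes' policy of patching only the newest three minor releases.
"""
import json

# Constructed sample scan report for a third-party image. The ids are
# placeholders, not real CVE identifiers.
SAMPLE_SCAN_JSON = json.dumps({
    "image": "registry.example.com/vendor/app:2.3.1",
    "vulnerabilities": [
        {"id": "SAMPLE-1", "package": "openssl", "severity": "CRITICAL",
         "installed": "1.1.1k", "fixed": "1.1.1l"},
        {"id": "SAMPLE-2", "package": "curl", "severity": "HIGH",
         "installed": "7.74.0", "fixed": None},        # no upstream fix yet
        {"id": "SAMPLE-3", "package": "zlib", "severity": "LOW",
         "installed": "1.2.11", "fixed": "1.2.12"},
    ],
})

BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}
SUPPORTED_MINOR_RELEASES = 3   # upstream patches the newest three minors


def parse_minor(version):
    """Return the minor number from a Kubernetes version string such as 'v1.24.3'."""
    parts = version.lstrip("v").split(".")
    if len(parts) < 2 or parts[0] != "1":
        raise ValueError(f"unrecognised Kubernetes version: {version!r}")
    return int(parts[1])


def cluster_support_status(cluster_version, newest_minor):
    """Classify a cluster as 'supported' or 'end-of-life' and say how far behind it is.

    newest_minor is the latest minor upstream has released; it is passed in
    (rather than fetched) so the check can run offline in a pipeline.
    """
    behind = newest_minor - parse_minor(cluster_version)
    status = "supported" if behind < SUPPORTED_MINOR_RELEASES else "end-of-life"
    return (status, behind)


def scan_verdict(scan_json):
    """Return (blocked, fixable_ids, unfixed_ids) for an image scan report.

    blocked is True when a CRITICAL or HIGH finding already has a fixed version,
    because that is debt the team can pay down now by rebuilding the image.
    High-severity findings with no fix are reported but do not block, so the
    gate does not stall every rollout on issues nobody can patch yet.
    """
    fixable, unfixed = [], []
    for vuln in json.loads(scan_json)["vulnerabilities"]:
        if vuln["severity"] not in BLOCKING_SEVERITIES:
            continue
        if vuln["fixed"]:
            fixable.append(vuln["id"])
        else:
            unfixed.append(vuln["id"])
    return (bool(fixable), fixable, unfixed)


if __name__ == "__main__":
    blocked, fixable, unfixed = scan_verdict(SAMPLE_SCAN_JSON)
    print(f"image blocked={blocked} fix-now={fixable} track={unfixed}")
    # Assumed values for illustration: a cluster on 1.24 while 1.27 is current.
    print("cluster:", cluster_support_status("v1.24.3", newest_minor=27))
```

The split between fixable and unfixed findings is the design choice worth copying: blocking only on what can be fixed keeps the gate credible, while the unfixed list is the debt that has to be tracked until a patched package ships.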

Misconfigurations and outdated access permissions

With Kubernetes, it’s easy to give a client access, but there’s often no easy way to revoke it, according to McCune. Client certificates are the clearest case: the API server does not check certificate revocation lists, so a certificate signed by the cluster CA stays valid until it expires or the CA itself is rotated. Old credentials also have a high risk of being leaked on the web, and if attackers get hold of them, the person who owned them may never notice the compromise, particularly if they have left the company but still have access.

Compounding this issue is the fact that companies often err on the side of giving too many permissions to employees. “No one should be running as cluster-admin but it’s pretty common,” says McCune. Similarly, hackers can sometimes access cloud accounts if the security settings aren’t configured correctly. Thoughtworks, for example, has hundreds of cloud accounts and needs to ensure the right people have access. “A lot of cloud accounts equal a lot of different configurations and Aqua CSPM lets us see a clear list of things we should not do and alerts us if someone does one of those things,” says Hammerl.
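The two problems above, people bound directly to cluster-admin and bindings left behind for people who have moved on, are both visible in the cluster’s RBAC objects, so they can be audited rather than discovered after an incident. The block below is an added example, not code from Aqua, Thoughtworks or Kubernetes itself. The input mirrors the shape of `kubectl get clusterrolebindings -o json`; the sample document, the `ACTIVE_USERS` roster and the `example.com` identities are constructed for illustration.

```python
"""Audit Kubernetes ClusterRoleBindings for over-provisioned and stale subjects.

Added example (not Aqua's, Thoughtworks' or Kubernetes' own code). The input
mirrors `kubectl get clusterrolebindings -o json`; the sample document and the
roster below are constructed for illustration.
"""
import json

# Constructed sample, trimmed to the fields the audit needs.
SAMPLE_BINDINGS_JSON = json.dumps({
    "kind": "List",
    "items": [
        {   # Kubernetes' own binding; the system:masters group is expected here.
            "metadata": {"name": "cluster-admin"},
            "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"kind": "Group", "name": "system:masters"}],
        },
        {   # A person granted cluster-admin directly: over-provisioned.
            "metadata": {"name": "alice-admin"},
            "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"kind": "User", "name": "alice@example.com"}],
        },
        {   # A departed employee whose binding was never removed: stale.
            "metadata": {"name": "bob-deploy"},
            "roleRef": {"kind": "ClusterRole", "name": "edit"},
            "subjects": [{"kind": "User", "name": "bob@example.com"}],
        },
        {   # A CI service account with read-only access: nothing to flag.
            "metadata": {"name": "ci-view"},
            "roleRef": {"kind": "ClusterRole", "name": "view"},
            "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "ci"}],
        },
    ],
})

# Current roster (constructed). A User still bound but not on it is stale.
ACTIVE_USERS = {"alice@example.com"}

# Subjects Kubernetes binds to cluster-admin itself; these are expected.
EXPECTED_ADMIN_SUBJECTS = {("Group", "system:masters")}


def subject_key(subject):
    """Return a hashable (kind, identity) pair for an RBAC subject."""
    if subject["kind"] == "ServiceAccount":
        return ("ServiceAccount", f"{subject['namespace']}/{subject['name']}")
    return (subject["kind"], subject["name"])


def audit_bindings(bindings_json, active_users):
    """Return a list of (binding, subject, reason) findings.

    Flags (1) any subject other than the expected system group bound to the
    cluster-admin ClusterRole and (2) any User subject no longer on the active
    roster, whatever role they hold. Bindings with no subjects are skipped.
    """
    findings = []
    for item in json.loads(bindings_json)["items"]:
        name = item["metadata"]["name"]
        role = item["roleRef"]["name"]
        for subject in item.get("subjects", []):
            kind, identity = subject_key(subject)
            if role == "cluster-admin" and (kind, identity) not in EXPECTED_ADMIN_SUBJECTS:
                findings.append((name, identity, "bound to cluster-admin"))
            if kind == "User" and identity not in active_users:
                findings.append((name, identity, "user not on active roster"))
    return findings


if __name__ == "__main__":
    for binding, subject, reason in audit_bindings(SAMPLE_BINDINGS_JSON, ACTIVE_USERS):
        print(f"{binding}: {subject}: {reason}")
```

Run it against the real output of `kubectl get clusterrolebindings -o json` (namespaced RoleBindings can also reference the cluster-admin ClusterRole and deserve the same pass). Deleting a stale binding removes the authorization, but if the departed user authenticated with a client certificate, the certificate itself still authenticates until it expires, which is the revocation gap described above.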

Final Thoughts

Container orchestration is quickly being adopted throughout the cloud industry because of the significant operational and financial benefits it provides. But as these systems proliferate, attackers will be looking for the unpatched components, stale credentials and misconfigurations that container deployments leave behind. Don’t let your company fall victim to an attack: understand how to safeguard your container applications, or find experts who can.

To stay at the cutting edge of cybersecurity, you need to be part of the conversation. Register today for our upcoming Spotlight On Cybersecurity on April 6th to hear from our esteemed panel of industry experts.

Photo by Christina @ wocintechchat.com on Unsplash
