Container adoption is growing fast – often faster than security can keep up. Container orchestration can help close the gap, but the way many companies are using it actually creates new security risks.
Those risks include using outdated tools, failing to revoke outdated access permissions, and overprovisioning users, says Rory McCune, cloud native security advocate for Aqua Security. You can watch McCune give a rundown of how container orchestration works and its security risks in our OnDemand Session “Container Orchestration is Here, What Does it Mean for Security?”
One company that uses containers to deploy software is Thoughtworks, a global technology consultancy. Containers enable deployment at a rapid pace across hundreds of cloud accounts, and the company relies on automation to configure the containers. However, there’s a gap in functionality that can lead to dangerous network vulnerabilities. “The cloud technologies help teams move faster,” says Felix Hammerl, enterprise security architect at Thoughtworks. “But since there is no centralized operations or admin team, you lose that oversight.”
Thoughtworks turned to Aqua’s SaaS Solution to Manage Container Vulnerabilities and Secure Cloud Accounts with Thoughtworks to bridge the gap. By using the product, they get a centralized platform that provides up to date functionality, monitors for vulnerabilities, and ensures proper security configurations.
Thoughtworks isn’t the only company that’s having this problem. As you read this, there’s a hacker somewhere in Russia or North Korea trying to poke holes in your container defenses. According to the recent Red Hat State of Kubernetes security report, in a survey of 500 DevOps, engineering, and security professionals, 94% experienced at least one security incident in their Kubernetes environments in the last 12 months. What’s more, 55% of respondents delayed an application rollout because of security concerns.
Thoughtworks was looking for a solution to catch everything that falls through the cracks, prevent things from falling further behind, and do it all without requiring a large analyst team. “I want the engineering team to just be able to step away and then everything should still work… I don’t want to have to look at everything every day and be worried that I might have missed something,” says Hammerl.
Staying up to date
Thoughtworks needed a way to manage security debt that leaves containers and serverless functions vulnerable. “Security debt accumulates over time and it’s surprisingly hard to have a structured approach to that,” says Hammerl. The Kubernetes support lifecycle is short, generally only 12 to 18 months, so your company could easily be running an outdated version that’s vulnerable to attack, says McCune. A recent report from Unit 42 said 96% of third-party container applications contained known vulnerabilities. Known vulnerabilities give hackers easy access to infrastructure, and it’s the first thing they look for when they target a company.
A lot of cloud accounts equal a lot of different configurations, and Aqua CSPM lets us see a clear list of things we should not do and alerts us if someone does one of those things.”
Felix Hammerl, Enterprise Security Architect at Thoughtworks
Misconfigurations and outdated access permissions
With Kubernetes, it’s easy to give a client access, but there’s often no easy way to revoke their access, and old accounts have high risks of having their credentials leaked on the web, according to McCune. If hackers get their hands on them, the employee who has those credentials might not notice that their account has been compromised, particularly if they’ve left the company but still have access.
Compounding this issue is the fact that companies often err on the side of giving too many permissions to employees. “No one should be running as cluster-admin but it’s pretty common,” says McCune. Similarly, hackers can sometimes access cloud accounts if the security settings aren’t configured correctly. Thoughtworks, for example, has hundreds of cloud accounts and needs to ensure the right people have access. “A lot of cloud accounts equal a lot of different configurations and Aqua CSPM lets us see a clear list of things we should not do and alerts us if someone does one of those things,” says Hammerl.
Final Thoughts
Container orchestration is quickly being adopted throughout the cloud industry due to the significant operational and financial benefits it provides. However, as these types of systems proliferate, hackers will be on the lookout for the vulnerabilities created by container arrangements. Don’t let your company fall victim to a cyber attack — understand how to safeguard your container applications, or find experts that can.
To stay at the cutting edge of cybersecurity, you need to be part of the conversation. Register today for our upcoming Spotlight On Cybersecurity on April 6th to hear from our esteemed panel of industry experts.
Photo by Christina @ wocintechchat.com on Unsplash
