A red container with the doors swung wide open, the inside is empty - Cloud container vulnerability

Why Cloud Containers Are Vulnerable

5 minute read
David Roe avatar
Recent research suggests that the number of vulnerabilities in cloud containers is increasing, creating security headaches for enterprises.

Every few months or so some cybersecurity vendor publishes new research on vulnerabilities and exploits. It might be easy to dismiss such reports as being alarmist headlines intended to drive the security business, but you can never be too careful. The recent report from Skybox Security outlines the vulnerabilities and exploits in play over the first half of 2019 in a measured presentation that avoids overstating threats. The report reveals a number of trends that enterprises need to pay attention to, not least of which is the rapid growth of vulnerabilities in cloud containers.

Container Vulnerabilities

The report (registration required) reads: "As use of various cloud services has grown, so too have their vulnerabilities. Vulnerabilities in container software have increased by 46% in the first half of 2019 compared to the same period in 2018. Looking at the two-year trend of container vulnerabilities published in first halves, container vulnerabilities have increased by 240%."

Cloud containers are lightweight and more portable than virtual machines (VMs), they can replace traditional VMs in many cloud computing deployments because of their speed and simplicity. The problem is that ease of deployment can lead to security headaches.

That said, it should also be noted that of the more than 7,000 vulnerabilities published in the first half of 2019, a small fraction will never have an exploit, with less than 1% exploited in the wild. However, any rise in vulnerabilities means a rise in attacks leaving more enterprises at risk.

The problem is the containers themselves, according to Kris Lahiri, CSO and co-founder of Egnyte. Containerization has made it possible for developers to produce artifacts that can be developed, tested and deployed as a single unit. Additionally, the pace of pushing changes to production has increased from weeks to hours. Therefore, developers must employ security best practices from the get-go, rather than relying on security teams to scan every version.

Containerized applications rely on a large number of supporting services that store containers (registries), orchestrate container lifecycles, monitor their execution and direct traffic in and out of the containers. Furthermore, containerized applications and micro-services go hand-in-hand, which increases the number of components and interactions for an application. All of which means there are a number of separate parts that need to be secured and it also means there's a larger number of potential attack targets.

“We need to follow time-tested ways to harden the application layer itself in order to protect against attacks such as SQL injection and XSS. For containers specifically, focus should be on reducing the attack surface and frequently updating core components to leverage latest fixes,” he said.

Related Article: Containers vs Serverless Computing: A Competition or Natural Progression?

The Need for Container Management

That said, the cloud can be just as secure as a traditional environment as long as security is given the same kind of attention, according to Scott Russ, security architect at digital consultancy Nerdery. It can actually be more secure than a traditional environment if you embrace the mind shift towards automation and immutable infrastructure that the cloud enables.

He pointed out that when it comes to containers, the recent increase in vulnerabilities is directly tied to a lack of security hygiene. The ease with which developers can deploy identical containers across environments means that container adoption will continue to grow and, as a result, your attack surface will grow if vulnerabilities aren't aggressively managed. “A container management process that includes frequent scanning — both pre- and post-image build and launch — orchestration engine patching and base/parent image standards will go a long way towards ensuring that only safe containers are being deployed,” he said. He added that if you must use security tooling, ensure it natively understands containers and orchestration — it should be deployable and effective using a sidecar pattern.

Learning Opportunities

The Cloud Is Secure

This does not make the cloud any less secure than any other digital technology. It doesn't matter where your applications or data are physically located. Cyberattacks are a crime of opportunity, said Steve Tcherchian, chief product officer at XYPRO. A key point, he said, is that just because you’re moving your application to the cloud doesn't mean shifting your cybersecurity responsibility to cloud providers like Amazon, Microsoft or Google.

The same strategy, controls and monitoring applied to on-premises environments needs to be deployed to any cloud infrastructure to ensure everything is properly secured, it is still the responsibility of the enterprise to ensure security best practices are followed.

By making enterprise adoption easier, cloud providers can improve confidence in the cloud transformation journey. “There are tools and services available to help ensure applications are deployed securely and properly protected — although this industry is still very much in its early stages and constantly evolving and maturing. Consumers must be very diligent with their data, even in the cloud,” he said.

Related Article: Container Security Woes Push Evolution in 2 Directions

No Turning Back, Cloud Is the Future

Cloud computing is the way of the future and there is no going back. Cloud computing is on the rise not only because of flexibility, but because of scalability and portability, said Christian Nyakanyanga, CEO of Cyber Sentinel.

The cybersecurity challenges being faced by the world are continuously growing with data breaches occurring even more frequently. The question is not whether you should trust cloud computing but rather how can you improve the security of cloud containers. “Cloud containers aren’t unique, they deserve the same rigor that is applied to all other aspects of cybersecurity. Your organization cannot win at cloud if it is failing at cybersecurity, but it can win at cloud by default if it's winning at cybersecurity,” he said.

It is the role of the IT teams all the way from the chief information security officer (CISO) to implement the right strategy, tools and culture to enhance the security of cloud containers and reduce the risk of data breaches.