As more organizations have shifted to a cloud-native deployment method and system architecture, containers and other cloud technologies have taken on new importance, as well as new security concerns. This blog post will take a deep dive into the challenges and best practices around container security, as well as provide tips for how to ensure cloud-native technologies like containers remain secure.

Containers as a Security Risk 

Containers are lightweight, executable units that combine an application and its dependencies for increased agility and scalability to simplify consistent deployment regardless of computing environment. Development teams leverage containers extensively in building cloud-native applications. In doing so, they can ensure that software works the same regardless of where it’s ultimately deployed. 

That advantage has helped skyrocket container use. According to Gartner estimates, around 80% of software running at the physical edge will be in containers by 2028. 

The global container market was valued at $4.65 billion in 2023, and every major cloud provider offers the ability to deploy container workloads.

This growth in usage over time hasn’t only made containers more popular, it has also made them more of a target. Although containers isolate applications, they don’t provide full isolation due to shared kernel access, which makes kernel vulnerabilities especially significant.

Runtime and Container Scanning with Upwind

Upwind offers runtime-powered container scanning features so you get real-time threat detection, contextualized analysis, remediation, and root cause analysis that’s 10X faster than traditional methods.

The shared environment exposes containers to potential compromise, underscoring the importance of securing both containerized applications and their underlying host systems as part of a larger attack surface.

Containerized application in a shared environment. With vulnerabilities monitored in real time
A containerized application in a shared environment. With vulnerabilities monitored in real time, security tools can help flag vulnerabilities or risk levels related to container isolation or kernel access.

Container Orchestration Platforms to Secure 

When developing a container security program, it’s essential to start with container orchestration platforms, which manage the deployment, scaling, and operational control over containers across complex environments. Orchestration platforms coordinate how containers operate together, often across multiple servers or clusters, providing the structure needed for large-scale container applications.

Orchestration platforms add critical layers of visibility and control, enabling developers and DevOps teams to monitor and manage container lifecycles efficiently. Most organizations using containers rely on orchestration platforms as a core component of their container ecosystem. 

Examples include:

Kubernetes

Kubernetes is the most widely adopted container orchestration platform, providing a comprehensive framework for managing containers at scale. Kubernetes’ key security features include:

  • Role-based access control (RBAC) for managing permissions
  • Network policies to control container communication
  • Secrets management to securely store sensitive data

Despite these built-in tools, securing Kubernetes requires configuring the control plane, API access points, and node configurations to reduce risks like privilege escalation or unauthorized access. 

Given the complexity of large-scale deployments, tools like Kubernetes Security Posture Management (KPSM) are critical to automating and enforcing security policies. Kubernetes’ risks often stem from misconfigured permissions or network policies that expose sensitive parts of the infrastructure to unauthorized access, so regular audits and strict access policies are essential.

Amazon ECS/Fargate

Amazon’s managed orchestration service, ECS provides orchestration within the AWS ecosystem, while Fargate offers a serverless option that abstracts the infrastructure layer, simplifying container management and scaling.

With Fargate, AWS abstracts the underlying infrastructure, reducing the need for users to manage nodes and their security. Minimizing the direct configuration of servers means focusing more on container-level security. However, Fargate’s “serverless” model can also shift certain security responsibilities to the user, particularly in areas like image management and runtime security.

This platform is tightly integrated with AWS identity and access management (IAM). It also integrates with AWS security groups and Virtual Private Cloud (VPC) settings for network isolation, but network control granularity is limited compared to Kubernetes network policies.

To strengthen Fargate’s security, tools for runtime security and dedicated image scanning help address these container-specific needs.

Google Kubernetes Engine (GKE) and Microsoft Azure Kubernetes Service (AKS)

These managed services automate infrastructure management for Kubernetes clusters, focusing on easy deployment, scaling, and monitoring within Google Cloud and Microsoft Azure, respectively. Both GKE and AKS also provide advanced security integrations specific to their platforms, offering tools for threat detection and workload protection. 

GKE integrates with Google Cloud IAM, Cloud Armor, and Google’s binary authorization, while AKS integrates with Azure AD, Azure Policy, and Azure Security Center for identity management and compliance controls. Both support Kubernetes-native network policies, allowing for granular network segmentation and isolation between pods.

For additional security, third-party solutions can be incorporated to enhance runtime protection and compliance monitoring in these managed environments.

Red Hat OpenShift

This Kubernetes-based platform is designed to manage containerized applications at scale. Built on open-source technology but with commercial security tools, OpenShift enhances Kubernetes with features that streamline deployment, scaling, and management across hybrid and multi-cloud environments. 

OpenShift includes advanced, enterprise-grade security features such as integrated image scanning, compliance tools, and customizable network policies beyond standard Kubernetes. The platform also supports service meshes, such as Istio, to secure microservices communication pathways, adding an extra layer of security for inter-service communication.

OpenShift’s focus on compliance and enhanced network segmentation makes it especially suited for highly-regulated industries. However, it still can’t offer comprehensive security for cloud infrastructure, applications, and identities beyond the capacity of a container orchestration platform.

Here’s a summary of key differences:

PlatformSecurity HighlightsControl LevelAutomatic UpdatesIdeal Use Case
Amazon ECS/FargateAbstracted infrastructure with AWS IAM and VPC security; limited network policiesLowYesSimple, serverless environments
GKE & AKSKubernetes-based with cloud-native security integrations (IAM, policy management, network segmentation)ModeratePartial (control plane)Managed Kubernetes deployments
Red Hat OpenShiftEnterprise-ready security with compliance, image scanning, customizable network policies, supports multi- and hybrid cloud setupsHighNoHybrid, multi-cloud enterprises
Kubernetes Full control, customizable RBAC and network policies, secrets management, manual updates and maintenanceHighNo Advanced, self-managed clusters

Containerization Tools to Secure

In addition to container orchestration platforms, container tools come with different security profiles. Containerization tools, like Docker, provide a lightweight way to package applications with their dependencies, allowing consistent and isolated runtime environments across various platforms. Docker has become the most popular tool for containerization, but there are other tools and add-ons that support or enhance containerized workloads and have their own implications for container security.

Docker

Docker, the most popular containerization platform, focuses on container creation and runtime management, but its ubiquity makes it a prime target for attacks. Recent CVEs (Common Vulnerabilities and Exposures) identified in 2024 highlight the possibility of unauthorized access or exploitation. It includes security capabilities such as: 

  • Image security, enabling users to pull images from Docker Hub, including official, verified images and user-generated images. However, Docker images are often built from community-based repositories, which may lack rigorous security procedures or standards during development. Tools like “Docker Bench for Security” or integration with external scanning solutions can help address these risks.
  • Runtime isolation to provide a layer of protection between containerized applications and their host system.
  • Resource control to limit CPU and memory usage, preventing containers from over-consuming host resources.

With Docker, common security risks come from vulnerable images or inadequate isolation, which could allow malicious code to escape a container or compromise the host. Many users turn to related tools designed to enhance Docker, like Docker Compose for multi-container orchestration. They might also make use of Docker Swarm for simpler though less feature-rich orchestration and clustering compared to Kubernetes, or Containerd, a standalone container runtime that focuses on the runtime component, offering improved security by reducing dependencies and avoiding the need for the full Docker suite. 

With or without these add-ons, teams who use Docker will need to follow these rules for security:

  1. Use Official and Trusted Images: Download images from trusted sources to minimize risks.
  2. Conduct regular vulnerability scanning: Integrate tools to scan for vulnerabilities in images before deployment.
  3. Limit container privileges: Run containers with the least privilege necessary, avoiding root access whenever possible.
  4. Isolate sensitive applications: Use tools to isolate sensitive applications and manage permissions between containers.
  5. Set resource limits: Control CPU and memory allocation to prevent resource hogging and reduce risks from resource-based denial-of-service (DoS) attacks.

Docker and related container tools form the core of containerized application environments. They offer flexibility and consistency. However, adding additional security tools around Docker itself can overwhelm teams, complicate workflows, and reduce Docker’s efficiency within a broader container or security strategy.

Modern Challenges in Container Security 

Containers have become extraordinarily popular among developers and DevOps engineers because of their ease of use and ability to function as discrete units in deployment. Although they have some innate security posture because of their functioning as self-contained units, their use has led to new security challenges.

These include: 

ChallengeExplanation
Vulnerabilities in container imagesKnown vulnerabilities can expose infrastructure to potential attacks. Container images need to be scanned and updated regularly. 
Runtime misconfigurationsMisconfiguring runtimes can result in the isolation between containers failing, leading to unauthorized access and lateral movement. Misconfigurations can also come from settings like unrestrained network access or default security policies, which may allow lateral movement between containers. Ensure container runtimes are configured properly to limit this risk. 
Weak/outdated container dependenciesThe libraries and frameworks used in containers may be outdated or contain known vulnerabilities. Scan libraries regularly to identify issues.
Exposed APIs Container APIs left insecurely exposed allow unauthorized access and potential exploitation. Update APIs and secure interfaces to prevent exposure. Using API gateways and security frameworks like OpenAPI can add additional protection layers to containerized APIs, helping secure them against unauthorized access.
Unsecure access controls Weak access controls can result in infiltration from threat actors or enable insiders to compromise container architecture. Implementing least privileged access minimizes the risk. 
Kernel vulnerabilities and exploitsContainer breakouts can happen because of weaknesses in the host system. Keep the container host system patched to prevent breakouts. Using a minimal OS or a hardened kernel distribution can further reduce attack vectors, especially in containers that share kernel space.
Untrusted registries Unreliable registries for containers can result in the propagation of malware. Use trusted, known registries and stay up to date on any changes. Private container registries can enforce stricter security policies, such as only allowing verified container images, to further reduce the risk of malware.
Insufficient visibility into container activityFailing to monitor activity within containers can complicate tracking security incidents. Institute a comprehensive monitoring solution for clarity into incidents and remediation steps.

What are Container Security Best Practices? 

Building on the security measures specific to Docker and orchestration platforms, container security best practices encompass broader strategies that enhance protection across the entire container lifecycle. These practices ensure not only the security of container images and orchestration platforms, but also address the critical runtime and network aspects necessary to maintain a resilient containerized environment.

Container security best practices emphasize ensuring the integrity and security of container images through vulnerability scanning and using trusted sources, and securing the orchestration systems like Kubernetes that manage container deployment and scaling.

Implementing Vulnerability and Malware Scanning 

Containers with vulnerabilities replicate risks at scale, so integrate automated scanning into CI/CD pipelines and establish thresholds for blocking high-risk images. Scanning images in each state (build, deploy, and runtime) captures different vulnerabilities. Consider focusing on high-impact, widely-used images to streamline remediation efforts and avoid scan fatigue — and don’t forget the importance of scanning at runtime.

Runtime scanning for vulnerabilities in containers
Runtime scanning ensures critical issues take precedence and can be remediated as soon as they occur.

Ensuring Container Image Provenance

Establish clear provenance for all images, including dependencies, through a software bill of materials (SBOM). This is critical for preventing unknown or malicious components from proliferating across containers. Integrating SBOM checks into development workflows prevents risky deployments and keeps issues from bleeding into shared infrastructure. An SBOM also eases compliance efforts, such as with NIST or SOC2, providing mutual benefits for security and regulatory alignment.

Integrated compliance checks for CVEs to aid container security
Integrated compliance checks help show CVEs and keeps vulnerabilities from creeping into shared infrastructure

Privileged Access Management

Enforce least-privilege access by default and apply strict access reviews to avoid privilege creep over time. Use runtime policies to lock down access and monitor for unexpected privilege escalation attempts, which indicate deeper security gaps. Container runtime security tools can also help detect unexpected privilege escalation or suspicious runtime activity.

Privileged access management visibility for human and non-human identities
Access management in context, with attached resources so teams can see privilege escalation attempts more easily and gauge their risk.

Thorough Production and Non-Production Scanning

Scan pre-production environments to catch errors early while using runtime scanning to inform future pre-production practices. Shifting to runtime scanning also benefits teams using observability tools, such as Prometheus, or those engaged in active monitoring, as runtime insights enhance visibility and responsiveness. 

Behavioral analysis can set a baseline for what workloads should look like, so it’s simpler to identify abnormal behavior and prioritize workloads most at risk.

Baselines for prioritizing workload anomalies in container security
Baselines are assessed using machine learning so teams can easily identify what’s abnormal for their workloads in a dynamic setting.

Attack Surface Management

Regularly audit and map internet-facing assets within container and orchestration setups. Segregate nonproduction and production assets, using network policies to shield critical workloads, and ensure that only necessary resources are exposed. This limits entry points for attackers and reduces open exposure.

Screenshot-2024-11-11-at-8.54.23 AM-1024x518
Guarding external exposures with runtime monitoring means prioritized, organized security to help reduce exposures.

Resource Consumption Management

Set upper limits for CPU, memory, and I/O resources per container. Enforcing these constraints presents resource exhaustion attacks that could harm the host or other containers. Use automated alerts for high-consumption spikes and optimize resources based on container needs, balancing availability and security.

Runtime and container monitoring for better container security
Active monitoring of workloads for greater container security

Upwind Secures Containers Against Attack 

Upwind enhances security teams’ ability to protect containerized and microservices architectures with industry-leading container and Kubernetes security capabilities:  

  • Comprehensive protection across environments: Upwind supports container and Kubernetes security whether you choose to utilize Amazon EKS & ECS, Google GKE, Microsoft AKS, or OpenShift. Consolidate security management across platforms for consistent policies, enforced consistently.
  • Enhanced visibility with DevOps context: Get a real-time, graph-based network and process-level topology of your container infrastructure. This topology helps trace threats and reduce noise by visualizing container interactions, making it easier to spot and address unusual behaviors. Correlate CI/CD events with container security to connect the dots and understand the root cause of changes and container events. Enable a partnership between developers, DevOps, and security to find and resolve issues across the lifecycle of the containerized application.
  • Timeline-based detections and event correlation: Detect and respond to container and Kubernetes threats in real time, such as abnormal data access, lateral movements, and privilege escalations. Kill malicious processes and automate prevention policies for k8s. Using machine learning-based anomaly detection at runtime improves response times and highlights unknown threats within containerized environments, helping to proactively identify risks. Leverage runtime data to contextualize risk factors, identify attack paths, and prioritize the most critical risks across your container infrastructure, applications, and identities to streamline remediation efforts.

To learn more about Upwind’s container security and get advice on best practices, schedule a demo