
What is container runtime security?

Containerized workload adoption grows, but the black-box nature of these short-lived cloud workloads can make them difficult to secure. Container runtime security enables organizations to monitor and protect these dynamic workloads.


Container runtime security definition

Container runtime security comprises the methods and technologies implemented to secure containerized workloads in real time. This aspect of container security involves protecting containers, container images, and hosts from malicious or anomalous behavior.

Container orchestration platforms, such as Docker and Kubernetes, enable the streamlined deployment and management of scalable cloud applications. However, they must be implemented and maintained with cloud-native security technologies and best practices that fully address the unique security challenges they present.

Common runtime threats that containers face include configuration drift, misconfigurations, image vulnerabilities, poor secrets management, privilege escalation, and kernel exploits.

Additionally, containers are black boxes by design, which makes it difficult to understand what is happening inside them, and they are typically short-lived enough that static scanning could miss threats such as zero-day vulnerability exploits.

While containers provide some level of isolation from their host, it is not at the level of virtual machines (VMs) or dedicated servers. Because containers share the host’s kernel, attackers who escape a container could potentially gain access to other containers or the host.

Runtime security provides granular visibility into activity so you discover attacks as they happen during execution and not later. Some container runtime security tools provide drift control to discover binaries not present in the container image. Runtime security is designed to be both proactive as well as reactive in finding container threats.

Why container runtime security is important

Static scanning for vulnerabilities and misconfigurations is still necessary for a strong security posture, but won’t discover unknown threats or attacks that execute while the container is running. Some attacks specifically only exploit running processes.

Container runtime security is important to identify and mitigate those attacks while the process is running, especially as containers are ephemeral workloads that spin up and down as needs dictate. Runtime security provides continuous threat detection and response as part of holistic container security.

Containerization is the technology that runs code in 'containers'. This is a lightweight alternative to full machine virtualization, in which an application and all of its dependencies and configuration run in an isolated environment that shares the host operating system's kernel and resources. This allows for consistent deployment of your code, without the overheads of emulating a full computer.

Because containers are lightweight and can start quickly, they are ideal for horizontally scaling applications in cloud environments. Docker is the most popular containerization platform for cloud workloads, and is often paired with Kubernetes to orchestrate microservice-based applications that run in independently scaling container clusters.

Scalable cloud architectures based on deploying code in containers present several primary security challenges:

  • Malicious code and malware: While scanning code and dependencies and verifying images before deployment can detect known vulnerabilities, it does not protect against as-yet undiscovered exploits.
  • Insecure default configurations and misconfiguration: Many default configurations are written to get up and running quickly, rather than providing security out-of-the-box. Misconfigurations that allow applications to function but leave them vulnerable can also be difficult to detect in complex deployments, and configuration drift that leads to creating an insecure environment can happen slowly over time as a result of quick fixes and unapproved changes.
  • Exploits that compromise container isolation: Container escapes occur when attackers are able to escape the isolation of the current container and access the resources of the host, and gain the ability to move laterally through your network.
  • Exposure of secrets: Sensitive information such as API keys and user credentials is too often committed to source control so that it is available to all containers when scaling horizontally, which risks public exposure. Secrets provided to containers through environment variables can be prone to leaking through error messages and logs if not properly configured.
  • Poor visibility over ephemeral containers: Visibility and accountability over fluctuating and constantly moving resources can be difficult, and logs stored in containers disappear when the container is deprovisioned, potentially erasing evidence of a cyberattack.

Benefits of container runtime security

To mitigate or eliminate the issues described above, you must implement container runtime security platforms that include targeted measures for the specific challenges of scaling container and cloud deployments:

  • Runtime monitoring for suspicious behavior: Runtime security helps you identify attacks in progress, whether the attack vector is documented or not, based on behavioral analysis. This is done by monitoring the activity of currently running processes, and can be enhanced by using machine learning and log analysis to build a full picture of the activities of running processes.
  • Configuration monitoring: Configuration changes should be approved through a central interface by team members who understand the broader impact each change will have. If central approval is disruptive to workflows, alerts should be sent when changes are made.
  • Centralized secrets management and security contexts: Secrets management through a secure, centralized platform such as HashiCorp Vault can be enhanced with security solutions that actively monitor for potential breaches that could lead to secrets exposure.
  • Centralized logging for automated detection and response: Scalable deployments of microservices-based applications can result in potentially thousands of running containers. These can only be effectively monitored by combining orchestration tools like Kubernetes with cloud security solutions that implement security information and event management (SIEM) to centralize logs to be scanned for anomalous behavior.

How does container runtime security work?

Container runtime security works by monitoring the container’s behavior and identifying suspicious or anomalous activity. This could be unusual system calls, unknown binary execution, privilege escalation, namespace modifications, and container deletions.

If the container runtime security solution identifies suspicious activity like the above, then it will perform an action. For example, the popular open source threat detection tool Falco will send alerts to your security team if anomalous syscalls occur in the Linux kernel.

Other container runtime security tools might react to suspicious activity by following a security policy to isolate or shut down a container. Falco Talon enables actions such as terminating the container or pod should an attempt to alter a container occur.
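As an added illustration (not rules from the Sysdig page or from the upstream Falco ruleset), the following constructed Falco rules file shows how the detections described above are expressed: a drift-control rule for binaries not present in the image, a rule for shells spawned inside a container, and a rule for namespace changes. The macros are declared inline so the file loads on its own; rule names, priorities and the `setns` rule's scope are assumptions, and a production ruleset would add exceptions for known-good processes.

```yaml
# Constructed Falco rules file (example, not from the Sysdig page or the upstream
# Falco ruleset). Load it stand-alone with: falco -r runtime-example.yaml
- macro: container
  condition: (container.id != host)

- macro: spawned_process
  condition: (evt.type in (execve, execveat) and evt.dir=<)

- list: shell_binaries
  items: [bash, sh, dash, zsh, ksh]

# Drift control: an executable in the container's writable upper layer was not
# part of the image, so it was dropped in after the container started.
- rule: Binary not in container image executed
  desc: Detect execution of a binary added to the container at runtime
  condition: spawned_process and container and proc.is_exe_upper_layer=true
  output: >
    New binary executed from container upper layer
    (user=%user.name command=%proc.cmdline exe=%proc.exepath
    container_id=%container.id image=%container.image.repository)
  priority: CRITICAL
  tags: [container, drift]

# An interactive shell inside a production container is rarely legitimate and
# is a common first step after an application compromise.
- rule: Shell spawned in container
  desc: Detect a shell started inside a container
  condition: spawned_process and container and proc.name in (shell_binaries)
  output: >
    Shell started in container
    (user=%user.name shell=%proc.name parent=%proc.pname
    cmdline=%proc.cmdline container_id=%container.id image=%container.image.repository)
  priority: WARNING
  tags: [container, shell]

# Namespace modification: a process inside a container joining another namespace
# via setns is unusual for application workloads (assumed scope; add exceptions
# for known tooling before deploying).
- rule: Namespace change in container
  desc: Detect a process inside a container calling setns
  condition: evt.type=setns and evt.dir=< and container
  output: >
    Namespace change via setns in container
    (user=%user.name command=%proc.cmdline container_id=%container.id)
  priority: NOTICE
  tags: [container, namespace]
```

Falco evaluates these conditions against kernel events as they occur, so an alert fires while the offending process is still running, which is the "during execution" visibility the text describes.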

Container runtime security is also provided by tools such as Sysdig Secure and SELinux. A cloud-native application protection platform (CNAPP) unifies container runtime protection with other cloud protection technologies for increased coverage.

Docker and Kubernetes runtime security

Orchestration also plays a role in container runtime protection. Kubernetes is the most popular orchestration tool for scalable Docker deployments, and while it provides numerous benefits (such as automation, high availability, and facilitating updates and rollbacks), it broadens your potential attack surface through misconfiguration or mismanaged privileges.

Docker runtime protection must extend from the running containers themselves to the Kubernetes platform used to orchestrate them to ensure full coverage of all containers and clusters against potential exploits.

Container runtime security best practices

In addition to integrating technologies that recognize the importance of container runtime security and the additional attack surface area of orchestration tools, your development and Ops teams should implement the following container security best practices.

  • Identify and mitigate risks: Vulnerability management plays a key role in cloud security and helps you identify risks that exist in your container registries.
  • Integrate CI/CD pipelines: CI/CD integration with container security platforms can check for vulnerabilities during the build process.
  • Use vaults for secrets management: By integrating centralized credentials management with your security platform, you can ensure that secrets are not exposed. HashiCorp Vault is an industry-standard secrets management system that removes the need for committing API keys and credentials to source control or leaving them potentially exposed in environment variables.
  • Implement access control: Role-based access control (RBAC) and the principle of least privilege (PoLP) ensure that users and services only have access to the information they require to perform their specific tasks. This can reduce the amount of useful data exposed in the event that a breach does occur.
  • Improve security by not using root during runtime: Minimize your attack surface by not allowing containers root access while running. Instead, only use root during build and switch back to non-root for runtime to reduce risk of privilege escalation and prevent malicious activity in the container from escaping to compromise hosts.
  • Isolate and segment with security policies: Network segmentation and access restrictions in conjunction with RBAC restrict the ability of attackers to move laterally through your network.
  • Use immutable containers: Keep attacks limited by making it so containers cannot be modified after deployment, aside from the directories needed to keep containers functioning correctly.
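The access control, non-root, segmentation and immutability practices in the list above map directly onto Kubernetes Pod settings. The manifest below is a constructed example added here (not from the Sysdig page); the pod name, image reference, port and the `role: frontend` label of the allowed client tier are placeholders.

```yaml
# Constructed example: a Pod hardened per the best practices above, plus a
# NetworkPolicy that limits who can reach it. Names and image are placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: hardened-api
  labels:
    app: hardened-api
spec:
  automountServiceAccountToken: false   # least privilege: no API token unless needed
  securityContext:
    runAsNonRoot: true                  # kubelet refuses to start the container as uid 0
    runAsUser: 10001
    seccompProfile:
      type: RuntimeDefault              # runtime's default syscall allowlist
  containers:
    - name: api
      image: registry.example.com/hardened-api:1.4.2   # placeholder image
      ports:
        - containerPort: 8080
      securityContext:
        allowPrivilegeEscalation: false # setuid binaries cannot gain privileges
        readOnlyRootFilesystem: true    # immutable container: image content cannot change
        capabilities:
          drop: ["ALL"]                 # start from zero Linux capabilities
      volumeMounts:
        - name: tmp
          mountPath: /tmp               # the only writable path the app needs
  volumes:
    - name: tmp
      emptyDir: {}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: hardened-api-ingress
spec:
  podSelector:
    matchLabels:
      app: hardened-api
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - podSelector:
            matchLabels:
              role: frontend          # only the frontend tier may reach the API
      ports:
        - protocol: TCP
          port: 8080
```

With `readOnlyRootFilesystem` set, a runtime tool's drift detection and this manifest reinforce each other: a binary dropped into the container can only land in the explicitly writable mount, which narrows what needs watching.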

One of the primary concerns when deploying applications in containers is how regularly images (and the dependencies baked into them) are updated. Applications that are vetted as secure at the time they are deployed and continue working nominally are often left to run as-is, meaning that newly discovered vulnerabilities are not patched.

While active monitoring of deployed applications ensures that suspicious behavior, compliance issues, and configuration drift can be identified and investigated by SecOps teams, developers' responsibility for security of code does not end at deployment. Ongoing dependency monitoring through platforms like Snyk means that developers can keep dependencies up-to-date and code patched against known public vulnerabilities.

Protect your cloud workloads with Sysdig

Deploying containerized applications is not a 'fire and forget' process: your applications serve an ongoing purpose to your users, and must remain available and secure throughout their lifetime.

Container runtime security is only one part of protecting your cloud IT infrastructure. Cloud-native security products that include tools for container security provide robust protection that eliminates the visibility gaps that occur when trying to combine traditional security products that were not designed for cloud environments.

Sysdig CNAPP provides a unified solution that covers all of your cloud assets, protecting your valuable data, ensuring compliance, and helping you to ensure that your containerized applications cannot be exploited.

Get enhanced container security with Sysdig runtime insights. Get actionable context around suspicious behavior during runtime so your security teams understand security risks and how to respond.
