Author | quantico great tiger  Source | Alibaba Cloud Native official account

Container security challenges in cloud native processes

Amid the general shift to cloud native, more and more enterprises are choosing to embrace it. In the CNCF 2020 annual survey report, 83% of organizations have chosen Kubernetes in the production environment. Containers have become the standard for application delivery, and the delivery unit for computing resources and supporting facilities in the cloud native era.

However, because of inherent weaknesses in isolation and security, security has always been one of enterprises' core concerns during containerization. What new container security challenges will enterprises face in the cloud native era?

  • Lack of systematic container security capacity building: Traditional enterprise application security models usually draw security boundaries around the different trust domains of the internal architecture, and east-west service interactions inside a boundary are considered secure. However, enterprise applications now need to be deployed and to interoperate across IDC and cloud. Once the physical security boundary disappears, how to build an enterprise-level container security system under the zero-trust network security model is an important problem that cloud service providers need to solve.

  • More attack surface: Application deployment based on container technology relies on the Linux kernel namespaces and cgroups features. From the attacker's perspective, kernel vulnerabilities, container runtime components, and container application deployment and configuration can all be used to launch targeted escape and unauthorized access attacks. K8s, Docker, Istio and other open source communities have also disclosed a number of high-risk vulnerabilities in recent years, which provide opportunities for attackers.

  • Lack of application lifecycle security: Container technology not only provides flexibility, agility and dynamic extensibility for enterprise application architecture, but also changes the application deployment mode. First, the life cycle of the application itself is greatly shortened. The life cycle of a container application is usually measured in minutes. Meanwhile, as storage, network and heterogeneous resource utilization improve, the deployment density of container applications increases. Traditional VM-oriented security protection policies and alarm monitoring methods cannot meet the requirements of container technology.

  • Lack of understanding of the shared responsibility model for security in the cloud: Security after enterprise applications move to the cloud needs to follow the shared responsibility model. As an enterprise application architecture goes cloud native, enterprise application managers and security operation and maintenance personnel need to understand the responsibility boundary between the enterprise itself and the cloud service provider. In this process, cloud service providers are required to deliver more comprehensive container security best practices to enterprise applications, improve the ease of use of security capabilities, and lower the threshold of use.

Basic principles for building a container security architecture

In order to cope with the security challenges of enterprise applications in the process of containerization, cloud service providers and enterprise application security management operation and maintenance personnel need to jointly build a container application security system:

Figure 1-ACK container service security responsibility sharing model

1. Cloud service provider side

Cloud service providers should build a secure and stable container infrastructure platform on top of the security capabilities of the cloud platform itself, and build corresponding security protection measures for the whole life cycle of container applications, from build and deployment to runtime. The construction of the entire security system must comply with the following basic principles:

1) Ensure the default security of the container control platform infrastructure layer

The container platform infrastructure layer carries the management and control services of enterprise applications and is key to ensuring the normal operation of business applications. Cloud service providers should pay special attention to the security of the container platform.

  • Complete platform security capabilities: First, the security of the cloud service provider's own infrastructure is the basis of container platform security. For example, VPC security configuration, SLB access control, DDoS protection, and the account system's access control over cloud resources are all basic security capabilities that the platform side needs to provide to enterprise applications.

  • Version update and vulnerability emergency response mechanism: Updating virtual machine OS versions and installing vulnerability patches are basic protective measures for keeping the infrastructure secure. In addition, vulnerabilities in K8s and other container-related open source projects can become a malicious attacker's preferred attack path, so the vendor needs to provide a tiered vulnerability response mechanism and the necessary version upgrade capability.

  • Platform security compliance: This is also a hard prerequisite for cloud adoption by many financial enterprises and government departments. Cloud service providers must ensure the default security of service component configurations based on industry-wide security compliance standards, and provide a complete audit mechanism for platform users and security auditors.

2) Provide defense-in-depth capability for the container application side

Cloud service providers not only need to establish complete security capabilities on their own management and control side, but also need to provide business workloads with security protections suited to container applications in cloud native scenarios, so that end users have a security governance solution at every stage of the application life cycle. Because cloud native brings dynamic, elastic infrastructure, distributed application architectures and new ways of delivering and operating applications, cloud service providers need to combine their own platform security capabilities and apply cloud native capabilities to the traditional security model in order to build a new security architecture for cloud native.

2. Enterprise security

Enterprise security management and operation and maintenance personnel need to understand where the boundary lies in the shared responsibility model for security on the cloud and which security responsibilities the enterprise itself should undertake. In the cloud native microservice architecture, enterprise applications are deployed and interact across IDC and cloud. The traditional network security boundary no longer exists. The network security architecture on the enterprise application side needs to follow the zero-trust security model and rebuild the trust foundation of access control on authentication and authorization. Enterprise security management personnel can focus on the following directions to reinforce production security across the enterprise application life cycle:

  • Ensure the supply chain security of application artifacts

As cloud native develops, more and more large-scale container applications are being deployed in enterprise production environments, and the variety of cloud native application artifacts has grown considerably; container images and Helm Charts are common artifact formats. For enterprises, the security of the artifact supply chain is the source of application production security. On the one hand, it is necessary to ensure the security of artifacts in the application build stage. On the other hand, it is necessary to establish corresponding access control, security scanning, audit and admission verification mechanisms when artifacts are stored, distributed and deployed, to ensure the security of the artifact source.

  • Follow the principle of least privilege when configuring permissions and delivering credentials

Authentication and authorization based on a unified identity system is the foundation of access control under the zero-trust security model. Enterprise security administrators need to configure access control policies for cloud resources and for application resources on the container side, based on the access control capabilities provided by cloud service providers and the enterprise's own permission and account system. In addition, strictly control the distribution of resource access credentials, and promptly revoke issued credentials that may lead to unauthorized access attacks. Also, avoid container application templates configured with excessive permissions, such as privileged containers, to ensure that the attack surface is minimized.

  • Pay attention to application data and application runtime security

Successfully deploying an application online does not mean the end of security work. In addition to resource request auditing, security management and O&M personnel also need to use the monitoring, alarm and event notification mechanisms provided by vendors at runtime to keep container applications running securely and to detect security attacks and potential security risks in time. For sensitive data that the enterprise application itself relies on (such as database passwords and application certificate private keys), apply a key encryption mechanism that matches the security level of the data, and use the cloud key management scheme, disk encryption and confidential computing capabilities to keep data secure along the transmission and storage links.

  • Fix security vulnerabilities and release updates in a timely manner

Vulnerabilities in the virtual machine system, in container images or in the container platform itself may all be exploited by malicious attackers as a springboard for intruding into the application. Enterprise security management and operations staff need to fix security vulnerabilities and update versions (such as the K8s cluster version and the versions of the images in use) according to the guidelines recommended by the cloud service provider. In addition, enterprises are responsible for the security training of internal staff; staying prepared for danger in times of peace and raising security awareness is also a basic priority of enterprise production security.

End-to-end cloud native container security architecture

The Aliyun ACK container service serves a large number of enterprise customers and has built a complete container security system that provides end-to-end application security capabilities. In this year's Forrester IaaS security assessment, Alibaba Cloud containers tied with Google for full marks, leading other vendors. The following figure is the security architecture diagram of the Ali Cloud container service:

Figure 2-ACK Container service Security architecture diagram

First of all, the whole container security system relies on Ali Cloud's strong platform security capabilities, including physical, hardware, virtualization and cloud product security capabilities, which together form a solid platform security base.

On top of the cloud platform security layer is the container infrastructure security layer, which carries the management and control capabilities of enterprise container applications. The default security of container infrastructure is an important basis for the stable operation of applications. First of all, the Ali Cloud operating system team has done a lot of security hardening work on the OS image of the cluster host nodes. Alibaba Cloud Linux 2 (originally Aliyun Linux 2) is not only the official operating system image of Ali Cloud, but also the preferred default system image of ACK. Alibaba Cloud Linux 2 has officially passed the full certification process of the CIS organization, which released the corresponding CIS Aliyun Linux 2 Benchmark Version 1.0.0 on August 16, 2019. ACK supports CIS security hardening for clusters based on the Alibaba Cloud Linux operating system to meet the need for simple, fast, stable and secure use. In addition to CIS compliance, in January 2021 ACK officially supported classified protection (MLPS) hardening for clusters based on the Alibaba Cloud Linux operating system.

In terms of container management and control, the Ali Cloud container service applies default security hardening to the configuration of container management and control components based on the baselines of industry security standards such as CIS Kubernetes. It also follows the principle of least privilege and narrows the default permissions of system components and cluster nodes on the management and control plane to minimize the attack surface. In March, the CIS Kubernetes Benchmark for ACK submitted by the Ali Cloud container service officially passed the certification of the CIS community organization, making Ali Cloud the first cloud service provider in China to release a baseline for the CIS Kubernetes international security standard.

A unified identity system and access control policy model is the core of a security architecture built under the zero-trust security model. The ACK control side is integrated with the Ali Cloud RAM account system and provides automated operation and maintenance of cluster access credentials based on a unified identity model. To address the risk of user credential leakage, it also introduces a user credential revocation scheme, which helps enterprise security administrators revoke cluster access credentials that may have been leaked and so prevent unauthorized access attacks.

The ACK container service also provides platform-side security capabilities for key management, access control, and log auditing, which are key security elements in enterprise application interactive access links.

  • Access control: Based on the K8s RBAC policy model, ACK provides access control over application resources in the cluster. On the premise of ensuring the security of non-primary accounts or default permissions of the cluster creator, cluster administrators can use the console or OpenAPI to grant RBAC authorization in batches, at cluster and account level, to specified sub-accounts or RAM roles. ACK provides four preset permission templates for common enterprise authorization scenarios, which further reduces the learning cost of RBAC and the K8s resource model. The ServiceAccount token is the cluster access credential that application containers commonly rely on, and the ACK cluster supports the token volume projection feature for it: the SA token can be bound to an audience identity and given an expiration time. This further improves control over how applications access the apiserver on the management plane.

  • Key management: To meet enterprise customers' requirements for data security autonomy and compliance, ACK Pro clusters support encryption at rest for K8s Secrets and BYOK cloud disk encryption, so that the core data of enterprises can move to the cloud safely. Meanwhile, ACK clusters support real-time synchronization of sensitive information that users host in the Ali Cloud KMS credential manager into the application cluster. Users can directly mount the designated synchronized Secret instance in a K8s application, which further avoids hard-coding sensitive information in the application.

  • Log audit: In addition to K8s cluster audit logs and control plane component logs, ACK also supports auditing of Ingress traffic and abnormal event alarms based on the NPD plug-in. These log audit capabilities are connected to the Ali Cloud SLS log service. The SLS service provides quick search, log analysis, and rich dashboard display capabilities, greatly reducing the difficulty of container application development, operation, and security audit.
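What the audience binding and expiration time from the access control item buy in practice, as an added Python example (not ACK or Kubernetes code): the claim checks a service applies to a projected ServiceAccount token it receives. The audience names, the `payments` namespace, the one-hour lifetime policy and the sample tokens are assumptions constructed for illustration, and signature verification is assumed to have happened already.

```python
import base64
import json

NOW = 1_700_000_000  # constructed "current time" so the example is deterministic


def sample_token(claims):
    """Constructed token with a placeholder signature (not a real cluster token)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2lnbmF0dXJl"])


def read_claims(token):
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_bound_token(token, expected_audience, now, max_lifetime=3600):
    """Claim checks only. Assumes the signature was already verified, for example
    through the TokenReview API or against the cluster issuer's public keys."""
    claims = read_claims(token)
    if "exp" not in claims:
        return "rejected: no expiry"  # legacy secret-based SA tokens never expire
    if now >= claims["exp"]:
        return "rejected: expired"
    if claims["exp"] - claims.get("iat", now) > max_lifetime:
        return "rejected: lifetime exceeds policy"
    aud = claims.get("aud", [])
    if expected_audience not in ([aud] if isinstance(aud, str) else aud):
        return "rejected: audience mismatch"  # token was minted for another service
    return "accepted"


SUBJECT = "system:serviceaccount:payments:app"  # hypothetical namespace and SA
BOUND = sample_token({"sub": SUBJECT, "aud": ["payments-api"],
                      "iat": NOW, "exp": NOW + 600})
LEGACY = sample_token({"sub": SUBJECT})  # no aud, no exp
LONG_LIVED = sample_token({"sub": SUBJECT, "aud": ["payments-api"],
                           "iat": NOW, "exp": NOW + 31_536_000})

if __name__ == "__main__":
    print(check_bound_token(BOUND, "payments-api", NOW + 60))
    print(check_bound_token(BOUND, "billing-api", NOW + 60))
    print(check_bound_token(LEGACY, "payments-api", NOW + 60))
```

A token stolen from one workload is therefore useless against a service that expects a different audience, and stops working at all once it expires.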

To address the security challenges that the container application layer faces in the supply chain and at runtime, Ali Cloud provides comprehensive security capabilities across the full life cycle of container applications, from build and deployment to runtime:

Figure 3-ACK Container service application lifecycle security capability

  • Application Construction Phase

According to Prevasio’s survey of 4 million container images hosted on Docker Hub, 51% of them have high-risk vulnerabilities. Another 6,432 images were found to contain malicious trojans or mining programs, which alone had been downloaded 300 million times.

To deal with these security challenges in image artifacts, on the one hand, enterprise application developers need to use trusted base images when building application images, standardize the image build process, and keep images minimal. On the other hand, for security risks in the image build process, the Ali Cloud ACR container image service provides basic capabilities such as repository access control, operation audit and image security scanning. Image security scanning is a basic means for users to proactively discover security vulnerabilities. The ACR container image service and Ali Cloud Security Center provide different versions of image vulnerability databases, which are updated in real time and support in-depth image scanning to meet enterprise security compliance requirements. In Ali Cloud container image service Enterprise Edition, you can also create and manage delivery chain instances, freely combine security scanning and distribution steps into automated tasks, and automatically block images containing vulnerabilities so that only secure images are distributed to the repository.

During image build, besides detecting image vulnerabilities in time, making sure that an image is not maliciously tampered with during distribution and deployment is also an important security protection, and it requires verifying the integrity of the image. In an Ali Cloud container service Enterprise Edition instance, the enterprise security manager can configure a signing rule so that images pushed to the repository are automatically signed with the specified KMS key.

  • Application Deployment Time

K8s’ native Admission mechanism provides a natural verification mechanism for application deployment.

Common application template configurations such as abusing privileged containers, mounting sensitive directories, and starting containers as root are likely springboards for container escape attacks. The K8s native PSP model constrains the security behavior of application containers at runtime by means of policy definitions. The ACK container service provides cluster-oriented policy management, helps enterprise O&M personnel customize PSP policy instances for different security requirements, and binds them to a specific ServiceAccount. A one-click switch for the PSP feature removes the complex configuration threshold. In addition, the ACK container service also supports installing and managing the GateKeeper component, so that users can customize security policies for a richer set of scenarios based on the OPA policy engine.

For the security verification of application images at deployment time, Google took the lead in proposing Binary Authorization in 2018. At the beginning of last year, the ACK container service officially implemented image signing and signature verification at application deployment time. By installing the customized Kritis component, enterprise security O&M personnel can use a customized signature verification policy to ensure the security of deployed application images and prevent tampered malicious images from being deployed in the enterprise production environment.
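The three risky template settings named above, checked the way a validating admission webhook would, as an added Python example (not ACK, PSP or GateKeeper code). The list of sensitive host paths and the two sample requests are assumptions constructed for illustration; the request and response follow the `admission.k8s.io/v1` AdmissionReview shape.

```python
# Assumption: this list of sensitive host paths is illustrative, not ACK's own.
SENSITIVE_HOST_PATHS = ("/", "/proc", "/sys", "/etc", "/root",
                        "/var/run/docker.sock", "/var/lib/kubelet")


def is_sensitive(path):
    """True for "/", an exact match, or anything below a sensitive directory."""
    path = "/" + path.strip("/")
    return any(path == p or (p != "/" and path.startswith(p + "/"))
               for p in SENSITIVE_HOST_PATHS)


def may_run_as_root(pod_sc, ctr_sc):
    """Container-level securityContext overrides the pod-level one."""
    user = ctr_sc.get("runAsUser", pod_sc.get("runAsUser"))
    if user is not None:
        return user == 0
    # No explicit UID: the image default applies, which is often root,
    # unless runAsNonRoot makes the kubelet refuse UID 0.
    return not ctr_sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))


def pod_violations(pod):
    spec = pod.get("spec") or {}
    pod_sc = spec.get("securityContext") or {}
    found = []
    for vol in spec.get("volumes") or []:
        host_path = (vol.get("hostPath") or {}).get("path")
        if host_path and is_sensitive(host_path):
            found.append(f"volume {vol['name']}: sensitive hostPath {host_path}")
    for ctr in (spec.get("initContainers") or []) + (spec.get("containers") or []):
        sc = ctr.get("securityContext") or {}
        if sc.get("privileged"):
            found.append(f"container {ctr['name']}: privileged")
        if may_run_as_root(pod_sc, sc):
            found.append(f"container {ctr['name']}: may run as root")
    return found


def review(admission_review):
    """Answer an admission.k8s.io/v1 AdmissionReview request for a Pod."""
    req = admission_review["request"]
    problems = pod_violations(req["object"]) if req["kind"]["kind"] == "Pod" else []
    response = {"uid": req["uid"], "allowed": not problems}
    if problems:
        response["status"] = {"code": 403, "message": "; ".join(problems)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}


def sample_request(uid, spec):
    """Constructed AdmissionReview request (not captured from a real cluster)."""
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": uid, "operation": "CREATE",
                        "kind": {"group": "", "version": "v1", "kind": "Pod"},
                        "object": {"kind": "Pod", "spec": spec}}}


RISKY = sample_request("req-1", {
    "volumes": [{"name": "sock", "hostPath": {"path": "/var/run/docker.sock"}}],
    "containers": [{"name": "app", "securityContext": {"privileged": True}}]})
HARDENED = sample_request("req-2", {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
    "volumes": [{"name": "data", "hostPath": {"path": "/data/app"}}],
    "containers": [{"name": "app", "securityContext": {"privileged": False}}]})

if __name__ == "__main__":
    for sample in (RISKY, HARDENED):
        print(review(sample)["response"])
```

PodSecurityPolicy was removed in Kubernetes 1.25, so on current clusters rules like these are enforced through admission webhooks, GateKeeper constraints or Pod Security Admission.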

Figure 4 – Consistency security policy management

  • Application runtime

The stable operation of enterprise applications depends on security protection at runtime. The ACK container service works with the Cloud Security Center team to monitor and alert on common runtime attacks such as container intrusions, container escapes, viruses and malicious programs, and abnormal network connections. The Cloud Security Center also provides alarm event tracing and attack analysis capabilities. Meanwhile, based on industry security baselines and best practices, the ACK container service provides free security inspection as a key capability for applications running in the cluster. Inspection tasks expose configurations of running containers that do not meet the baseline requirements, covering health checks, resource limits, network security parameters, security parameters and other settings, and give users repair suggestions to avoid possible attacks.

Enterprise customers with higher requirements for security isolation can choose a security sandbox container cluster. Security sandbox containers are based on lightweight virtualization technology, and applications run on an independent kernel, which gives better security isolation. They are suitable for scenarios such as untrusted application isolation, fault isolation, performance isolation, and load isolation between multiple users.

For financial payment, blockchain and other scenarios with strong security demands for the completeness, integrity and confidentiality of data computation, you can choose to deploy the ACK-TEE confidential computing hosting cluster, where confidential computing is based on Intel SGX technology. It keeps important data and code inside a special Trusted Execution Environment (TEE) so that they are not exposed to the rest of the system. Other applications, the BIOS, OS, kernel, administrators, O&M personnel, cloud service providers, and even hardware other than the CPU cannot access confidential computing platform data, greatly reducing the risk of sensitive data leakage.

Figure 5 – Inspection for container application security configuration

Figure 6 – Container application runtime security monitoring

Security is the primary concern on the cloud in the enterprise

Security is the primary concern on the cloud in the enterprise. As cloud native redefines computing infrastructure and enterprise application architectures, containers, as the new interface of the cloud, will also follow the trend of cloud native development and become more secure and reliable. In the future, the Ali Cloud container service will keep "let enterprises rest assured on the cloud and use the cloud at ease" as its goal, maintain world-class competitiveness in the field of container security, and safeguard customers' application security while continuously consolidating the security of its own infrastructure.

Resources

  • "RED KANGAROO"

  • "Binary Authorization"