Report: What does the container security status look like?
Containers and container orchestration systems are a very important part of the infrastructure of organizations that follow agile practices and use continuous integration. But how secure are these systems? The Lacework research team conducted a study to determine the security status of containers, and here are the results.
Earlier this month, Lacework released a study on the security status of containers. Needless to say, the findings got me worried. The aim of the study is to highlight the reality of the risks of operating workloads in the cloud.
More precisely, the research team reviewed more than 21,000 cloud environments, and the published Lacework report describes the risks and threats that organizations face when deploying workloads in a public cloud without proper security guardrails, security services, and the consistent use of security best practices.
Tell me, doctor, how bad is it?
According to the research conducted by Lacework, there are more than 22,000 publicly accessible management nodes connected to the internet. In order to identify these nodes, the Lacework research team used a combination of web crawling, Shodan, SSL data mining, and some internal tools. However, as highlighted in the report:
Lacework will not release any company information or details on specifics around discovered hosts. Additionally, no access was attempted to any of the nodes that were open.
Back to the results, the study revealed an alarming number of open management interfaces and APIs with no authentication whatsoever. Some of the systems found were still in the setup process; however, others were in full production.
The high-level findings reported in the Lacework research were:
- 22,672 open admin dashboards discovered on the internet
- 95% hosted inside of Amazon Web Services (AWS)
- 55% hosted in an AWS region within the US (US-EAST most popular)
- 300 admin dashboards open with no credentials
Kubernetes for the win (or loss)
According to the study, Kubernetes is the most commonly used platform, as you can see in the figure below:
What is most concerning, however, is the number of issues found according to the study. Namely:
- Open dashboards that were in the midst of being set up
- Open dashboards with no authentication
- Open dashboards that possibly could be brute forced
- Information disclosure of the organizations that have deployed Kubernetes
Furthermore, the Lacework research team found that Healthz, a container health check service that is part of the Kubernetes branch, appeared to be very popular. More significant, and at the same time worrying, is that the study found 38 servers running Healthz live on the internet with no authentication. According to the Lacework study:
While it’s unclear whether you can perform full remote code execution (it looks like it could be set up), by default you can monitor workloads and even stop them from running via their UI.
Doctor, what should I do?
The Lacework study not only provides valuable data on the security status of containers, but also offers useful recommendations for dealing with the issue. More precisely, concerning Kubernetes the study recommends:
- Configure your Kubernetes pods to run read-only file systems
- Restrict privilege escalation in Kubernetes
- Build a pod security policy
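As an added example (not taken from the Lacework report or the Kubernetes documentation), here is a pod manifest that applies the first two recommendations, followed by a PodSecurityPolicy that turns them into a cluster-wide rule; the workload name and image are placeholders.

```yaml
# Constructed example (not from the Lacework report): a pod that applies the
# first two recommendations, then a PodSecurityPolicy that enforces them
# cluster-wide so a pod that omits them is rejected at admission time.
apiVersion: v1
kind: Pod
metadata:
  name: hardened-app          # hypothetical workload name
spec:
  securityContext:
    runAsNonRoot: true         # refuse to start if the image wants UID 0
  containers:
    - name: app
      image: example.org/app:1.0   # placeholder image
      securityContext:
        readOnlyRootFilesystem: true     # recommendation 1: read-only root fs
        allowPrivilegeEscalation: false  # recommendation 2: no setuid gain (no_new_privs)
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: scratch
          mountPath: /tmp      # the only writable path the app gets
  volumes:
    - name: scratch
      emptyDir: {}
---
# Recommendation 3: a PodSecurityPolicy that turns the settings above into a
# cluster rule. Requires the PodSecurityPolicy admission plugin (removed in
# Kubernetes 1.25, where Pod Security Admission replaces it).
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  requiredDropCapabilities: ["ALL"]
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  fsGroup:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  volumes: ["emptyDir", "configMap", "secret", "projected"]
```

The policy only takes effect once the pod's service account is granted `use` on it through RBAC; a pod that drops `readOnlyRootFilesystem` or sets `allowPrivilegeEscalation: true` is then refused by the API server rather than silently running.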
Additionally, it recommends:
- Regardless of network policy, use MFA for all access
- Apply strict controls to network access, especially for UI and API ports
- Use SSL for all servers and use valid certificates with proper expiration and enforcement policies
- Investigate VPN (bastion), reverse proxy or direct connect connections to sensitive servers
- Look into product and services such as Lacework in order to discover, detect, prevent, and secure your container services
Do you find these recommendations practical? Have you employed your own solutions? Let us know!