Tell me, doctor, how bad is it?

Report: What does the containers security status look like?


Containers and container orchestration systems are a very important part of the infrastructure of organizations that work in agile ways and practice continuous integration. But how secure are these systems? The Lacework research team conducted a study to determine the security status of containers, and here are the results.

Earlier this month, Lacework released a study on the security status of containers. Needless to say, the findings got me worried. The aim of the study is to highlight the real risks of operating workloads in the cloud.

More precisely, the research team reviewed more than 21,000 cloud environments, and the Lacework report describes the risks and threats an organization faces when it deploys workloads in a public cloud without proper security guardrails and security services, and without the consistent use of security best practices.

Tell me, doctor, how bad is it?

According to the research conducted by Lacework, more than 22,000 publicly accessible management nodes are connected to the internet. To identify these nodes, the Lacework research team used a combination of web crawling, Shodan, SSL data mining, and some internal tools. However, as the report highlights:

Lacework will not release any company information or details on specifics around discovered hosts. Additionally, no access was attempted to any of the nodes that were open.


Back to the results: the study revealed an alarming number of open management interfaces and APIs with no authentication whatsoever. Some of the systems found were still being set up; others, however, were in full production.

The high-level findings reported in the Lacework research were:

  • 22,672 open admin dashboards discovered on the internet
  • 95% hosted inside of Amazon Web Services (AWS)
  • 55% hosted in an AWS region within the US (US-EAST most popular)
  • 300 open admin dashboards with no credentials

Kubernetes for the win (or loss)

According to the study, Kubernetes is the most commonly used platform, as you can see in the figure below:

What is most concerning, however, is the number of issues the study found. Namely:

  • Open dashboards that were in the midst of being set up
  • Open dashboards with no authentication
  • Open dashboards that possibly could be brute forced
  • Information disclosure about the organizations that have deployed Kubernetes

Furthermore, the Lacework research team found that Healthz, a container health-check service from the Kubernetes ecosystem, appeared to be very popular. More significantly, and at the same time worryingly, the study found 38 servers exposing Healthz to the internet with no authentication. According to the Lacework study:

While it’s unclear whether you can perform full remote code execution (it looks like it could be set up), by default you can monitor workloads and even stop them from running via their UI.

Doctor, what should I do?

The Lacework study not only provides valuable data on the security status of containers but also offers useful recommendations for dealing with the issue. More precisely, concerning Kubernetes, the study recommends:

  • Configure your Kubernetes pods to run with read-only root file systems
  • Restrict privilege escalation in Kubernetes
  • Build a pod security policy
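As an added example that is not part of the article or the Lacework report, the following Python snippet audits pod specs for the first two recommendations. A deliberately weak pod and its hardened counterpart are written as the dictionaries you would get from parsing the manifest YAML (pod names and images are constructed for illustration). A PodSecurityPolicy enforced these same fields (readOnlyRootFilesystem, allowPrivilegeEscalation, privileged) cluster-wide at admission time; PodSecurityPolicy was removed in Kubernetes 1.25, so on current clusters the same enforcement belongs in Pod Security Admission or a third-party admission controller, and a check like this one is still useful in CI before manifests reach the cluster.

```python
"""Audit Kubernetes Pod specs for read-only root filesystems and
restricted privilege escalation (example code, not Lacework's)."""
from typing import Dict, List

# Constructed sample: a pod as it is often written, with no securityContext
# on the main container and a privileged sidecar.
WEAK_POD: Dict = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web-weak"},
    "spec": {
        "containers": [
            {"name": "web", "image": "nginx:1.25"},
            {
                "name": "sidecar",
                "image": "busybox:1.36",
                "securityContext": {"privileged": True},
            },
        ]
    },
}

# The same workload with the recommended settings. A read-only root
# filesystem needs an explicit writable volume for anything the process
# must write, so /tmp is backed by an emptyDir.
HARDENED_POD: Dict = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web-hardened"},
    "spec": {
        "containers": [
            {
                "name": "web",
                "image": "nginx:1.25",
                "securityContext": {
                    "readOnlyRootFilesystem": True,
                    "allowPrivilegeEscalation": False,
                    "privileged": False,
                },
                "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
            }
        ],
        "volumes": [{"name": "tmp", "emptyDir": {}}],
    },
}


def audit_pod(pod: Dict) -> List[str]:
    """Return one finding per violated setting, across all containers.

    Missing fields count as violations: Kubernetes does not default
    readOnlyRootFilesystem to true, and a container that does not set
    allowPrivilegeEscalation: false can still gain privileges via setuid
    binaries or file capabilities.
    """
    findings: List[str] = []
    pod_name = pod.get("metadata", {}).get("name", "<unnamed>")
    spec = pod.get("spec", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    for container in containers:
        ctx = container.get("securityContext") or {}
        label = f"{pod_name}/{container.get('name', '?')}"
        if ctx.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{label}: readOnlyRootFilesystem is not true")
        if ctx.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{label}: allowPrivilegeEscalation is not false")
        if ctx.get("privileged") is True:
            findings.append(f"{label}: container runs privileged")
    return findings


if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        name = pod["metadata"]["name"]
        problems = audit_pod(pod)
        print(f"{name}: {'OK' if not problems else ''}")
        for problem in problems:
            print(f"  - {problem}")
```

Run it against the manifests in a repository (parse each YAML document into a dict first) and fail the pipeline when `audit_pod` returns anything; the hardened pod above passes, the weak one produces five findings.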


Additionally, it recommends:

  • Regardless of network policy, use MFA for all access
  • Apply strict controls to network access, especially for UI and API ports
  • Use TLS (SSL) on all servers, with valid certificates and proper expiration and enforcement policies
  • Investigate VPN (bastion), reverse proxy or direct connect connections to sensitive servers
  • Look into products and services such as Lacework to discover, detect, prevent, and secure your container services

Do you find these recommendations practical? Have you employed your own solutions? Let us know!


Eirini-Eleni Papadopoulou
Eirini-Eleni Papadopoulou was the editor for Coming from an academic background in East Asian Studies, she decided that it was time to go back to her high-school hobby that was computer science and she dived into the development world. Other hobbies include esports and League of Legends, although she never managed to escape elo hell (yet), and she is a guest writer/analyst for competitive LoL at TGH.
