In the cloud-native era, the "four challenges" and "two keys" of container security

Enterprise 2021-03-18 19:04:02 views: null

Head picture.png

Author | Kuang Dahu
Source | Alibaba Cloud Native Official Account

Container security challenges in cloud-native processes

The enthusiasm of cloud native has brought about technological innovations such as enterprise infrastructure and application architecture. Under the general trend of cloud native, more and more enterprises choose to embrace cloud native. In the CNCF 2020 annual survey report, 83% have been Of organizations choose Kubernetes in the production environment. Containers have become the standard for application delivery and the delivery unit of computing resources and supporting facilities in the cloud-native era. Obviously, containers have become the standard for application delivery and the delivery unit of computing resources and supporting facilities in the cloud-native era.

However, due to natural deficiencies in isolation and security, security has always been one of the core issues that enterprises pay attention to in the process of container transformation. In the cloud-native era, what new container security challenges will enterprises face?

  • Lack of systematic container security capability building: Traditional enterprise application security models usually divide the corresponding security boundaries based on different trust domains in the internal architecture. The east-west service interaction in the trust domain is considered safe. After going to the cloud, enterprise applications need to be deployed and interacted on IDC and the cloud. After the physical security boundary disappears, how to build an enterprise-level container security system under the zero-trust network security model is an important issue that cloud service providers need to solve.

  • More detailed aspects: application deployment based on container technology relies on features such as Linux kernel namespaces and cgroups. From the perspective of the hacker, you can take advantage of kernel system vulnerabilities, container runtime components, and container application deployment configurations, etc. Dimension initiated targeted escape and ultra vires. Open source communities such as K8s, Docker, Istio, etc. have also exploded a lot of high-risk vulnerabilities in recent years, all of which provide opportunities for *** makers.

  • Lack of security protection methods for the entire life cycle of the application side: While container technology provides the characteristics of flexibility, agility, and dynamic scalability for enterprise application architecture, it also changes the deployment mode of applications. First of all, the life cycle of the application itself has been greatly shortened. The life cycle of a container application is usually on the order of minutes. At the same time, with the improvement of infrastructure capabilities such as storage networks and heterogeneous resource utilization, the deployment density of container applications has also increased. The higher the coming, the traditional security protection strategies and monitoring and warning methods oriented to the virtual machine dimension can no longer meet the needs of container technology.

  • Lack of understanding of the security responsibility sharing model on the cloud: The security of enterprise applications after the cloud needs to follow the responsibility sharing model. During the transformation of the cloud native language of the enterprise application architecture, enterprise application managers and security operation and maintenance personnel need to understand the enterprise The boundary of responsibility between itself and the cloud service provider. In this process, cloud service providers are also required to export more comprehensive container security best practices to the enterprise application side, improve the ease of use of security capabilities, and lower the threshold for use.

The basic principles of building a container security system

In order to meet the security challenges of the aforementioned enterprise applications in the process of containerization, cloud service providers and enterprise application security management operation and maintenance personnel need to work together to build a container application security system:

1.jpg

Figure 1-ACK container service security responsibility sharing model

1. Cloud service supply side

For cloud service providers , first rely on the cloud platform's own security capabilities to build a safe and stable container infrastructure platform, and build corresponding security protection methods for the entire life cycle of container applications from construction, deployment to runtime. The construction of the entire security system needs to follow the following basic principles:

1) Ensure the default security of the infrastructure layer of the container management and control platform

The container platform infrastructure layer carries the management and control services of enterprise applications, which is the key to ensuring the normal operation of business applications. The security of the container platform should be paid special attention to by cloud service providers.

  • Complete platform security capabilities: First, the security of the cloud service provider’s own infrastructure is the basis for the security of the container platform, such as the security configuration capabilities of VPC, SLB access control, DDoS capabilities, and account system access control capabilities to cloud resources. It is the basic security capability that the platform side provides to enterprise applications.

  • Version update and vulnerability emergency response mechanism: The version update of the virtual machine OS and the ability to install vulnerability patches are also basic protection measures to ensure infrastructure security. In addition, risk vulnerabilities in container-related open source communities such as K8s may become malicious* The ** path preferred by the ** requires the vendor to provide a grading response mechanism for vulnerabilities and provide the necessary version upgrade capabilities.

  • Platform security compliance: This is also a hard prerequisite for many financial companies and government departments to apply to the cloud. Cloud service providers need to ensure the default security of service component configuration based on the industry's common security compliance standards, and provide a complete audit mechanism for platform users and security auditors.

2) Provide defense-in-depth capabilities to the container application side

Cloud service providers not only need to establish complete security arms on their own management and control side, but also need to face business application loads, provide security protection methods suitable for container applications in cloud-native scenarios, and help end users to have corresponding at all stages of the application life cycle Security governance program. Because cloud native has the characteristics of dynamic and flexible infrastructure, distributed application architecture, and innovative application delivery operation and maintenance methods, this requires cloud service providers to combine the basic security capabilities of their own platforms to empower traditional cloud native capabilities. In the security model of, build a new cloud-native security architecture.

2. Enterprise security side

For enterprise security management and operation and maintenance personnel, it is first necessary to understand the boundaries of the cloud security responsibility sharing model, and what security responsibilities the enterprise needs to bear. Under the cloud-native microservice architecture, enterprise applications are deployed and interacted on IDC and the cloud. The traditional network security boundary no longer exists. The network security architecture on the enterprise application side needs to follow the zero-trust security model and reconstruct access control based on authentication and authorization. Foundation of trust. For enterprise security managers, you can refer to the following directions to strengthen production safety in the life cycle of enterprise applications:

  • Ensure the supply chain security of application products

The development of cloud native has enabled more and more large-scale container applications to be deployed in enterprise production environments, and has greatly enriched the diversity of cloud native application products. Container images and helm charts are common product formats. For enterprises, the security of the product supply chain is the source of the security of enterprise application production. On the one hand, the security of the product needs to be ensured during the application construction phase; on the other hand, the corresponding access control needs to be established at the time of product storage, distribution and deployment. , Security scanning, auditing and access verification mechanisms to ensure the security of the source of the product.

  • Permission configuration and credential issuance follow the principle of minimum permissions

Authentication and authorization based on a unified identity system is the basis for building access control capabilities under the zero-trust security model. For enterprise security managers, it is necessary to use the access control capabilities provided by cloud service providers, combine with the enterprise's internal authority account system, and strictly follow the principle of minimum authority to configure access control policies for cloud resources and container-side application resources; in addition, strict Control the issuance of resource access vouchers, and revoke the issued vouchers that may cause unauthorized behavior. In addition, it is necessary to avoid container application template configuration such as privileged container with excessive permissions, and ensure that the security aspect is minimized.

  • Pay attention to application data and application security at all times

The successful deployment of the application does not mean the end of the security work. In addition to fully configured resource request auditing, security management operation and maintenance personnel also need to use the runtime monitoring alarms and event notification mechanisms provided by the manufacturer to maintain attention to the security of the container application runtime, and discover security incidents and possible events in time Security risks. For sensitive data that enterprise applications rely on (such as database passwords, application certificate private keys, etc.), the corresponding key encryption mechanism needs to be adopted according to the security level of the application data, using cloud key management schemes and disk encryption, confidential computing, etc. Ability to ensure data security on the link of data transmission and storage.

  • Fix security vulnerabilities and update version in time

Whether it is a virtual machine system, container image, or the security vulnerabilities of the container platform itself, it may be used by malicious actors to become a springboard inside the application. Enterprise security management operation and maintenance personnel need to follow the guidance recommended by the cloud service provider The program carries out security vulnerabilities repairs and version updates (such as K8s cluster version, application mirror version, etc.). In addition, the company should be responsible for the safety training of internal employees, be prepared for danger in times of peace, and enhance the awareness of safety protection is also the basic priority of the company's safe production.

End-to-end cloud-native container security architecture

Alibaba Cloud ACK Container Service has built a complete container security system for a broad range of enterprise-level customers, providing end-to-end application security capabilities. In this year's Forrester IaaS security evaluation, Alibaba Cloud's container security capabilities tied with Google for full marks, leading other vendors . The following figure shows the security architecture of Alibaba Cloud Container Service:

2.jpg
Figure 2-ACK container service security architecture diagram

First of all, the entire container security system relies on Alibaba Cloud's strong platform security capabilities, including physical/hardware/virtualization and cloud product security capabilities, to build a solid platform security base.

Above the cloud platform security layer is the container infrastructure security layer. The container infrastructure carries the management and control capabilities of enterprise container applications, and its default security is an important foundation for the stable operation of applications. First of all, the Alibaba Cloud operating system team has done a lot of security hardening related work for the cluster host node OS image itself. Alibaba Cloud Linux 2 (formerly Aliyun Linux 2) is not only the official operating system image of Alibaba Cloud , but also the preferred default system image for ACK. Alibaba Cloud Linux 2 officially passed all certification procedures of the CIS organization on August 16, 2019 and released the corresponding CIS Aliyun Linux 2 Benchmark version 1.0.0 . ACK is supporting the CIS security hardening of clusters based on the Alibaba Cloud Linux operating system to meet the needs of simple, fast, stable and safe use. In addition to CIS compliance, in January 2021, ACK has officially supported iso- guarantee reinforcement for clusters based on the Alibaba Cloud Linux operating system .

On the container management and control side, Alibaba Cloud Container Service implements default security hardening for the configuration of container management and control plane components based on industry security standard baselines such as CIS and Kubernetes. At the same time, it follows the principle of minimizing permissions to converge and minimize the default permissions of management and control plane system components and cluster nodes* **surface. In March, the CIS Kubernetes benchmark for ACK submitted by Alibaba Cloud Container Service officially passed the certification audit of the CIS community organization, becoming the first cloud service provider in China to publish the CIS Kubernetes international security standard baseline .

A unified identity system and access control policy model are the core of building a security architecture under the zero-trust security model. The ACK control side is connected to the Alibaba Cloud RAM account system, providing an automated operation and maintenance system based on a unified identity model and cluster certificate access credentials At the same time, in the face of the risk of user credential leakage, an innovative solution for user credential revocation is proposed to help enterprise security managers revoke the cluster access credential that may be leaked in a timely manner to avoid unauthorized access incidents.

For key security elements on the interactive access links of enterprise applications such as key management, access control, and log auditing, ACK Container Service also provides corresponding platform-side security capabilities:

  • Access control: ACK provides access control capabilities for application resources in the cluster based on the K8s RBAC policy model . On the premise of ensuring the security of non-primary accounts or cluster creators without permissions by default, cluster administrators can use the console or OpenAPI to control the specified Sub-accounts or RAM roles perform batch RBAC authorization in the cluster and account dimensions. ACK provides four preset permission templates for common enterprise authorization scenarios, which further reduces the user's learning cost of RBAC and K8s resource models. For the cluster access credential serviceaccount that is usually relied on in application containers, the ACK cluster supports enabling the token volume projection feature for serviceaccount , supports binding the audience identity to the sa token configuration, and supports the expiration time setting, which further improves the application's control surface apiserver Access control capabilities.

  • Key management: In response to the requirements of enterprise customers for data security, autonomy and compliance, the ACK Pro cluster supports the encryption capability of K8s Secret , and also supports the use of BYOK's cloud disk encryption capability to ensure that the core data of the enterprise is safe to go to the cloud; At the same time, the ACK cluster supports real-time synchronization of the user 's sensitive information hosted in the Alibaba Cloud KMS credential manager to the application cluster. The user can directly mount the designated secret instance for credential synchronization in the K8s application, which further avoids the hard-working of application sensitive information. Encoding problem.

  • Log audit: In addition to supporting K8s cluster audit audit , controlplane  control plane component log and other basic management control plane log collection, ACK also supports log audit of Ingress traffic and abnormal event alarm based on NPD plugin . The above log auditing capabilities are all connected to the Alibaba Cloud SLS log service. The fast retrieval, log analysis, and rich dashboard display capabilities provided by the SLS service greatly reduce the difficulty of container application development, operation and maintenance and security audits.

 Facing the security challenges of the container application layer in the supply chain and runtime, Alibaba Cloud provides a full range of security capabilities covering the entire life cycle from container application construction, deployment to operation:

3.jpg
Figure 3-ACK container service application life cycle security capabilities

  • Application construction phase

According to Prevasio's survey of 4 million container images hosted on Docker Hub , 51% of the images have high-risk vulnerabilities; in addition, 6432 images were detected to contain malicious *** or mining programs, and only these 6432 malicious The mirror has been downloaded 300 million times.

How to deal with these security challenges lurking in image products? On the one hand, enterprise application developers are required to use trusted basic images when building application images, standardize the image construction process, and ensure that the image is minimized; on the other hand, Ali Cloud ACR container image service In view of the security risks in the image construction process, it provides basic capabilities such as warehouse access control, operation auditing, and image security scanning. Mirror security scanning is the basic means for users to actively discover security vulnerabilities. ACR Container Mirroring Service and Alibaba Cloud Security Center provide different versions of the mirror vulnerability database. While supporting mirror deep scanning, it also has the ability to update the vulnerability database in real time, satisfying enterprises Security compliance requirements. In Alibaba Cloud Container Image Service Enterprise Edition, you can also create and manage delivery chain instances, freely combine security scanning and distribution processes and build them into automated tasks, and automatically intercept images containing vulnerabilities to ensure the security of images distributed to the warehouse. .

In the image building process, in addition to timely discovery of image vulnerabilities, how to ensure that the image is not maliciously tampered at the time of distribution and deployment is also an important security protection method, which requires the integrity of the image to be verified. In the instance of Alibaba Cloud Container Service Enterprise Edition, corporate security managers can configure signature rules to automatically signature and push to the image in the warehouse with the specified KMS key.

  • Application deployment moment

The native admission mechanism of K8s provides a natural verification mechanism at the moment of application deployment.

Abusing privileged containers, mounting sensitive directories, and starting the container as the root user, these common application template configurations are likely to become a springboard for the escape of the container. The native PSP model of K8s restricts the security behavior of the application container at runtime by means of policy definitions. The ACK container service provides cluster-oriented policy management functions to help corporate security operations personnel customize PSP policy instances according to different security requirements, and bind them to the specified ServiceAccount at the same time. The one-click switch of PSP features is also blocked for users Its complicated configuration threshold. In addition, ACK container service also supports the installation and management of gatekeeper components, and users can customize security policies based on the richer scenarios of the OPA policy engine.

In response to the security verification requirements of application mirroring at the time of deployment, Google took the lead in proposing a  productized solution for Binary Authorization in 18 years . The ACK container service also officially launched the image signature and verification capabilities at the time of application deployment at the beginning of last year. By installing customized kritis components, enterprise security operation and maintenance personnel can ensure the security of application deployment images through customized signature verification strategies and prevent malicious images that have been tampered with from being deployed to the enterprise production environment.

4.jpg
Figure 4-Consistent security policy management

  • Application runtime

The stable operation of enterprise applications is inseparable from security protection measures at runtime. ACK Container Service cooperates with the Cloud Security Center team to conduct real-time monitoring and alerting of common runtime behaviors such as container internal security, container escape, viruses and malicious programs, and abnormal network connections . At the same time, the cloud security center also provides Traceability and *** analysis capabilities for alarm events. At the same time, ACK Container Service provides one-click free security inspection capabilities for applications running in the cluster based on industry security baselines and best practices . Through inspection tasks, it promptly exposes the health checks/resource restrictions/restrictions of running container applications. Network security parameters/security parameters and other dangerous configurations that do not meet the baseline requirements, and prompt the user to repair suggestions to avoid possible accidents.

For enterprise customers with higher requirements for security isolation, you can choose to use a secure sandbox container cluster . The secure sandbox container is implemented based on lightweight virtualization technology. The application runs in an independent kernel and has better security isolation capabilities. Information application isolation, fault isolation, performance isolation, load isolation between multiple users and other scenarios.

For financial payment, blockchain and other scenarios that have strong security requirements for the completeness, integrity and confidentiality of the data calculation process, you can choose to deploy and use the ACK-TEE confidential computing hosting cluster , where the confidential computing is based on Intel SGX technology and supports Prevent important data and code from being exposed to other parts of the system in a special Trusted Execution Environment (TEE). Other applications, BIOS, OS, Kernel, administrators, operation and maintenance personnel, cloud service providers, and even hardware other than the CPU cannot access confidential computing platform data, greatly reducing the risk of sensitive data leakage.

5.jpg
Figure 5-Container application security configuration inspection

6.jpg
Figure 6-Security monitoring of container applications at runtime

Security is the primary concern for enterprises to go to the cloud

Security is the primary concern of enterprises going to the cloud. With the redefinition of cloud-native computing infrastructure and enterprise application architecture, containers, as the new interface of the cloud, will also follow the trend of cloud-native development and develop in a more secure and reliable direction. In the future, Alibaba Cloud Container Service will always aim to "make enterprises go to the cloud with peace of mind, and use the cloud with peace of mind", maintain world-class competitiveness in the field of container security, and continue to consolidate its own infrastructure security to provide customers with application security. Escort.

Reference

Guess you like

Origin blog.51cto.com/13778063/2663050
Recommended
The United States plans to restrict the export of large AI models to China and Russia
Apple to reach agreement with OpenAI to bring ChatGPT to iPhone
Ranking
whisper-webui installation tutorial is silky and easy to use
[Base] Laravel concepts laravel basis, the custom service provider: Contracts, ServiceContainer, ServiceProvider, Facades relations
Import torchvision error problem solving DLL: module not found
observer & watch & notify = pub & sub
A small turntable program [HTML + CSS + JS]
CorelDRAW 2018 shortcuts Daquan
Supervise el botón de menú para lograr un gatillo de presión prolongada
JS将时间秒转换成天小时分钟秒的字符串
RIP basic configuration
[Deleted] solution to a problem a few questions (Noip1994)
Daily
More
2024-05-11(32)
2024-05-10(34)
2024-05-09(32)
2024-05-08(18)
2024-05-07(34)
2024-05-06(6)
2024-05-05(0)
2024-05-04(18)
2024-05-03(8)
2024-05-02(0)

Code World

© 2018 codetd.com