Application Containers and Information Centric Security

Please consider the following quote by Grace Hopper, "Some day, on the corporate balance sheet, there will be an entry which reads, 'Information'; for in most cases, the information is more valuable than the hardware which processes it."As an information security manager, it is critical to understand and to be able to help others understand the value of information. In addition to richly valuable information such as intellectual property (patents, trademarks, copyrights, know how, data schema) there is also data, including the increasingly important business record. Is the uniform approach to Defense-in-Depth appropriate when it comes to information?

Information centric, is another way to think of the defense-in-depth concept. Think of concentric rings - at the center of the diagram is your information. However, the center can be anything you value or the answer to the question, "What are you trying to protect?" Around that center you build successive layers of protection. In the diagram, the protection layers are shown as blue rings. In this example, your information is protected by your application. The application is protected by the security of the host it resides on, and so on. In order to successfully get your information, an attacker would have to penetrate through your network, your host, your application, and finally your information protection layers.

Information centric defense starts with an awareness of the value of each section of information within an organization. Identify the most valuable information and implement controls to prevent non-authorized employees from accessing it. A good starting point is to identify your organization's intellectual property, restrict it to a single section of the network, assign a single group of system administrators to it, mark the data, and thoroughly check for this level of data leaving your network.

Containers and Application containers potentially add a new "ring" of protection. According to computerworld, "Application containerization is an OS-level virtualization method for deploying and running distributed applications without launching an entire virtual machine (VM) for each app. Instead, multiple isolated systems are run on a single control host and access a single kernel.

Application containers hold components such as files, environment variables and libraries necessary to run the desired software. Because resources are shared in this way, application containers can be created that place less strain on the overall resources available.

Containers are an attractive option for developers craving for a seamless transition when they move software from one computing environment into another – from staging, testing to production."

But for all their advantages they also present new risks, according to Alderman from Tenable to mitigate, we must:

As new tools and techniques are being developed, Alderman gave some traditional approaches that companies can implement as initial steps to safeguarding their application containers:

1.         Enumerate all container images - Inventory all of your container images to understand what’s running in the environment. If a security flaw is detected in one container image, you’ll understand where these images are running for remediation activities.

2.         Secure the container host - Host vulnerabilities, exploits, and misconfigurations are now accessible across all containers. A single container exploiting the host will take down the whole host.

3.         Verify security of embedded libraries - This will prevent known vulnerabilities in embedded libraries from being deployed in container images.

4.         Limit user privileges in container images - If you’re root in the container, you’ll be root on the host. An attacker who hijacks a container will have access to the privileges of the container. Minimize root and root escalation privileges.