More than 22,000 container orchestration and API management systems are unprotected or publicly available on the internet, according to research from Lacework.
According to reports, the containers suffer from poorly configured resources, lack of credentials and the use of non-secure protocols. As a result, hackers can remotely access the infrastructure to install, remove or encrypt any application that the company is running in the cloud. In total, Lacework found 22,672 open admin dashboards on the web; and more than 300 of them were unprotected by any credentials whatsoever. Tim Mackey, Senior Technical Evangelist at Black Duck by Synopsys commented below.
Tim Mackey, Senior Technical Evangelist at Black Duck by Synopsys:
“The single most important item any administrator should have for their applications, be they containerised or container orchestration systems, is a sound authentication and authorisation model. While Lacework identified over 21,000 public cloud interface portals, other than identifying 305 sites with no authentication, no indication was provided as to the overall health of the authentication models used by the identified sites. While Lacework indicates in their research a preference for administrative consoles to not be public facing, having poor authentication strategies within clusters accessed via bastion host or VPN is equally problematic as lateral movement within an organisation by definition occurs within an organisation.
“Properly securing container orchestration solutions requires a comprehensive review of the role the orchestration solution plays in an organisations service delivery plans. This includes authentication, but also role and user authorisation, quota management, activity logs and proper segmentation of resources to minimise the potential for lateral movement or container breakouts in any attack. Any container security strategy must include an understanding of how trust is created within the system and how the transfer of risk throughout the applications’ lifecycle occurs. This includes an understanding of the origin of the container images, their patch state and under what conditions those images can launch to create a running application. Importantly, container orchestration systems have roles based access models which can limit the ability of any given user to launch, modify a running application or otherwise act on data within an application. This then means that an attackers’ ability to compromise a system is a function of the account they’ve compromised. With the level of scale container orchestration provides, and with containers having potentially transient lifespans, a thorough understanding of what is running in a cluster at any point in time becomes paramount. It is only at that point where detection of compromise becomes possible.”
