Frost & Sullivan, in collaboration with LeadLeo Research, released the '2022 China Container Security Market Report', tracking the development trends of the container security market

Published: 2022/10/25

Frost & Sullivan, in conjunction with LeadLeo Research Institute, released the "2022 China Container Security Market Report". The report studies the 2022 China container security market, focusing on product capabilities such as image security, container isolation, and container cluster security. The research period covers the first half of 2022.

This research project focuses on organizing information on the application characteristics, market features, development history, and competitive landscape of container security platforms in fields such as finance, internet, retail, culture and entertainment, telecommunications, energy, logistics, transportation, manufacturing, healthcare, and government affairs. It also offers projections of market development prospects along the dimensions of value creation and technological development.

How to help enterprises capture as much of the value of technologies such as containers as possible while reducing the security costs of container use is a goal that vendors in the container security field compete to achieve.

Virtual machine architecture starts at the operating system layer, establishing an independent sandboxed execution environment capable of running an entire operating system.

Container architecture packages the program code, libraries, and environment configuration files an application needs directly into a sandboxed execution environment. The concepts of 'packaging' and 'standardization' reflect the demand for 'portability', 'agility', and 'resilience'.

Each application in a virtual machine has its own independent kernel and enjoys complete isolation at the software level. Each application in a container shares the host's kernel and has only process-level isolation; if the configuration is not carefully managed, containers can interact with each other directly.

Virtual machines and containers serve two different needs, and every advantage has a corresponding cost: containers are significantly more lightweight, but the price is the native security risk of incomplete resource isolation and the reduced data visibility that comes with 'packaged' services.

As cloud-native systems continue to penetrate industries, helping enterprises capture as much of the value of technologies such as containers as possible while reducing the security costs of container use is a goal that vendors in the container security market compete to achieve.

Container security requires addressing the attack surfaces of the host layer, Docker layer, container layer, and application layer simultaneously. For enterprises and security vendors, a thorough understanding of the container environment and attack conditions is the first step in establishing a defense system.

This document analyzes the operating mechanism of containers and the components of their architecture. Compared with traditional platforms, the container ecosystem involves more components, tools, and code paths. Container users need a dedicated full-stack security approach to address the security requirements of containerized applications during build, deployment, and operation. At the same time, the rapid and widespread adoption of containers creates an opportunity to 'shift security left': protecting containers from development through CI/CD pipelines to runtime, and building a bridge between development and security teams.

ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a knowledge base of adversary behavior and a threat modeling framework. The container and image ATT&CK matrix covers attacks at the Kubernetes orchestration layer, Docker container layer, and application layer, as well as container-related malware threats.

For enterprises and security vendors, fully understanding the container environment and attack landscape is the first step in establishing a defense system. Enterprise users can run container ATT&CK simulations as red-team/blue-team exercises to understand the security risks and key attack vectors in Kubernetes, and on that basis develop detection and mitigation strategies that address those risks and provide comprehensive protection.

Container security is still in its infancy and must overcome the dual threats of old and new technologies: unknown risks, widespread image vulnerabilities, and low data observability, among other challenges. Traditional security protection measures are no longer suited to cloud-native environments.

From the attacker's perspective, the attack path against containers offers a wide range of selectable attack vectors and methods, and lateral movement readily multiplies the value of an intrusion. In contrast to this 'low threshold, high reward' characteristic of the attack side, containers are 'thorny and difficult to traverse' from the perspective of security defense. Container security is still in its infancy and must overcome several major challenges:

  • Dual threats from old and new technologies, and unknown risks

Traditional attack methods, including vulnerability exploitation, brute-force cracking, and privilege escalation, also work against containers. At the same time, the set of cloud-native technologies means containers carry a large number of unknown risks, as attackers continually develop new methods such as image poisoning, container escape, and abuse of cluster API calls. Container protection requires defense strategies tailored to container environments.

  • Image vulnerabilities are widespread

Since an image is essentially a static archive file, containers must be updated and redeployed from upstream images. A common risk in container environments is that the image version in use contains vulnerabilities, which can lead to the deployed containers being compromised. Images on Docker Hub generally contain vulnerabilities of varying severity, and these security risks may be exploited maliciously.
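
One defender-side control for the image risk above is an admission gate that refuses images referenced by a mutable tag or carrying severe findings from a vulnerability scan. The Python below is an added example written for this page, not code from the report or any vendor it names; the image references, package names and vulnerability identifiers are constructed placeholders, and the severity thresholds (block on CRITICAL, block on HIGH only when a fix exists) are assumptions a real policy would tune.

```python
"""Image admission gate driven by vulnerability-scan results.

Added example, not code from the report or from any vendor it names. The
image references, packages and vulnerability identifiers are constructed
placeholders; a real gate would consume a scanner's JSON output instead.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass
class Finding:
    vuln_id: str                         # scanner identifier (placeholder here)
    package: str
    severity: str                        # key of SEVERITY_RANK
    fixed_version: Optional[str] = None  # None when no fixed package exists yet


@dataclass
class Decision:
    image: str
    allowed: bool = True
    reasons: List[str] = field(default_factory=list)


def parse_image_ref(ref: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Split 'name[:tag][@sha256:<hex>]' into (name, tag, digest).

    A ':' that is followed by a '/' belongs to a registry port, not a tag,
    so 'localhost:5000/app' has no tag.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    name, tag = ref, None
    sep = ref.rfind(":")
    if sep != -1 and "/" not in ref[sep:]:
        name, tag = ref[:sep], ref[sep + 1:]
    return name, tag, digest


def evaluate_image(ref: str, findings: List[Finding],
                   block_at: str = "CRITICAL",
                   block_fixable_at: str = "HIGH") -> Decision:
    """Gate policy for one image (thresholds are assumptions).

    * No digest and a missing or 'latest' tag: rejected, because the tag can
      be re-pushed upstream so the deployed bytes may differ from the scan.
    * Any finding at or above block_at: rejected.
    * A finding at or above block_fixable_at: rejected only if a fix exists;
      unfixable ones are recorded so they can be tracked.
    """
    _, tag, digest = parse_image_ref(ref)
    d = Decision(image=ref)
    if digest is None:
        if tag in (None, "latest"):
            d.allowed = False
            d.reasons.append("mutable reference: no digest, tag %s" % (tag or "<none>"))
        else:
            d.reasons.append("tag %s is not pinned by digest" % tag)
    for f in findings:
        rank = SEVERITY_RANK.get(f.severity.upper(), 0)
        label = "%s %s in %s" % (f.severity, f.vuln_id, f.package)
        if rank >= SEVERITY_RANK[block_at]:
            d.allowed = False
            d.reasons.append(label)
        elif rank >= SEVERITY_RANK[block_fixable_at] and f.fixed_version:
            d.allowed = False
            d.reasons.append(label + ", fix available: " + f.fixed_version)
        elif rank >= SEVERITY_RANK[block_fixable_at]:
            d.reasons.append(label + ", no fix yet (track)")
    return d


def gate(scan: Dict[str, List[Finding]]) -> Dict[str, Decision]:
    """Evaluate every scanned image; keys are image references."""
    return {ref: evaluate_image(ref, findings) for ref, findings in scan.items()}


# Constructed scan results (placeholder identifiers, not real CVEs).
API_REF = "registry.example.internal/team/api:2.4.1@sha256:" + "ab" * 32
WORKER_REF = "registry.example.internal/team/worker:2.4.1"
WEBAPP_REF = "docker.io/library/webapp:latest"
SAMPLE_SCAN = {
    WEBAPP_REF: [Finding("EXAMPLE-0001", "openssl", "CRITICAL", "3.0.8")],
    API_REF: [Finding("EXAMPLE-0002", "zlib", "HIGH"),
              Finding("EXAMPLE-0003", "curl", "MEDIUM", "8.1.0")],
    WORKER_REF: [Finding("EXAMPLE-0004", "glibc", "HIGH", "2.37-r3")],
}

if __name__ == "__main__":
    for ref, d in gate(SAMPLE_SCAN).items():
        print("ALLOW" if d.allowed else "BLOCK", ref)
        for r in d.reasons:
            print("   -", r)
```

In the constructed sample the digest-pinned `api` image passes with its unfixable HIGH finding recorded for tracking, while the `latest`-tagged image and the tag-only `worker` image (which has a fixable HIGH finding) are both blocked.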

  • Low data observability makes attack tracing difficult

Containers have short lifecycles and change rapidly: more than 50% of containers run for no more than one day from launch to decommissioning. In addition, the lightweight deployment model allows hundreds of containers to run on a single host simultaneously, greatly increasing total network traffic and the number of communication ports within a cluster. Application deployment density and the frequency of change in a containerized environment are far higher than in traditional environments, making the detection, tracking, and tracing of attack threats more difficult.

Because of the shared-kernel feature, containers face many security risks in multi-tenant scenarios. Going forward, service providers need to ensure user asset security by refining isolation levels and expanding isolation dimensions, among other measures.

The shared kernel exposes container technology to security vulnerabilities and limits its use cases. Cloud-native products are more commonly used in single-tenant scenarios, because container features alone cannot ensure runtime isolation, network isolation, image isolation, and other security measures in multi-tenant environments.

Container application security involves runtime isolation, image isolation, network isolation, disk storage isolation, and so on. To refine and deepen the degree of isolation, service providers can protect container users' assets by providing modes such as network policy isolation, storage isolation, and image reference isolation.
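
Network policy isolation only holds for pods that some NetworkPolicy actually selects; a pod that no policy selects is allowed all ingress by Kubernetes' default. The Python below is an added example, not code from the report or any vendor it names: it checks a constructed set of Kubernetes NetworkPolicy and pod objects for unselected pods and for namespaces that lack a default-deny ingress policy. It models only `matchLabels` selectors (an assumption noted in the code) and treats any `matchExpressions` selector as not providing coverage.

```python
"""Coverage check for Kubernetes NetworkPolicy isolation.

Added example, not from the report or any vendor it names. Policies and
pods are constructed dicts shaped like the Kubernetes API objects; only
matchLabels selectors are modelled (assumption), so a matchExpressions
selector is conservatively treated as not covering anything.
"""
from typing import Dict, List, Set, Tuple


def selector_matches(selector: dict, labels: Dict[str, str]) -> bool:
    """matchLabels semantics; an empty selector {} matches every pod."""
    selector = selector or {}
    if "matchExpressions" in selector:
        return False  # not modelled here, so never counted as coverage
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def policy_types(policy: dict) -> Set[str]:
    """Kubernetes defaulting: Ingress always applies; Egress only when
    policyTypes lists it or an egress section is present."""
    spec = policy["spec"]
    if spec.get("policyTypes"):
        return set(spec["policyTypes"])
    types = {"Ingress"}
    if "egress" in spec:
        types.add("Egress")
    return types


def is_default_deny(policy: dict, direction: str = "Ingress") -> bool:
    """True when the policy selects all pods in its namespace, applies to
    `direction`, and lists no rules for it (which denies all such traffic)."""
    spec = policy["spec"]
    sel = spec.get("podSelector") or {}
    selects_all = not sel.get("matchLabels") and not sel.get("matchExpressions")
    return (selects_all and direction in policy_types(policy)
            and not spec.get(direction.lower()))


def uncovered_pods(pods: List[dict], policies: List[dict],
                   direction: str = "Ingress") -> List[Tuple[str, str]]:
    """Pods that no policy of the given direction selects; Kubernetes then
    allows all traffic to (or from) them in that direction."""
    out = []
    for pod in pods:
        covered = any(
            p["metadata"]["namespace"] == pod["namespace"]
            and direction in policy_types(p)
            and selector_matches(p["spec"].get("podSelector"), pod["labels"])
            for p in policies)
        if not covered:
            out.append((pod["namespace"], pod["name"]))
    return out


def namespaces_without_default_deny(namespaces: List[str], policies: List[dict],
                                    direction: str = "Ingress") -> List[str]:
    protected = {p["metadata"]["namespace"] for p in policies if is_default_deny(p, direction)}
    return [ns for ns in namespaces if ns not in protected]


def _policy(name: str, namespace: str, pod_selector: dict, **spec) -> dict:
    """Build a NetworkPolicy-shaped dict (constructed test data)."""
    return {"metadata": {"name": name, "namespace": namespace},
            "spec": {"podSelector": pod_selector, **spec}}


# Constructed cluster state: 'payments' is isolated, 'web' partially, 'tools' not at all.
NAMESPACES = ["payments", "web", "tools"]
POLICIES = [
    _policy("default-deny-ingress", "payments", {}, policyTypes=["Ingress"]),
    _policy("allow-gateway", "payments", {"matchLabels": {"app": "api"}},
            ingress=[{"from": [{"podSelector": {"matchLabels": {"role": "gateway"}}}]}]),
    _policy("frontend-only", "web", {"matchLabels": {"app": "frontend"}},
            ingress=[{"ports": [{"port": 8080}]}]),
]
PODS = [
    {"namespace": "payments", "name": "api-0", "labels": {"app": "api"}},
    {"namespace": "payments", "name": "gateway-0", "labels": {"role": "gateway"}},
    {"namespace": "web", "name": "frontend-0", "labels": {"app": "frontend"}},
    {"namespace": "web", "name": "cache-0", "labels": {"app": "cache"}},
    {"namespace": "tools", "name": "debug-0", "labels": {"app": "debug"}},
]

if __name__ == "__main__":
    print("pods with no ingress policy:", uncovered_pods(PODS, POLICIES))
    print("namespaces without default-deny ingress:",
          namespaces_without_default_deny(NAMESPACES, POLICIES))
```

The two findings on the constructed data are what an isolation review is after: `web/cache-0` and `tools/debug-0` accept ingress from anywhere, and only `payments` starts from a deny-all baseline. Feeding the same functions with objects fetched from the API server (for example via the Kubernetes client's list calls) is the natural next step.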

In addition, the integrated application of container technology stacks and open-source security tools will effectively enhance the reach and coordination of isolation policies at the network, image, storage, and other levels.

The container security protection system needs to cover the entire lifecycle of container technology, with corresponding dynamic policies set for each stage: container planning, installation, configuration, deployment, operation and maintenance, and disposal.

In a survey on container usage experience, over 90% of users expressed concern about inherent vulnerabilities in container security that limit the use cases of container applications. Containers share the kernel of their host, and container technology itself is built on two key Linux kernel features: namespaces and cgroups. A vulnerability in the Linux kernel can therefore lead to container escape. During container runtime, attackers can infiltrate containers through malicious images and modifications to container configurations. At each stage of container configuration, deployment, and operations, business lines have specific needs, and security planning must span the entire lifecycle of container operations.
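
Several of the risks above (privileged containers, shared host namespaces, a modified container configuration that mounts the runtime socket) are visible in the Pod spec before anything runs, so a baseline check at the configuration stage catches them early. The Python below is an added example, not code from the report or any vendor it names: it evaluates two constructed Pod specs against a minimal baseline covering host namespaces, privileged mode, host-path and runtime-socket mounts, capability handling, seccomp, non-root execution and resource limits. The rule set and severities are assumptions; a complete policy would follow the Kubernetes Pod Security Standards.

```python
"""Baseline check of Kubernetes Pod specs for common container-escape enablers.

Added example, not from the report or any vendor it names. The pod specs are
constructed; the rules and severities are an assumed minimal baseline.
"""
from typing import Dict, List

HOST_SOCKETS = {"/var/run/docker.sock", "/run/containerd/containerd.sock",
                "/run/crio/crio.sock"}
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN",
                  "DAC_READ_SEARCH"}


def check_pod(pod: dict) -> List[Dict[str, str]]:
    """Return one record per violated rule: {scope, rule, severity, detail}."""
    findings: List[Dict[str, str]] = []
    spec = pod["spec"]
    pod_name = pod["metadata"]["name"]
    pod_sc = spec.get("securityContext") or {}

    def add(scope, rule, severity, detail):
        findings.append({"scope": scope, "rule": rule, "severity": severity, "detail": detail})

    # Pod-level: sharing a host namespace defeats the isolation containers rely on.
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            add(pod_name, flag, "high", "pod shares the host %s namespace" % flag[4:].lower())

    volumes = {v["name"]: v for v in spec.get("volumes", [])}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        scope = "%s/%s" % (pod_name, c["name"])
        sc = c.get("securityContext") or {}
        caps = sc.get("capabilities") or {}
        if sc.get("privileged"):
            add(scope, "privileged", "critical", "full host device and capability access")
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes default is true
            add(scope, "allowPrivilegeEscalation", "medium", "not false; setuid binaries can gain privileges")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            add(scope, "runAsNonRoot", "medium", "container may run as root")
        added = set(caps.get("add", [])) & DANGEROUS_CAPS
        if added:
            add(scope, "capabilities.add", "high", "adds %s" % ",".join(sorted(added)))
        if "ALL" not in caps.get("drop", []):
            add(scope, "capabilities.drop", "low", "does not drop ALL capabilities")
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            add(scope, "seccompProfile", "medium", "no seccomp profile; every syscall reachable")
        if not (c.get("resources") or {}).get("limits"):
            add(scope, "resources.limits", "low", "no CPU/memory limits; resource-exhaustion risk")
        for m in c.get("volumeMounts", []):
            path = ((volumes.get(m["name"]) or {}).get("hostPath") or {}).get("path")
            if path:  # a mounted runtime socket is control of every container on the node
                sev = "critical" if path in HOST_SOCKETS else "high"
                add(scope, "hostPath", sev, "mounts host path %s" % path)
    return findings


# Constructed specs: a typical over-privileged "debug agent" and a hardened service.
WEAK_POD = {
    "metadata": {"name": "debug-agent"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "dsock", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{
            "name": "agent", "image": "registry.example.internal/tools/agent:1.0",
            "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "dsock", "mountPath": "/var/run/docker.sock"}],
        }],
    },
}
HARDENED_POD = {
    "metadata": {"name": "api"},
    "spec": {
        "volumes": [{"name": "tmp", "emptyDir": {}}],
        "containers": [{
            "name": "api", "image": "registry.example.internal/team/api:2.4.1",
            "securityContext": {"allowPrivilegeEscalation": False, "runAsNonRoot": True,
                                "capabilities": {"drop": ["ALL"]},
                                "seccompProfile": {"type": "RuntimeDefault"}},
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
            "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
        }],
    },
}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        for f in check_pod(pod):
            print(f["severity"].upper(), f["scope"], f["rule"], "-", f["detail"])
```

The weak spec trips eight rules, with the Docker socket mount and `privileged: true` rated critical; the hardened spec trips none. Running such a check in CI or as an admission webhook is what puts the "configuration" and "deployment" stages of the lifecycle above under policy rather than leaving them to runtime detection.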

Frost & Sullivan, in collaboration with LeadLeo, conducted a multi-factor hierarchical assessment of competitiveness in China's container security market along two evaluation dimensions: a growth index and an innovation index. The assessment covered seven key indicators: container host security, container cluster security, container software security, container image security, container runtime security posture, cloud-native capabilities, and market performance. Based on the combined score of the 'Innovation Index' and 'Growth Index', Qingteng Cloud Security, Tencent Security, LittleYoo Technology, and Boyun rank among the leaders in China's container security market.

Qingteng Cloud Security: Qingteng Hive is a cloud-native security platform developed independently by Qingteng, supporting smooth integration of security capabilities into the complex and ever-changing cloud-native environment, including Kubernetes, PaaS cloud platforms, OpenShift, Jenkins, Harbor, JFrog, and other environments. By providing a one-stop container security solution covering the entire lifecycle, Qingteng Hive builds a closed loop of prediction, defense, detection, and response for container security. Qingteng's "124" cloud-native security framework is grounded in practice: it follows one system (DevOps), focuses on two directions (Dev, build time; Ops, run time), and rests on four links (secure development, security testing, security management, and security operations), covering the entire container security lifecycle.

Tencent Security: Tencent Security works with the container PaaS team and the operating system team to provide unified, security-optimized base system images, standardize the process of building business images, integrate DevOps concepts and methods, formulate container security baseline policies, and guide users in implementing container runtime access control, intrusion prevention, and so on, based on the characteristics of their business images and clusters. In addition, Tencent Security integrates micro-segmentation technology, customizes network access policies per cluster, supports custom access control for protocols and ports based on pods, namespaces, IPs, and so on, and explores differentiated security strategies for image signature verification, cluster isolation, and other aspects.

Xiaoyou Technology: Xiaoyou Technology focuses on building China's cloud-native security industry, integrating cloud-native technology with security technology. It has launched its self-built secure base image library, the 'Golden Image Library', to create a systematic product matrix, providing cloud-native security solutions ranging from deep image scanning, container runtime security, and cluster security to microservice security, and building a unified cloud-native security operations management center for users.

Boyun: BKS addresses hybrid cloud-native security across physical machines, virtual machines, containers, and more, based on six dimensions: runtime security, operating environment security, operational ecosystem security, image security, adaptive security, and full-lifecycle security.