Why container orchestration platforms risk data exposure

The risks of container orchestration platforms

Most container orchestration platforms have a number of exposed interfaces, some of which are designed for programmatic access via APIs, and others that are more traditional, web-based administrative or deployment consoles. There are significant risks to any of these falling into the wrong hands.

First, there's always the risk of data exposure. Container orchestration APIs may accept or transmit infrastructure details, source code repository information, container build configurations and much more. By exposing these APIs directly to the internet, organizations could be permitting unauthorized access.

Second, administrative and deployment consoles could enable an attacker to perform a wide range of malicious actions. These might include harvesting credentials and keys that are stored or are accessible through these systems, modifying deployment configurations or planting backdoor access into containers, revoking legitimate access from users and admins, or simply deploying containers for illicit gains, such as cryptocurrency mining, password cracking or spamming.

Why expose these systems to the internet?

At the heart of the issue is that there is no good reason for any of these systems to be directly exposed to the internet at all. The only reason this happens is laziness, or when developers and admins don't want to follow some additional steps to securely deploy a production architecture in the cloud -- or on premises, for that matter.

Critical systems that provide privileged access and control over the deployment of computing assets should never be directly accessible on the internet with no additional access controls. For most security professionals, a bare minimum level of access control would include a separate reverse proxy or jump host -- often called a bastion host -- that must be accessed first. This server would be incredibly locked down, allowing only SSH access with key-based authentication or something similar. From this system, admins could then authenticate to their container orchestration platforms.

In addition to having a jump host, strong authentication controls should be implemented, including key-based remote access for SSH, if applicable, and multifactor authentication using certificates or changing token codes and complex passwords. All the major orchestration platforms also support some degree of role-based access, so applying a least privilege approach is also prudent.

If there is some compelling business reason to place one of these systems on the internet without an intermediary jump host in front of it, then security teams need to implement the most secure access control model possible, which should include strong passwords and multifactor authentication at a minimum. Another strong access control is implementing source IP address restrictions -- with or without a bastion host -- that limit where any access can come from.

As the use of container-based automation and orchestration systems becomes more common, it's critically important to lock them down and restrict access to them. In addition to a secure configuration and limited access model, all of these systems should have remote logging enabled, and security operations teams should be carefully monitoring activity on these systems.