From a security perspective, containers are the Wild West – full of exciting possibilities, but also unfamiliar dangers. A study out of Forrester points to this mix of hopes and fears. In the report, 75 percent of enterprises that deploy containers cite security as the main advantage of container adoption, while over half of those same enterprises acknowledge container security as their greatest area of concern.
Containers are a newer technology, so new threats and points of attack keep surfacing, whereas virtual machines (VMs) have matured to the point where their attack surface is well understood. Each VM runs its own kernel and shares only the hypervisor with its neighbours, so malware that lands inside a VM is normally confined to that guest and is gone once the VM is destroyed. That confinement is strong but not absolute: a hypervisor vulnerability can allow a guest to escape, and malware written to a persistent disk image or snapshot survives the machine being spun down.
In contrast, the great strength of containers is also their weakness. Containers let developers implement a microservices-based architecture, breaking monolithic application stacks into smaller services to gain agility. The cost is that those services now talk to each other over the network, and every such connection is a path an attacker can probe.
There is a line of thought that containers are actually more secure than virtual machines. The reasoning is that splitting an application into microservices, each with a well-defined interface and a minimal set of packaged components, reduces the overall attack surface. Whether this holds depends entirely on how carefully the services are built and deployed, but the point is valid: a security-conscious container deployment can be as secure as a virtual machine, or more so.
Containers do face security threats that virtual machines do not. The basic ones are open network traffic between services and the kernel that every container shares with the host: a kernel vulnerability reachable from inside one container can compromise the host and, through it, every other container on it. Both must be addressed before going to production. Beyond that, the steps for securing a container are largely the same as for any system, platform, or service.
To implement container security that is the same as, or better than, that of virtual machines, do the following:
1. Scan container images before deployment and running containers at run time. Keep the exposed attack surface to a minimum (small base images, no unneeded packages or services) and harden the surfaces that must remain.
2. Isolate application clusters on the basis of trust, risk, and exposure using network micro-segmentation, so that a compromised service can reach only the peers it legitimately needs.
3. Use every security tool and configuration option the platform offers, such as registry image scanning and controls over container access and privileges (running as a non-root user, dropping capabilities, never running privileged containers).
4. Update often so that hosts, container runtimes, and base images run the latest patched versions.
5. In addition to North-South monitoring, gain visibility into East-West network traffic between containers and on the host. Build a baseline of the application's normal behaviour so that you can recognise when it is doing something it should not.
6. Test, review, and improve security practices as part of the continuous integration and deployment (CI/CD) pipeline, and fail builds that violate policy.
7. Forward threats and risk indicators from the Docker host to your security information and event management (SIEM) tool.
8. Supplement these controls with third-party platforms designed for the fast-changing, short-lived nature of container deployments.
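The following is an added example, not code from the article or its author, that ties steps 3, 4, 6 and 7 together: a small policy check over `docker inspect` output that flags privileged mode, host namespaces, a root user, added capabilities, a missing no-new-privileges option, a mounted Docker socket and an unpinned image tag, and emits its findings as JSON lines a SIEM can ingest. It can run in CI against a staging host or on a schedule against production. The two inspect records are constructed by hand in the shape `docker inspect` prints, cut down to the fields checked; the registry name, container name and digest are placeholders. The hardened record shows the same service with the weak settings corrected.

```python
"""Audit `docker inspect` records for risky runtime settings and emit
JSON-lines findings for a SIEM. Added example; the records below are
constructed, not captured from a real host."""
import json

# Constructed: a container started with --privileged --net=host, as root,
# with the Docker socket mounted and a floating image tag.
WEAK_INSPECT = [{
    "Id": "0123abcd",
    "Name": "/payments-api",
    "Config": {"Image": "registry.example.com/payments:latest", "User": ""},
    "HostConfig": {
        "Privileged": True,
        "NetworkMode": "host",
        "PidMode": "",
        "CapAdd": ["SYS_ADMIN"],
        "CapDrop": None,
        "SecurityOpt": None,
        "ReadonlyRootfs": False,
        "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
    },
}]

# Constructed: the same service with the corrected settings
# (--user, --cap-drop=ALL, no-new-privileges, --read-only, pinned digest).
HARDENED_INSPECT = [{
    "Id": "4567ef01",
    "Name": "/payments-api",
    "Config": {"Image": "registry.example.com/payments@sha256:" + "0" * 64,
               "User": "10001:10001"},
    "HostConfig": {
        "Privileged": False,
        "NetworkMode": "payments-net",
        "PidMode": "",
        "CapAdd": None,
        "CapDrop": ["ALL"],
        "SecurityOpt": ["no-new-privileges:true"],
        "ReadonlyRootfs": True,
        "Binds": None,
    },
}]

# Capabilities that on their own are close to root on the host.
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}


def audit_container(rec):
    """Return a list of finding dicts for one `docker inspect` record."""
    cfg = rec.get("Config") or {}
    host = rec.get("HostConfig") or {}
    name = (rec.get("Name") or "").lstrip("/")
    findings = []

    def flag(rule, severity, detail):
        findings.append({"container": name, "id": rec.get("Id", ""),
                         "rule": rule, "severity": severity, "detail": detail})

    if host.get("Privileged"):
        flag("privileged", "high", "--privileged grants all capabilities and host device access")
    if host.get("NetworkMode") == "host":
        flag("host_network", "high", "shares the host network namespace; network policy cannot segment it")
    if host.get("PidMode") == "host":
        flag("host_pid", "high", "shares the host PID namespace")
    user = (cfg.get("User") or "").strip()
    if user == "" or user.split(":")[0] in ("0", "root"):
        flag("root_user", "medium", "process runs as root inside the container")
    for cap in host.get("CapAdd") or []:
        short = cap.upper()
        short = short[4:] if short.startswith("CAP_") else short
        flag("cap_add", "high" if short in DANGEROUS_CAPS else "medium", f"added capability {cap}")
    if "ALL" not in [c.upper() for c in host.get("CapDrop") or []]:
        flag("caps_not_dropped", "low", "default capability set retained; prefer --cap-drop=ALL plus explicit adds")
    if not any(o.startswith("no-new-privileges") for o in host.get("SecurityOpt") or []):
        flag("no_new_privileges_unset", "medium", "setuid binaries can still gain privileges; set --security-opt=no-new-privileges")
    if not host.get("ReadonlyRootfs"):
        flag("writable_rootfs", "low", "root filesystem is writable; consider --read-only with tmpfs for scratch paths")
    for bind in host.get("Binds") or []:
        if bind.split(":")[0] in ("/var/run/docker.sock", "/run/docker.sock"):
            flag("docker_socket", "high", "Docker socket mounted; equivalent to root on the host")
    image = cfg.get("Image") or ""
    last = image.rsplit("/", 1)[-1]          # strip registry/namespace so a registry port is not mistaken for a tag
    if "@sha256:" not in image and (":" not in last or image.endswith(":latest")):
        flag("mutable_tag", "low", f"image {image} is not pinned to a digest; updates are not reproducible")
    return findings


def audit(records):
    """Audit every record in `docker inspect` output (a JSON array)."""
    out = []
    for rec in records:
        out.extend(audit_container(rec))
    return out


def to_siem_lines(findings):
    """One JSON object per line with sorted keys, ready for a log shipper."""
    return [json.dumps(f, sort_keys=True) for f in findings]


if __name__ == "__main__":
    for label, recs in (("weak", WEAK_INSPECT), ("hardened", HARDENED_INSPECT)):
        found = audit(recs)
        print(f"== {label}: {len(found)} finding(s)")
        for line in to_siem_lines(found):
            print(line)
```

Against a live host, replace the constructed records with `json.load` over the output of `docker inspect $(docker ps -q)` and treat any "high" finding as a CI failure; the same JSON lines can be shipped to the SIEM so that a container that was started with `--privileged` or the Docker socket mounted shows up as an alert rather than being discovered by accident.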
Another way forward for enterprises weighing virtual machines against containers is to have the best of both worlds and deploy containers on virtual machines. This makes the most sense for enterprises that already have existing applications and a stable virtual machine infrastructure in place. It combines mature monitoring and isolation capabilities with faster DevOps processes, and each VM's own kernel becomes a second isolation boundary, so a container escape on one VM does not immediately expose the containers on the others. The trade-off is lower performance and scalability and higher cost than containers running on bare metal.
Containers and microservices are exciting new technologies that unfortunately bring new security threats with them. By considering those threats carefully and putting the best available protections in place, containers can realise their potential to be both a highly advantageous and a highly secure solution.