Containers are changing how enterprises interact with their cloud platforms, though security could prove to be a hurdle toward broader adoption.
Containers are often regarded as secure by nature: each one is small and typically short-lived, which limits the attack surface and the time an attacker has to exploit it. Beyond that, specific measures and platforms can be deployed to bolster container security throughout their lifecycle, including vendor security services built to protect container deployments.
“Container security solutions protect the entire lifecycle of containers from creation into production, and most of the container security solutions provide preproduction scanning combined with runtime monitoring and protection,” Gartner explained in a recent report.
For the most part, the combination of container architecture and additional security tooling has bolstered confidence in the use of containers. Forrester Research found that, as of last year, 31 percent of enterprise IT organizations had deployed containers as part of their cloud operations.
An SDxCentral report and survey on Container and Cloud Orchestration found that container usage surged from just 8 percent last year to 45 percent this year.
“That will set the stage toward the future, where containers become the new dominant application platform to be managed, instead of virtual machines,” the report noted.
However, attention on broader cloud security, and on vulnerabilities in some open source platforms, has heightened container security concerns. The concern is sharpened by how containers are built: container-specific operating systems let many containers share a single host kernel with no hypervisor between them, so a flaw in that kernel is reachable from every container on the host.
The Linux kernel vulnerability dubbed "Dirty COW" (CVE-2016-5195), disclosed last year, illustrates the point. A race condition in the kernel's copy-on-write handling, reportedly present for nine years, let an unprivileged local process gain write access to read-only memory mappings and escalate its privileges on Linux-based operating systems, the same kernels that container deployments run on. Because a container shares the host kernel, a process inside a container can trigger such a bug against the host itself.
While no significant attacks on container deployments have yet been reported, concern remains about an attacker's ability to hijack integral container components.
“The ability of containers to properly isolate processes has been widely debated,” Cowen and Company noted in a recent report. “On one hand, the fact that the container exists at all does provide a barrier between other processes. However, a major concern is that the administrator of one container might gain control of the entire host, stealing data or hardware resources from other containers that are also resident on that host. While problematic when being run internally behind a corporate firewall, this becomes a showstopper with any application that is accessible by third parties.”
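As an added illustration of the escape-to-host concern raised above (example manifests written for this edit, not taken from the original article or from any vendor's code): the first pod spec hands a container the host's PID namespace, the host network, privileged mode and the node's root filesystem, so whoever controls that container effectively controls the node and every other container on it; the second runs the same image with the settings a security team would insist on. The pod name, image and user ID are placeholders.

```yaml
# Weak: a pod whose container is, in practice, root on the node.
apiVersion: v1
kind: Pod
metadata:
  name: debug-tools                 # hypothetical name
spec:
  hostPID: true                     # can see and signal every process on the host
  hostNetwork: true                 # shares the host's network namespace
  containers:
  - name: tools
    image: example.com/tools:1.0    # placeholder image
    securityContext:
      privileged: true              # all capabilities, no seccomp/AppArmor confinement
    volumeMounts:
    - name: host-root
      mountPath: /host
  volumes:
  - name: host-root
    hostPath:
      path: /                       # the node's entire root filesystem, writable
---
# Hardened: same image, confined to what the workload actually needs.
apiVersion: v1
kind: Pod
metadata:
  name: debug-tools
spec:
  automountServiceAccountToken: false   # no API credentials unless the app needs them
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001                # placeholder unprivileged UID
    seccompProfile:
      type: RuntimeDefault          # the container runtime's default syscall filter
  containers:
  - name: tools
    image: example.com/tools:1.0
    securityContext:
      allowPrivilegeEscalation: false   # setuid binaries cannot regain privileges
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]
    volumeMounts:
    - name: scratch
      mountPath: /tmp
    resources:
      limits:
        cpu: "500m"
        memory: "256Mi"             # caps the hardware resources one tenant can consume
  volumes:
  - name: scratch
    emptyDir: {}
```

The field names are those of current Kubernetes; several of them (allowPrivilegeEscalation, seccompProfile) arrived after the 1.7 release discussed here. A hardened spec is only as good as its enforcement: cluster operators should reject the first kind of pod at admission time rather than rely on every developer writing the second.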
The container ecosystem is taking those concerns to heart; security was a major focus of the Kubernetes 1.7 container orchestration platform release, for instance.
Those enhancements include encryption at rest for Secrets stored in etcd, the open source distributed key-value store Kubernetes uses for cluster state; finer control over network policy for pod-to-pod communications; a node authorizer that limits each node's kubelet to the API objects of the pods scheduled on it; and updates to client and server certificate rotation.
Google, for one, was quick to fold the updates into its Google Container Engine (GKE) service, the managed Kubernetes offering that orchestrates containers on the Google Cloud Platform (GCP).
Google said the security updates include restricting application programming interface (API) access to only the resources required to run an operation; user control over which sets of containers can communicate with each other; and control over encryption of content transported between the cloud infrastructure and the Google Cloud Load Balancing (GCLB) service.
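To make the Kubernetes 1.7 features described above concrete, here are two added configuration examples written for this edit (not from the Kubernetes project or from Google's GKE documentation). The first is a default-deny NetworkPolicy for a namespace plus one allow rule, so that only pods labelled app=frontend can reach pods labelled app=api, and only on port 8080; the second is the API server's encryption provider configuration that encrypts Secrets before they are written to etcd. The namespace, labels, port and key material are placeholders.

```yaml
# 1. Pod-to-pod traffic control, applied in namespace "shop" (placeholder).
#    Default: no pod in the namespace accepts traffic from anywhere.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: shop
spec:
  podSelector: {}                   # empty selector = every pod in the namespace
  policyTypes:
  - Ingress                         # no ingress rules listed, so all ingress is denied
---
#    Exception: frontend pods may reach api pods on TCP 8080 only.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-api
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080
---
# 2. Encryption of Secrets at rest in etcd. Passed to kube-apiserver with
#    --encryption-provider-config=<path to this file>. In the 1.7 alpha the
#    kind was "EncryptionConfig" with apiVersion v1, and the flag was
#    --experimental-encryption-provider-config.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources:
  - secrets
  providers:
  - aescbc:                         # first provider listed is used for all new writes
      keys:
      - name: key1
        secret: "<base64 of 32 random bytes, e.g. head -c 32 /dev/urandom | base64>"
  - identity: {}                    # plaintext fallback so Secrets written before
                                    # encryption was enabled can still be read
```

Two caveats a practitioner would want: NetworkPolicy objects are only enforced when the cluster's network plugin implements them, so a policy on a cluster without such a plugin is silently ignored; and the encryption configuration only protects data written after it takes effect, so existing Secrets must be rewritten (for example by reading and updating each one) before the identity provider can be dropped.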
Containers vs. VMs
An alternative way to enforce isolation and increase container security is to run containers inside hypervisor-based virtual machines, although doing so gives up some of the performance advantages of containers. Vendors explained that while this method can provide greater security, it may be more than most container use models need.
“Containers today don’t have the same level of isolation as a virtual machine,” explained Mark Balch, VP of product and marketing at Diamanti. “But there is a large continuum between ‘I don’t care about security,’ and ‘I need 100 percent security guaranteed.’ As people become more educated on what those differences are, they will become more comfortable in running in fully containerized environments instead of VMs.”
Twistlock CTO John Morello said security platforms also need to remain mindful of container resource efficiencies.
“We are being small and efficient with the tools that are being used,” Morello said. “That includes not installing hardware in each host, and instead just running another container. This allows for a very predictable way to monitor performance and security.”
Enterprises appear to be coming around when it comes to confidence in container security. Gartner said it believes that, “by 2019, 90 percent of enterprises will consider properly secured container deployments as secure as virtual machines, up from less than 20 percent in 2016.”
As with many security platforms, Gartner explained, container security concerns often stem from the deployment method rather than from the technology itself.
“Containers are not inherently unsecure, but they are being deployed in an unsecure manner by developers, with little or no involvement from security teams, and little guidance from security architects,” the analyst firm said. “Traditional network and host-based security solutions are blind to containers.”
Gartner indicated companies focused on the container security space are leading the way in terms of innovation, a notion echoed by Cowen and Company.
“While we have not seen much interest yet from established network security providers (we find this somewhat surprising, given the increased reliance on networks that containers bring), new container-specific security [companies] have been cropping up,” Cowen and Company noted. The firm named Aqua Security, Layered Insight, and Twistlock as some of the container-specific security companies it’s watching.
Steps Toward Container Security
While security challenges remain, there is plenty of guidance for enterprises looking to diminish the risk.
Twistlock’s Morello was a co-author of the Application Container Security Guide (Special Publication 800-190) recently released by the National Institute of Standards and Technology (NIST).
“The guide is designed to provide a diverse set of readers, from engineers to CISOs, with a clear understanding of the threat model and recommended defenses for a cloud native environment,” Morello explained of the guide.
Forrester, in a recent report, provides 10 steps to bolster container security, including building security into the container during development, securing it during testing and modification, and monitoring and guarding containers in production.
Forrester also said it sees container security consolidating around leading orchestration platforms like Docker Inc.’s Enterprise Edition and Kubernetes; cloud-native container platforms such as Google, Amazon EC2 Container Service, Microsoft Azure, and Bluemix; and host operating system providers like Red Hat and Microsoft.