Confusion among organizations and vendors over just what is needed to support container deployments may be limiting efforts to properly secure those deployments. Containers are often regarded as secure by construction: they are small, and they frequently exist for only a brief period of time. Dedicated platforms can also be deployed to bolster container security throughout their lifecycle.
These include container security services from vendors such as CloudPassage, which recently folded its Container Secure product into its core Halo platform. The addition secures container images, the running containers, and the container engine or host.
Alok Ojha, senior director of products at CloudPassage, noted that containers and their ecosystem “represent an entirely new attack surface that is disrupting security and compliance processes as they are gaining rapid adoption.”
Ojha explained that while containers themselves present a small attack surface, a compromised image used to build containers carries that compromise into every container built from it across the cluster. He added that although such an attack could be widespread, it should also be comparatively easy to remediate, since only a single image needs to be fixed.
Bruce Mathews, senior solutions architect at Mirantis, recently noted that while proponents tout security advantages tied to containers' smaller operating environment, vulnerabilities remain, and organizations will want more experience with the platform before taking the plunge.
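The propagation Ojha describes is what makes "which containers were built from this image?" the first question after an image compromise. The following is an added example, not code from the article or from CloudPassage, Mirantis or Critical Stack: it walks Pod objects in the shape `kubectl get pods -A -o json` returns (the sample cluster, registry hostname, namespaces and digests below are constructed) and lists every container that is running, or cannot be shown not to be running, a compromised image. Images pinned by digest are matched directly; images referenced by a mutable tag are matched through the digest the kubelet actually pulled (`status.containerStatuses[].imageID`), and flagged when no pull record exists, because a tag alone cannot prove which content is running.

```python
"""Blast radius of a compromised container image across a Kubernetes cluster (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PULLABLE_PREFIX = "docker-pullable://"   # older kubelets prefix status imageID with this


@dataclass(frozen=True)
class ImageRef:
    name: str                 # registry[:port]/repository
    tag: Optional[str]
    digest: Optional[str]     # "sha256:<hex>" when the reference is pinned

    @property
    def pinned(self) -> bool:
        return self.digest is not None


def parse_image_ref(ref: str) -> ImageRef:
    """Split 'registry:port/repo:tag@sha256:...' into name, tag and digest."""
    if ref.startswith(PULLABLE_PREFIX):
        ref = ref[len(PULLABLE_PREFIX):]
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    name, tag = ref, None
    # A ':' after the last '/' separates the tag; an earlier one is a registry port.
    if ref.rfind(":") > ref.rfind("/"):
        name, tag = ref.rsplit(":", 1)
    if tag is None and digest is None:
        tag = "latest"        # implicit tag: the least pinned reference of all
    return ImageRef(name, tag, digest)


def _pulled_digests(pod: dict) -> Dict[str, ImageRef]:
    """Map container name -> image the kubelet actually pulled, from pod status."""
    pulled = {}
    for key in ("initContainerStatuses", "containerStatuses"):
        for st in pod.get("status", {}).get(key, []):
            if st.get("imageID"):
                pulled[st["name"]] = parse_image_ref(st["imageID"])
    return pulled


def blast_radius(pods: List[dict], compromised: str) -> List[Tuple[str, str, str, str]]:
    """(namespace, pod, container, reason) for every container affected by `compromised`,
    which is given as 'name@sha256:...' the way a registry or scanner reports it."""
    bad = parse_image_ref(compromised)
    if not bad.pinned:
        raise ValueError("compromised image must be identified by digest")
    hits = []
    for pod in pods:
        ns, pod_name = pod["metadata"]["namespace"], pod["metadata"]["name"]
        pulled, spec = _pulled_digests(pod), pod["spec"]
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            want = parse_image_ref(c["image"])
            if want.name != bad.name:
                continue
            got = pulled.get(c["name"])
            if want.digest == bad.digest:
                reason = "spec pinned to compromised digest"
            elif got is not None and got.digest == bad.digest:
                reason = f"tag {want.tag!r} resolved to compromised digest at pull time"
            elif got is None and not want.pinned:
                reason = f"tag {want.tag!r} unpinned and no pull record; cannot rule out"
            else:
                continue      # pinned to, or pulled, a different digest: not affected
            hits.append((ns, pod_name, c["name"], reason))
    return hits


def unpinned_images(pods: List[dict]) -> List[Tuple[str, str, str]]:
    """Preventive check: (namespace, pod, image) for every spec image not pinned by digest."""
    out = []
    for pod in pods:
        ns, pod_name = pod["metadata"]["namespace"], pod["metadata"]["name"]
        for c in pod["spec"].get("initContainers", []) + pod["spec"].get("containers", []):
            if not parse_image_ref(c["image"]).pinned:
                out.append((ns, pod_name, c["image"]))
    return out


# ---- constructed sample cluster (hypothetical registry, namespaces and digests) ----
BASE = "registry.example.com:5000/platform/base-web"
BAD_DIGEST = "sha256:" + "a" * 64
GOOD_DIGEST = "sha256:" + "b" * 64


def _pod(ns, name, containers, pulled=None, init=()):
    """Build a minimal Pod object; `pulled` maps container name -> status imageID."""
    pod = {"metadata": {"namespace": ns, "name": name},
           "spec": {"initContainers": [{"name": n, "image": i} for n, i in init],
                    "containers": [{"name": n, "image": i} for n, i in containers]}}
    init_names = {n for n, _ in init}
    if pulled:
        pod["status"] = {
            "initContainerStatuses": [{"name": n, "imageID": i} for n, i in pulled.items() if n in init_names],
            "containerStatuses": [{"name": n, "imageID": i} for n, i in pulled.items() if n not in init_names]}
    return pod


SAMPLE_PODS = [
    _pod("payments", "api-1", [("web", f"{BASE}@{BAD_DIGEST}")],            # pinned to the bad build
         pulled={"web": f"{BASE}@{BAD_DIGEST}"}),
    _pod("billing", "worker-7", [("worker", f"{BASE}:1.4")],               # tag resolved to bad build
         pulled={"worker": f"{PULLABLE_PREFIX}{BASE}@{BAD_DIGEST}"}),
    _pod("billing", "worker-8", [("worker", f"{BASE}:1.4")],               # same tag, clean build pulled
         pulled={"worker": f"{BASE}@{GOOD_DIGEST}"}),
    _pod("payments", "api-2", [("web", "quay.io/example/api:2.0")],        # only the init container hit
         pulled={"migrate": f"{BASE}@{BAD_DIGEST}", "web": f"quay.io/example/api@{GOOD_DIGEST}"},
         init=[("migrate", f"{BASE}:1.4")]),
    _pod("dev", "scratch", [("app", BASE)]),                               # implicit :latest, never pulled
    _pod("monitoring", "prom", [("prom", "quay.io/prometheus/prometheus:v2.40.0")]),
]

if __name__ == "__main__":
    for hit in blast_radius(SAMPLE_PODS, f"{BASE}@{BAD_DIGEST}"):
        print("AFFECTED %s/%s container=%s: %s" % hit)
    for ns, pod_name, image in unpinned_images(SAMPLE_PODS):
        print(f"UNPINNED {ns}/{pod_name}: {image}")
```

Two points the sample is built to show: the same tag (`1.4`) is affected on one node and clean on another, so remediation has to be driven by the digests that were pulled rather than by tags in manifests; and the `unpinned_images` check is the preventive side of the same problem, since a spec that pins by digest makes the blast radius exact instead of "cannot rule out".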
“There are a bazillion new ways to get into the namespaces that are running containers,” Mathews said. “That’s an area where the vulnerability will hold back the adoption of containers until it’s fully addressed.”
Organization, Vendor Confusion
However, many organizations are still carrying out container deployments without really knowing what the impact will be on their existing security policies.
Ojha said he is seeing some large organizations attempt to forklift existing operations wholesale into a container environment. Not only do these workloads typically carry far more than a container needs, they also often bring along legacy security policies that do not fit a container environment.
“They are moving basically everything over to their container deployments,” Ojha said. “We are seeing some containers running with one or two gigs’ worth of data inside of them. … A good chunk of the market is still dabbling with containers, still trying to figure out how current policies can be adapted and reformatted into the container world.”
Ojha said vendor support for such moves is also lacking, with many of the current solutions not accounting for real-world scenarios.
“Vendors are talking a lot about securing containers, but many are not really acting in a realistic way to make it possible,” Ojha said, noting that many vendors lack insight into the legacy systems involved. “Others have gone too deep where only one-tenth of 1 percent of the market needs or can use their offering.”
This has driven some to develop security platforms more specific to the needs of certain verticals.
Capital One Financial recently released a beta version of its Critical Stack container orchestration platform, which promises stronger security than traditional offerings. The platform is compatible with Kubernetes, though Critical Stack President Liam Randall said Kubernetes still lacks the depth of support needed for more involved enterprise deployments.
“Kubernetes solves the first half of the container orchestration challenge for the enterprise,” Randall said. “If you’re an enterprise, you’ve got a whole host of other concerns that remain unanswered that you must solve – security, compliance, and enterprise integration.”
Security has been central to a number of recent updates from the Kubernetes community. This has come on the heels of rapidly expanding interest in the container orchestration platform from across numerous verticals.
Ojha said he thinks the increased attention on Kubernetes should help bolster the ecosystem and security options. “The management layer needs to mature, and the broader adoption of Kubernetes is helping the ecosystem to thrive and grow,” he said.
Despite the noted security threats and challenges, enterprises appear to be growing more confident about container security. Gartner recently said it believes that, “by 2019, 90 percent of enterprises will consider properly secured container deployments as secure as virtual machines, up from less than 20 percent in 2016.”