Granted, Twistlock handles container security for a living, so Bernstein has a vested interest in one side of this argument. But he made a pretty good case earlier this week, when I caught him between meetings at the RSA Conference in San Francisco.
Check out our coverage of the RSA Conference 2016.
His point had to do with microservices. One trend in software development is to carve a service into modular pieces, each of which could inhabit a container. The number of things each microservice ought to be doing is fairly limited, so a security system watching those containers has a pretty easy time knowing if any of them are acting outside the bounds of policy.
By contrast, Bernstein argues, if you did that analysis on a full-blown service, it’s harder to specify what “normal” behavior looks like. The number of pieces interacting has a multiplicative effect.
“So we tell users that with containers, you can actually be more secure,” he says. “We can tell if each process should be happening or not.”
The reason container security gets criticized stems from the fact that multiple containers share a Linux kernel. Penetrating one container to get root access to the kernel would open up all the containers for an attacker.
“The isolation mechanisms, including Linux cgroups and Namespaces, need to be bulked up to provide more firewalling between containers,” writes analyst Scott Raynovich in the SDxCentral report, “Inside the Linux Container Ecosystem.”
Bernstein counters by claiming that a container “jailbreak” has been a theoretical problem so far, not one that’s being exploited in real life. (Keep in mind that containers are still relatively rare in production software deployments.) And, he says, if one particular container seemed like more of a security risk, it could simply be placed on a separate virtual machine.
Twistlock’s security suite monitors containers as they’re phased into existence. It checks them for vulnerabilities but also makes sure they’re behaving within the bounds of IT policy — hence, Bernstein’s point about microservices making policy verification easier.
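To make the per-container policy idea concrete (the point made above about microservices, and the behavioural checking just described), here is an added illustration, not Twistlock's code or anything from the original article: a per-container allow-list of expected processes, checked against a constructed sample of process starts, plus the merged allow-list a monitor would be stuck with if the same services were packed into one container.

```python
from dataclasses import dataclass

# Constructed policy (assumed, not from the article): the executables each
# microservice container is expected to run. One job per container keeps
# each allow-list short, which is what makes "normal" easy to specify.
POLICY = {
    "web-frontend": {"nginx"},
    "orders-api": {"gunicorn", "python3"},
    "payments-db": {"postgres"},
}

@dataclass(frozen=True)
class ProcessEvent:
    """A process start observed inside a container (constructed event shape)."""
    container: str
    exe: str

def check_events(policy, events):
    """Return (container, exe, reason) tuples for every start outside policy."""
    findings = []
    for ev in events:
        allowed = policy.get(ev.container)
        if allowed is None:
            findings.append((ev.container, ev.exe, "no policy for container"))
        elif ev.exe not in allowed:
            findings.append((ev.container, ev.exe, "process not in allow-list"))
    return findings

def monolith_allow_list(policy):
    """Allow-list needed if all services ran in one container: the union of
    the per-service sets, so a process legitimate for one component is
    tolerated everywhere and a misplaced one is no longer an anomaly."""
    merged = set()
    for allowed in policy.values():
        merged |= allowed
    return merged

# Constructed sample of process starts: two are out of policy, one container
# has no policy at all (a gap worth alerting on rather than silently passing).
EVENTS = [
    ProcessEvent("web-frontend", "nginx"),
    ProcessEvent("orders-api", "gunicorn"),
    ProcessEvent("payments-db", "postgres"),
    ProcessEvent("payments-db", "sh"),        # a shell in the database container
    ProcessEvent("web-frontend", "python3"),  # fine for orders-api, not here
    ProcessEvent("metrics-sidecar", "node"),  # nobody wrote a policy for this one
]

if __name__ == "__main__":
    for container, exe, reason in check_events(POLICY, EVENTS):
        print(f"{container}: {exe} ({reason})")
    print("monolith allow-list:", sorted(monolith_allow_list(POLICY)))
```

Note that `python3` in `web-frontend` is flagged under the per-container policy but would pass unnoticed against the merged monolith allow-list.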
Twistlock launched in November with the bragging rights of being available on Google Cloud Platform. Now, Amazon Web Services (AWS) is also offering Twistlock, for scanning containers in the EC2 Container Registry that became commercially available in December.
Even some equipment vendors are interested in Twistlock, Bernstein says. They would be producing appliances where software would reside in containers. It would be a way to support continuous integration practices, he claims.
Photo: Random RSA Conference shot by SDxCentral’s own Rob Wilson, on Instagram.