Containers (such as Docker) are receiving a lot of attention. One of the most critical areas of difference between containers and traditional virtual machines (VMs) is around security. There is nothing inherently insecure or dangerous about containers in the data center. Containers provide excellent segmentation and isolation and – with proven security best practices – can operate in a highly secure manner. However, there are two fundamental differences between containers and VMs that must be considered.
First, containers do not include all the agents organizations typically use to secure VMs. For example, a VM may have anti-malware, intrusion prevention/detection and other software running to protect itself from threats. A container is typically ‘just the app,’ running as lightweight and streamlined as possible, without these additional security protections.
Secondly, the usage pattern of containers is typically to componentize an app into micro-services and run these micro-services in their own containers. Because of this pattern, a given app may be composed of many hundreds of containers. Thus, a mistake in the configuration or a vulnerable component can result in many hundreds of compromised systems. Since these containers typically don’t have all the security agents in them that a full VM often has it’s easy to end up with a large attack surface across an app’s landscape.
…demand a security policy expression and enforcement tool….”
Here are some fundamental security needs that organizations using containers must keep in mind:
Consider the risks of deploying insecure apps and configurations in containers. Traditional vulnerability management tools are not designed to provide intelligence about containerized environments, and the large numbers of containers in a typical deployment makes it difficult to manage vulnerabilities at scale.
Because containers are frequently used in a continuous integration practice throughout the development lifecycle, it is easy for vulnerabilities and workarounds that are created in development to persist into production.
Since containers are so portable, they may be moved and deployed across a wide variety of environments, from developer workstations to private clouds to public clouds. It is important for organizations using containers to also provide, inspect and protect not only the containers themselves, but also the environments in which they run.
To solve these problems in a way that scales with containers, organizations need a solution that is built for the container pattern and aligned at the unique times for which the security is required. Those developing within containers need a security solution designed specifically for containerized computing that provides vulnerability management and policy enforcement throughout the development lifecycle and across all the environments where a container may run.
Approach this implementation with vulnerability management in mind that has CVE-based inspection and analysis of hosts, containers and their content. As well, demand a security policy expression and enforcement tool. Finally, shepardize all the data your monitors observe and act on central logging tools using open standards.
Containers are unquestionably a disruptive force in the industry and are empowering organizations to more quickly develop services. Although they provide security isolation, they are not a security solution in and of themselves. This development tool requires specifically designed security for this new computing model to allow organizations to more securely operate and scale these containerized computing environments, throughout the development lifecycle and across all the environments in which they run.
John Morello is an enterprise security veteran with more than 15 years in enterprise security and infrastructure.