Data protection for the DevOps era

How do we keep containers secure?

Rami Sass

Containers have become a necessary part of modern technology. But what are they and what kinds of security concerns should organizations be aware of? In this article, Rami Sass explores the basics of containers as well as the future of DevSecOps.

Containers have been featured in every trending technologies list for the past few years, and it’s safe to say that they are here to stay. Google, Amazon, Microsoft, and IBM are only a few of the big names leveraging this virtualization technology. Many utilize Docker, the leading container management platform.

What makes containers so attractive to development organizations? What are the security concerns that tech leaders need to take into account before adopting this new technology into their organization? We go over these questions and more.

Containers 101

Application container technologies, or containers, aren’t really as new as all those top 10 lists would have us believe. The technology has actually been built into Unix-type operating systems for decades.

Container technology provides a sandboxed environment for applications to run in by bundling an application and its dependencies into a unit that can be easily shipped, deployed, and run in isolation from other processes. Each container encapsulates a running application and its user space, and runs on top of the underlying operating system’s kernel.

As a result, a container can be distributed and deployed independently of the host machine, as long as the OS kernel remains the same. Containers free developers from complicated tasks like dependency management and the need to manually set up complex environments. The result is a faster and more reliable development and deployment process.


That sounds a lot like a VM

This might sound very similar to the process of running virtual machines. However, containers don’t bundle up the entire operating system the way that virtual machines do. That makes containers substantially leaner and faster than virtual machines.

A hardware setup that can support only a few dozen virtual machines can often run hundreds of containers. A typical container will load in milliseconds, compared to seconds or even minutes for a virtual machine.

What about security?

Container technologies promise easier development and deployment processes. However, while containers provide more isolation than non-virtualized environments, they provide less isolation and protection than virtual machines.

Organizations adopting container technology should also be aware of the security aspects that come along with it.

Vulnerable container images

Images are a basic part of container technology and part of what makes it so attractive. Developers can create an image or download one from several open source repositories. This is when things get tricky. While the ease of creating and downloading images is part of what makes containers such an automated and flexible process, images might contain security vulnerabilities or even malicious code.

Development teams need to continuously track images throughout the development life-cycle, ensuring they don’t contain any vulnerabilities and remediating any that are discovered.


Keep an eye on access control

Root privileges inside a container should be handed out with extreme care, and only to those users who need them to perform specific tasks; best practice is to grant them per task. This limits how many accounts are compromised if an attack does succeed.

Gaining root access to one container might enable hackers to reach more containers or even the operating system. This is why organizations, system administrators and DevOps teams should put together strict policies regarding access control. They should make sure that they are enforced throughout the development process.
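The two risks above, an untracked base image and a container that runs as root, can both be caught before a Dockerfile is merged. The following lint is an added example, not code from the article or from WhiteSource; it assumes only POSIX sh and awk, and the sample Dockerfiles and the digest value are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the article): a small pre-merge lint that flags two
# of the risks discussed above in a Dockerfile: an unpinned base image (the
# image scanned today is not the image built tomorrow) and a container that
# runs as root because no unprivileged USER is set. Assumes POSIX sh and awk.

# Prints one line per finding for the Dockerfile text passed as $1.
lint_dockerfile() {
    printf '%s\n' "$1" | awk '
        toupper($1) == "FROM" {
            img = $2
            if (img ~ /^--/) img = $3              # skip flags such as --platform=...
            if (img == "scratch" || img ~ /@sha256:/) next   # empty or digest-pinned: fine
            n = split(img, p, "/"); last = p[n]    # the tag lives in the last path part
            if (last !~ /:/ || last ~ /:latest$/)
                print "unpinned base image: " img
        }
        toupper($1) == "USER" { user = $2 }        # the last USER wins at runtime
        END {
            if (user == "" || user == "root" || user ~ /^0(:|$)/)
                print "runs as root: add a USER directive for an unprivileged account"
        }'
}

# Returns the number of findings (0 = clean), usable as a CI gate.
count_findings() {
    lint_dockerfile "$1" | awk 'END { print NR }'
}

# Constructed sample: floating tag and no USER, so the process runs as root.
BAD_DOCKERFILE='FROM node:latest
COPY . /app
CMD ["node", "/app/server.js"]'

# Constructed hardened version: base image pinned by digest (placeholder
# digest, not a real one) and an unprivileged runtime user.
GOOD_DOCKERFILE='FROM node:18-alpine@sha256:0000000000000000000000000000000000000000000000000000000000000000
RUN addgroup -S app && adduser -S -G app app
COPY --chown=app:app . /app
USER app
CMD ["node", "/app/server.js"]'

if [ "${1:-}" = "--demo" ]; then
    echo "bad:";  lint_dockerfile "$BAD_DOCKERFILE"
    echo "good:"; lint_dockerfile "$GOOD_DOCKERFILE"
fi
```

Run it with `--demo` to see both verdicts; in a pipeline, fail the build when `count_findings` is non-zero.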

Automate security management

The days of DevSecOps are upon us.

In order to stay on top of container security, it’s imperative to put the right tools and practices in place. Containers may not be a new technology, but their widespread adoption is. Many organizations and development teams are adopting container technologies without adjusting their attitudes and approach to security throughout the development process.

Containers require a DevSecOps approach, where security is tracked and addressed from the earliest stages of the development life-cycle with the appropriate tools and policies in place. Adopting this approach might mean some changes for Dev teams that at first might seem uncomfortable. Changes rarely are.

However, today there are many automated and continuous tools that will help teams manage all stages and aspects of container security. This allows them to enjoy the benefits of this technology without dealing with manual security checks.


Tighten container security and enjoy the ride

Containers allow development teams to handle and deploy their applications with greater ease, enabling them to deliver innovative and stable products faster. However, if organizations truly want to leverage the power of container technologies, they need to invest in new security practices. This ranges from the automated tools that they use to the policies they put in place early in the development life-cycle.

Investing in continuous security management processes throughout the development life-cycle will allow companies to use this promising virtualization technology while staying secure.


Rami Sass

Rami Sass is CEO and co-founder of WhiteSource. Rami is an experienced entrepreneur and executive with vast experience in defining innovative products, leading technology groups and growing companies from seed level to business maturity. Before founding WhiteSource, Rami founded Testology and, before that, led development efforts at both CA and Eurekify (acquired by CA). Rami holds an MSc and a BA in Computer Science.
