- Portability between different platforms and clouds
- Efficiency through using far fewer resources than virtual machines and delivering higher utilization of compute resources
- Agility that allows developers to integrate with their existing DevOps environment
- Higher speed in the delivery of enhancements
- Faster app start-up and easier scaling
- Easier management
- Improved security by isolating applications from the host system and from each other
What Are Containers?

“Everything at Google runs on containers,” according to a report on the company’s website. “Containerization allows our development teams to move fast, deploy software efficiently and operate at an unprecedented scale.” Google reports that it starts over two billion containers every week. But what are they? Here are several definitions.

A container is a standard unit of software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another. A Docker container image is a lightweight, standalone, executable package of software that includes everything needed to run an application: code, runtime, system tools, system libraries and settings. — Docker, a major player in container technology

Containers are lightweight software components that bundle the application, its dependencies, and its configuration in a single image, running in isolated user environments on a traditional operating system on a traditional server or in a virtualized environment. — IBM, Rajeev Gandhi and Peter Szmrecsanyi

Containers are a solution to the problem of how to get software to run reliably when moved from one computing environment to another. This could be from a developer's laptop to a test environment, from a staging environment into production, and perhaps from a physical machine in a data center to a virtual machine in a private or public cloud. — CIO.com, “What are containers and why do you need them?”

Containers offer a logical packaging mechanism in which applications can be abstracted from the environment in which they actually run. This decoupling allows container-based applications to be deployed easily and consistently, regardless of whether the target environment is a private data center, the public cloud, or even a developer’s personal laptop. — Google, “Containers 101”
A Closer Look at Container Security

As container adoption continues to grow, a strong focus on security is an absolute must. In 2018, some 60% of organizations that use containers suffered a container-related security incident, according to a Tripwire survey. The respondents, representing hundreds of organizations that currently have containers in production, also reported several other concerning figures:
- 47% said they deployed containers known to have vulnerabilities, and
- 46% admitted they deployed containers without knowing whether or not they had vulnerabilities.
The practices below follow the core recommendations of the NIST Application Container Security Guide (SP 800-190), listed among the resources at the end of this article:

- Rethink your organization’s operational culture and technical processes to support the new way of developing, running and supporting applications made possible by containers. Adopting containers might be disruptive to your existing culture and development methodologies, and your current practices might not be directly applicable in a containerized environment. Encourage, educate and train your team to rethink how they code and operate.
- Use container-specific host OSs instead of general-purpose ones to reduce attack surfaces. A container-specific host operating system is a minimalist OS designed only to run containers; the services, packages and libraries a general-purpose distribution ships by default are left out, so there is far less on the host for an attacker to target.
- Only group containers with the same purpose, sensitivity and threat posture on a single host OS kernel. Every container on a host shares that kernel, so segmenting containers this way provides defense in depth: an attacker who compromises one container finds it harder to expand the compromise to other groups, and a compromise is more likely to be detected and contained.
- Adopt container-specific vulnerability management tools and processes for images to prevent compromises. Traditional tools make many assumptions that are misaligned with a containerized model and are often unable to detect vulnerabilities within containers. Adopt tools and processes to validate and enforce compliance with secure configuration best practices for images, including centralized reporting, monitoring each image and preventing non-compliant images from being run.
- Consider using hardware-based countermeasures to provide a basis for trusted computing. Extend security practices across all tiers of the container technology by basing security on a hardware root of trust, such as the Trusted Platform Module (TPM).
- Use container-aware runtime defense tools. Deploy and use a dedicated container security solution capable of monitoring the container environment and providing precise detection of anomalous and malicious activity within it. The most efficient way to ensure security at scale is to integrate security functions and procedures into each phase of development and deployment.
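As an added example (not code from the article or from the NIST guide), the following Python sketch shows the kind of centralized admission check the image vulnerability-management recommendation above calls for: a single policy that refuses to run an image that has never been scanned, carries findings above a severity threshold, is referenced by a mutable tag rather than a digest, comes from an unapproved registry, or runs as root. The first two of those rules map directly onto the two survey figures quoted earlier (images deployed with known vulnerabilities, and images deployed without any scan at all). The scan-report shape, the allow-listed registry `registry.example.internal`, and the finding identifiers `EXAMPLE-000x` are all constructed for this example; real scanners export their own formats, and in production this logic would live in a CI gate or a cluster admission controller rather than a stand-alone script.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Severity ordering used to compare findings against the policy threshold.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Assumption for this example: only images from this internal registry may run.
ALLOWED_REGISTRIES = ("registry.example.internal/",)

# An immutable reference ends in "@sha256:<64 hex chars>"; a tag such as ":latest" does not.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


@dataclass
class Policy:
    max_severity: str = "MEDIUM"   # worst finding tolerated when a fixed version exists
    block_unfixed: bool = False    # also block findings that have no fixed version yet
    allow_root: bool = False
    require_digest: bool = True
    allowed_registries: tuple = ALLOWED_REGISTRIES


def evaluate(image: dict, policy: Policy) -> tuple[bool, list[str]]:
    """Return (admit, reasons). An empty reasons list means the image is compliant."""
    reasons: list[str] = []
    ref = image["ref"]

    if not ref.startswith(policy.allowed_registries):
        reasons.append(f"registry not in allow-list: {ref}")

    if policy.require_digest and not DIGEST_RE.search(ref):
        reasons.append("reference is a mutable tag, not a digest; contents can change under you")

    # Docker runs as UID 0 when the image sets no USER, so a missing field counts as root.
    if not policy.allow_root and image.get("user", "root") in ("", "root", "0"):
        reasons.append("image runs as root (no USER set or USER root)")

    # The "deployed without knowing" case: no scan on record means no admission.
    if image.get("scan_status") != "scanned":
        reasons.append("no vulnerability scan on record for this image")
    else:
        limit = SEVERITY_RANK[policy.max_severity]
        for v in image.get("vulnerabilities", []):
            if SEVERITY_RANK.get(v["severity"], 0) <= limit:
                continue
            if v.get("fixed_version") or policy.block_unfixed:
                fix = v.get("fixed_version") or "no fix available"
                reasons.append(f"{v['severity']} finding {v['id']} in {v['package']} ({fix})")

    return (not reasons, reasons)


# Constructed sample reports. The shape (reference, USER, scan status, findings) mirrors
# what a scanner export carries, but every value here is made up for the example.
SAMPLE_IMAGES = [
    {   # compliant: pinned, internal registry, non-root, scanned, only a LOW finding
        "ref": "registry.example.internal/payments/api@sha256:" + "a" * 64,
        "user": "app",
        "scan_status": "scanned",
        "vulnerabilities": [
            {"id": "EXAMPLE-0001", "package": "libexample", "severity": "LOW", "fixed_version": "1.2.4"},
        ],
    },
    {   # known vulnerable but deployed anyway: public registry, floating tag, root, CRITICAL
        "ref": "docker.io/library/example-web:latest",
        "user": "root",
        "scan_status": "scanned",
        "vulnerabilities": [
            {"id": "EXAMPLE-0002", "package": "example-ssl", "severity": "CRITICAL", "fixed_version": "3.0.9"},
            {"id": "EXAMPLE-0003", "package": "example-zlib", "severity": "HIGH", "fixed_version": None},
        ],
    },
    {   # never scanned: otherwise fine, but nobody knows what is inside it
        "ref": "registry.example.internal/batch/etl@sha256:" + "b" * 64,
        "user": "etl",
        "scan_status": "none",
        "vulnerabilities": [],
    },
]


def admission_report(images: list[dict], policy: Policy) -> dict[str, bool]:
    """Central view (image reference -> admitted?) of the kind a cluster-wide dashboard would show."""
    return {img["ref"]: evaluate(img, policy)[0] for img in images}


if __name__ == "__main__":
    for img in SAMPLE_IMAGES:
        admit, reasons = evaluate(img, Policy())
        print("ADMIT" if admit else "DENY ", img["ref"])
        for r in reasons:
            print("    -", r)
```

With the default policy the first image is admitted, the second is denied on four counts (registry, mutable tag, root, and the CRITICAL finding with a fix available; the unfixed HIGH is reported only if `block_unfixed` is set), and the third is denied solely because no scan exists. Loosening the severity, root and digest rules still does not admit the second image, because the registry allow-list is evaluated independently; a deny is the union of every failed rule, which is what makes the report useful for centralized tracking rather than a single pass/fail bit.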
Container Security [Additional Resources]

Here is a round-up of additional resources from industry websites, public agencies and container security solutions providers:
- National Institute of Standards & Technology — Application Container Security Guide
- TechBeacon — “Container Security: What You Need to Know About the NIST Standards”
- StackRox - Docker Container Security 101: Risks and 33 Best Practices
- Red Hat — “What Is Container Security?”
- Hewlett Packard Enterprise — “5 Ways to Secure Your Containers”
- Tripwire State of Container Security Report
- Securing the Entire Container Stack, Lifecycle and Pipeline
About the Author: Michelle Moore, Ph.D., is academic director and professor of practice for the University of San Diego’s innovative, online Master of Science in Cyber Security Operations and Leadership program. She is also a researcher, author and cybersecurity policy analyst with over two decades of private-sector and government experience as a cybersecurity expert.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.