Containers and security—What do you need to know? Is it safe for you and your business to rely on the security of containers, or should you wait before switching to a container-based platform? In this post, we’ll take a look at the current state of container security, and what it means for your business.
Containers vs VMs
First, though, let’s do a quick recap of containers vs. virtual machines.
Depending on who’s doing the talking, containers are either the next stage in the evolution of software deployment, supplanting virtual machines, or they are the stripped-down alternative to virtual machines, to be deployed when and where circumstances warrant their use.
While a virtual machine is effectively encapsulated and walled off from the host system, containing both the operating system and the software to be delivered, a container consists of the software payload plus the resources to which it needs to have direct access, relying on the host system for most other resources.
A virtual machine hypervisor manages deployment and at the same time functions as a firewall between VMs and the host system, while a container engine manages not only deployment, but also each container’s access to host resources.
The most obvious advantage of containers is that they are lightweight. They don’t require a guest operating system, and they contain only the binaries and libraries required by the payload application. They take up less space in memory than virtual machines, and they are quicker to deploy. A container can be spawned for a specific purpose, then destroyed immediately after it has carried out the required operation.
From a security point of view, the major disadvantage of containers in comparison to virtual machines is that they are dependent on the resources of the host system. A container engine can manage the interactions between the container and the host OS, but it does not lend itself easily to the kind of firewall functions that are a basic part of a VM hypervisor.
There is also the matter of technological maturity. Virtual machine technology has been around long enough that most of its basic security issues have been defined, analyzed, and addressed. Containers are still new enough that at least some security questions are still in the definition-and-analysis phase. Consider the following:
- Direct interaction with the host OS. Because containers are dependent on the host operating system’s resources, they provide attackers with a potential point of entry into the host system. Since containers can be created from images stored in a library, the security and quality of a container is only as good as that of the library from which it was drawn.
- Potentially greater vulnerability to attack through the container engine. By necessity, the container engine has a high level of interaction with the container’s internal processes (as opposed to a virtual machine’s hypervisor, which can effectively insulate the virtual machine from the host OS). Every point of contact between the container’s internal processes and the host’s resources is a potential target of attack.
- Less inter-application isolation. This represents another kind of vulnerability which arises largely out of the container’s dependence on the host OS. When containers share host resources, a vulnerability on one container can become a point of entry for an attack on other containers.
Container Security Now
Container security has, however, progressed to the point where many of the key issues can be addressed on a practical level, even if their full ramifications are still being worked out. Three major factors have led to improved container security:
- Greater security built into (or packaged with) container engine systems. Docker, for example, has put in place a variety of measures to tighten container security. These include signed images, a repository-scanning system, and namespaces, which provide tight security controls for container payloads. Other container-management platforms have instituted their own security systems, including CoreOS’ Distributed Trust Computing, which uses cryptography-based checks of container and system integrity.
- Adaptation of existing security applications and features to cover containers. In many ways, this trend is as important as the development of new/system-specific container security features. Linux and other host systems have their own, often very rich security and authentication resources, and it is only natural that container-management systems would become increasingly integrated with such standard authentication features. Docker has incorporated Linux’s seccomp, which allows processes and applications to be firewalled from system resources by filtering the system calls they can make, and Docker is involved in an ongoing effort to integrate widely used authentication mechanisms such as LDAP and Kerberos. As this process continues, container security will come to more closely resemble VM security, and system security as a whole.
- Third-party security solutions designed specifically for containers. Third-party vendors have been working on a number of applications designed to address security needs that are specific to containers. These include systems for scanning containers in-depth for security issues, as well as comprehensive systems for monitoring deployed containers and payloads, enforcing container security standards, and providing real-time protection for deployed containers.
Ready or Not?
How does this all add up in terms of security for your business and your software? Is container security ready for prime time, or is it better to wait a bit longer before switching to a comprehensive container-based solution?
Ultimately, of course, the decision must be based on the specific circumstances and security needs of your business. Overall, however, container security is good, and getting better. Docker, for example, includes seccomp filtering, container image signing, and root capability dropping as defaults, and allows namespaces as an option, which provide a solid basis for effective security, with resources in place for both strong container isolation and container/image verification.
Combined with the existing third-party applications for scanning, monitoring, and protecting deployed containers, current container security features are more than adequate for the needs of both business and institutional container users.
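The seccomp, capability, and namespace protections named above only help when individual containers do not opt out of them. The following audit is an added example, not code from Docker or from this post: it reads `docker inspect` style JSON and reports each container that disables one of those protections. The container names and sample data are constructed for illustration.

```python
import json

# Constructed sample shaped like `docker inspect` output (not from a real host).
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/web",
   "HostConfig": {"Privileged": false, "SecurityOpt": ["no-new-privileges"],
                  "CapAdd": null, "CapDrop": ["ALL"], "UsernsMode": "",
                  "PidMode": "", "NetworkMode": "bridge"}},
  {"Name": "/debug",
   "HostConfig": {"Privileged": false, "SecurityOpt": ["seccomp=unconfined"],
                  "CapAdd": ["SYS_ADMIN"], "CapDrop": null, "UsernsMode": "host",
                  "PidMode": "host", "NetworkMode": "host"}},
  {"Name": "/legacy",
   "HostConfig": {"Privileged": true, "SecurityOpt": null,
                  "CapAdd": null, "CapDrop": null, "UsernsMode": "",
                  "PidMode": "", "NetworkMode": "bridge"}}
]
""")

def audit_container(entry):
    """Return findings where one container opts out of an isolation default."""
    hc = entry.get("HostConfig") or {}
    findings = []
    if hc.get("Privileged"):
        # --privileged grants every capability and runs without seccomp filtering.
        findings.append("privileged")
    for opt in hc.get("SecurityOpt") or []:
        # Older Docker releases wrote this option as "seccomp:unconfined".
        if opt.replace(":", "=", 1) == "seccomp=unconfined":
            findings.append("seccomp-unconfined")
    for cap in hc.get("CapAdd") or []:
        # Capabilities added back on top of Docker's reduced default set.
        findings.append("cap-add:" + cap.upper())
    for label, key in (("pid", "PidMode"), ("network", "NetworkMode"),
                       ("userns", "UsernsMode")):
        if hc.get(key) == "host":
            # The container shares this namespace with the host.
            findings.append("host-namespace:" + label)
    return findings

def audit(inspect_output):
    """Map container name -> list of findings for a parsed `docker inspect` array."""
    return {e["Name"].lstrip("/"): audit_container(e) for e in inspect_output}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, "OK" if not findings else ", ".join(findings))
```

On a live host, the same functions can be fed the parsed output of `docker inspect $(docker ps -q)` in place of the constructed sample.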
Containers and security—The tools are in place and ready to use. If you’ve been waiting for the right moment to shift to containers, now may be the time to move.