The use of containers has exploded recently and become integral to application development processes. The trend shows no sign of slowing down, but it raises many new security challenges. This article takes a closer look at these container security issues, why they exist, and the tactics needed to overcome them.
Top Container Security Challenges
Containers offer a logical packaging mechanism in which applications can be abstracted from the environment in which they actually run. This decoupling allows container-based applications to be deployed easily and consistently, regardless of whether the target environment is a private data center, the public cloud, or even a developer’s personal laptop.
Containerization allows development teams to move fast, deploy software efficiently, and operate on an unprecedented scale. As a strategy, containers are taking off in popularity and use. According to data from the 451 Research Group, the container virtualization market will quadruple in size by 2021. Yet as is the case with so many new technologies, containers were not conceived or architected with security in mind.
In this article, we’ll take a closer look at a few common container security issues, why they exist, and what is needed to overcome them.
Uncertainty + limited knowledge = increased container security risk
As organizations rush to containerization—seeking to take advantage of faster application development, efficient deployment and ability to scale—they should expect that cyber attacks containing containers will grow in popularity as well.
No matter how secure containerized systems may appear to be, nothing is truly hack proof. It’s safe to assume that attackers will continue to look for new ways to exploit the virtualization process. As containers continue their march into the IT mainstream, technology leaders will need to provide assurances that their container strategies are a truly viable approach, especially when it comes to security.
Not surprisingly, many cybersecurity professionals believe that the rapid growth and proliferation of containers have led to a number of security issues:
- The fact that containers typically require applications to be broken into smaller microservices, resulting in increased data traffic and complex access control rules.
- Most server workload security solutions do not support similar functionality for containers, requiring the use of separate container security technologies. This adds cost and complexity to safeguard valuable IT assets.
- The need to verify that images stored in container registries meet their organization’s security and compliance requirements. Companies need specialized tools to accomplish this task.
- The lack of mature, proven solutions for container security.
- The potential for “container sprawl” creates loose access controls between containers, which could leave production environments vulnerable. This scenario represents the existing process and management issues that could lead to additional security vulnerabilities.
- Portability makes containers more susceptible to “in motion” compromises. Many security professionals don’t have the right tools to monitor transient containers and microservices as they appear and disappear.
- Finally, containers often run in cloud-based environments with new kinds of security controls. In fact, vulnerabilities in Docker and Kubernetes container management systems have been discovered over the past couple of years.
Fast container deployment can be a double-edged sword
The benefit of container technology is that they accelerate application development and deployment processes, making security updates, upgrades, and vulnerability patching fast and easy. Even better, all of this is possible without changing the underlying nature of the existing applications. For example, applications do not need to adapt to special APIs, libraries, or interfaces.
Yet the speed of deployment can be a challenge, too. Often, there is not enough time for quality assurance or security testing. This means that companies need to go through manual processes of consistently checking that the latest versions of the containers are the ones being used and that all of the code is patched and fully up to date.
More microservices add more complexity
However, with the need to split applications and/or data across microservices, companies now have many services and ports to keep track of and secure. Plus, each one has less information about what’s happening, so it’s difficult to determine if a service or port has been infiltrated.
In a recently published interview in CSO Online, Manish Gupta, co-founder, and CEO of ShiftLeft, explains the issue. “Organizations are breaking their monoliths into smaller and smaller chunks,” he said. “The data flows get so much more complex within the application that it is hard to tell what every microservice does.”
The challenge grows as more critical systems are moved to a software-as-a-service delivery model. “This means that you are concentrating a lot of your data in your apps,” Gupta explained. “Equifax and Uber are great examples of this. Now this very sensitive, very important data is flowing between microservices, and few people have good visibility into it.”
One potential solution: rethinking the DevOps approach
Looking beyond the issue of simply securing the container, it’s important to note that security needs to be built into the application development process much earlier.
For example, if developers are downloading an image from an external source, it must be scanned for vulnerabilities, unpatched code, and any other potential issue—before the container goes live. And even when the container goes live, it becomes challenging to maintain and monitor the state of security for something that is potentially very short-lived and interacts with other components. This means changing the DevOps approach to “SecDevOps” by integrating security practices, tooling, and automation upfront while the application is in development.
To do this well, today’s companies are integrating their teams. For example, security professionals are embedded with application development teams at each step of the way—inception and design all the way to production deployment. These companies are seeing the value—each team expands their skill sets and knowledge base, making them more valuable technologists. In turn, this new approach improves IT security.
Automated security tools are critical to strengthen security efforts
Over and over we hear that using automation is critical to further strengthen any successful data and network security strategy and containers are no different. CSPi’s security solutions, including our ARIA Software-Defined Security (SDS) platform automatically detect containers or VMs as they spawn and by application, device, or data type applies the appropriate encryption policies. This is a critical advantage given the speed and ease at which the DevOps methodology enables applications to deploy, as well as the containers that house them.