Continuous Container Security – Is it Mission Impossible?

This blog compliments my November 20^th webinar, Virtualization and Container Security. Is it ‘Mission: Impossible’?, which you can watch on-demand here.

While containers have only recently become pervasive, the initial notion of a container goes all the way back to 1979 with the chroot command in Version 7 Unix. Chroot changes the apparent root directory for the current running process and its children. In 2005, Sun Microsystems introduced Solaris Containers. And the technology world was forever changed (for the better) a decade ago with Linux Containers (LXC), which evolved into Docker.

Some of the benefits of containers over regular applications include:

• smaller codebases
• quicker to be instantiated
• greater modularity
• enable an order of magnitude speedup of workload start-up, thereby enabling greater agility in the development process

But if an enterprise’s underlying security is weak and plagued with vulnerabilities, it is unlikely to reap much benefit from containerization. Furthermore, the primary goal of abstraction technologies, such as virtualization and containers, is to optimize resource efficiency and provide agility. Security is not the main consideration. But this does not necessarily mean that virtualization and container technologies can’t be secure. In fact, they can be quite secure.

Perhaps the most important key for success with using containers is to create a container platform strategy. This strategy should define the baseline requirements for security controls, monitoring, logging, data persistence, networking (and much more), and lifecycle management of containers that are prerequisites for production environments.

Some of the core elements that need to be built into the strategy include (but are by no means limited to):

• Host isolation
• Access control
• Operating system hardening
• Container image Scanning
• Logging
• Monitoring
• Incident response
• Signing
• Encryption

Containers provide isolation for applications from their host and from each other, while minimizing use of resources of the underlying infrastructure and reducing the surface area of the host itself. Containers and virtual machines (VMs) can be deployed together to provide additional layers of isolation and security for selected services. Docker is the largest containerization vendor, and it provides the most complete set of security capabilities with strong defaults in container technology.

While applications packaged in containers are fundamentally more secure by default, the key to achieving and maintaining these higher levels of security is to ensure that all of the necessary security controls are formalized and baked into your container environment.

To learn more insights into how to more effectively improve container and virtualization security, watch my on-demand webinar: Virtualization and Container Security. Is it ‘Mission: Impossible’?