Are containers getting a bad rap for security?

In 2013, when the Docker open-source project released its container engine, Linux containers were typically custom-created and self-managed. But then the technology took off, with a million downloads and about 8,000 Docker-using applications in the first year.

Today, about 40% of companies are using containers in some way, according to a survey conducted by the Enterprise Strategy Group (ESG) in its latest Cloud Security Report. The Docker container technology has been downloaded more than 29 billion times to date, according to Docker.

But security concerns remain. Some 94% of respondents in the ESG study felt that containers negatively affect security. The top concerns were that containers lack mature security tooling and that the security tools that do exist make container deployments more complex.

The worries over security have likely hampered adoption, but the need to improve the speed of development has blunted the overall impact. Many application-security professionals also wonder if the concerns are overstated.

Here's why containers are getting maligned on security.


It's a feature, not a bug

Many of the concerns center on new users who may have outdated ideas about the technology or who are still learning about the proper way to secure the technology, said Sam Bisbee, chief technology officer of security provider Threat Stack, which sponsored the ESG report.

For one thing, he said, many IT professionals still equate the isolation containers provide, which is namespace and resource isolation on a shared host kernel, with the hardware-level isolation of virtual machines, each of which runs its own kernel. "There are people who are implementing containers who see them as virtual machines, but people don't realize that containers do not come with the same security built in—and that was a design choice," he said.

"I don't think a lot of people who are deploying containers necessarily realize the difference."
Sam Bisbee

Popularity as a plague

The concerns are, in many ways, a result of the popularity of containers. With companies continuing to adopt agile development methodologies and continuous integration and continuous deployment (CI/CD) processes for deploying applications to the cloud, containers have rocketed in popularity.

In 2017, a third of companies surveyed by cloud management firm RightScale had already deployed Docker containers, while another third planned to do so in the future.

Containers help separate the applications from the infrastructure, making development easier and more predictable and allowing a simpler, more consistent deployment environment. Yet security needs to be considered up front, said independent cloud expert David Linthicum.

"Security is typically an afterthought. We are just not thinking about and baking in security. … We do this every time we adopt new technology."
David Linthicum

The concerns over container security are likely overstated, but companies need to consider the security of the application during development, he said.

Other security experts believe that containers are getting a bad security rap. The companies that are deploying containers are mostly cognizant of what they can and cannot do—and most understand that containers do not provide the same level of isolation as virtual machines, said John Morello, chief technology officer at cloud security firm Twistlock.

Containers: Security-neutral tech

Containers are more minimal, more declarative, and more predictable—characteristics that provide real security benefits if you adapt your tools and processes to take advantage of them, Morello said.

"Containers are neither inherently good nor evil from a security standpoint—they’re a tool that, if you use them well, you’ll benefit. [Used poorly, they] can cause harm, like pretty much everything else in IT."
John Morello

Morello argued that, because containers are more minimal than virtual machines, their expected behavior can be modeled and whitelisted more easily. And because containers are declarative, an operations specialist can read a single file, the image definition, and know what the container contains.

Finally, because containerized applications are much more predictable at runtime, companies can block anomalies by enforcing a whitelist of expected behavior and flagging everything outside it, rather than trying to distinguish good from bad behavior with static signatures.
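The two properties Morello describes, a declarative image definition and predictable runtime behavior, combine naturally into an allow-list. The following is an added example, not code from the article or from Twistlock: it seeds a profile from a constructed Dockerfile (the program ENTRYPOINT/CMD launches and the ports EXPOSE declares), extends it with events from a trusted baseline run, and then flags anything outside that profile in a later run. The Dockerfile, the event records and their `type`/`value` shape are all constructed for the example; a real agent would get them from the image and from a syscall or audit feed.

```python
import json
import shlex
from collections import defaultdict

# Constructed image definition: the declarative file the text refers to.
DOCKERFILE = """\
FROM python:3.11-slim
COPY . /app
WORKDIR /app
EXPOSE 8000/tcp
ENTRYPOINT ["/usr/local/bin/gunicorn", "app:app", "--bind", "0.0.0.0:8000"]
"""

# Runtime events observed during a known-good test run (constructed sample).
BASELINE_EVENTS = [
    {"type": "exec", "value": "/usr/local/bin/gunicorn"},
    {"type": "listen", "value": "8000"},
    {"type": "connect", "value": "db.internal:5432"},
    {"type": "file_write", "value": "/tmp/gunicorn.log"},
]

# Events from a later production run; the last three are not in the profile
# (constructed sample resembling a shell spawned inside the container).
PRODUCTION_EVENTS = [
    {"type": "exec", "value": "/usr/local/bin/gunicorn"},
    {"type": "connect", "value": "db.internal:5432"},
    {"type": "exec", "value": "/bin/sh"},
    {"type": "exec", "value": "/usr/bin/curl"},
    {"type": "connect", "value": "198.51.100.7:4444"},
]


def profile_from_dockerfile(text):
    """Seed the allow-list from the image definition: the program that
    ENTRYPOINT/CMD launches and the ports the image declares it listens on."""
    profile = defaultdict(set)
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) != 2:
            continue
        instr, arg = parts[0].upper(), parts[1].strip()
        if instr in ("ENTRYPOINT", "CMD"):
            # exec form is a JSON array; shell form is a plain command line
            argv = json.loads(arg) if arg.startswith("[") else shlex.split(arg)
            if argv:
                profile["exec"].add(argv[0])
        elif instr == "EXPOSE":
            for port in arg.split():
                profile["listen"].add(port.split("/")[0])
    return profile


def learn(profile, events):
    """Extend the profile with everything seen in a trusted baseline run."""
    for ev in events:
        profile.setdefault(ev["type"], set()).add(ev["value"])
    return profile


def detect_anomalies(profile, events):
    """Flag every event whose value is absent from the profile for its type.

    No list of 'bad' things is consulted: the workload is predictable, so
    anything outside the declared-plus-observed set is treated as an anomaly.
    """
    return [ev for ev in events if ev["value"] not in profile.get(ev["type"], set())]


def main():
    profile = learn(profile_from_dockerfile(DOCKERFILE), BASELINE_EVENTS)
    for ev in detect_anomalies(profile, PRODUCTION_EVENTS):
        print(f"ANOMALY {ev['type']}: {ev['value']}")


if __name__ == "__main__":
    main()
```

The point of the example is what is absent: there is no signature for `/bin/sh` or for a reverse-shell port. The shell, the download tool and the outbound connection are flagged purely because the image never declared them and the baseline never exhibited them.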

Every company using containers should consider security right out of the gate, especially if the tech is deployed as part of a highly automated DevOps pipeline, said cloud expert Linthicum.

"If you are going to iterate your way to security, start now. Security is systemic in DevOps. It needs to be built into the app, built into the design."
David Linthicum

Group and go, maybe

Because containers do not provide VM-grade isolation, companies should group containers of the same sensitivity level on the same host, so that a container escape exposes only workloads of equal sensitivity, Morello said. The National Institute of Standards and Technology has released its own Application Container Security Guide (NIST SP 800-190) to help companies deploy the technology securely.

"This zoning model has been used for many years in IT for segmenting data and resources and compartmentalizing risk," Linthicum said. "Many organizations already do it for their VMs."
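The zoning model above can be expressed as a scheduling constraint rather than left to operator discipline. The following is an added example, not code from the article, NIST or either vendor: it audits an existing placement for hosts that mix sensitivity levels, and shows a greedy scheduler that dedicates a host to one level the moment it receives a workload (hosts may also be pinned to a zone up front, in the way a Kubernetes node label would). The workload inventory, host list, level names and naive placement are all constructed for the example.

```python
from collections import defaultdict

# Sensitivity levels in ascending order (constructed; use your own classification).
LEVELS = ["public", "internal", "restricted"]

# Constructed inventory: containers carry a sensitivity label, hosts carry
# a slot count and an optional pinned zone.
WORKLOADS = [
    {"name": "marketing-web", "sensitivity": "public"},
    {"name": "docs", "sensitivity": "public"},
    {"name": "intranet", "sensitivity": "internal"},
    {"name": "payments-api", "sensitivity": "restricted"},
    {"name": "card-vault", "sensitivity": "restricted"},
]
HOSTS = [
    {"name": "host-a", "slots": 2},
    {"name": "host-b", "slots": 2},
    {"name": "host-c", "slots": 2, "zone": "restricted"},
]

# Placement produced by a "wherever there is room" scheduler (constructed).
NAIVE_PLACEMENT = {
    "marketing-web": "host-a",
    "payments-api": "host-a",  # public and restricted now share a kernel
    "docs": "host-b",
    "intranet": "host-b",
    "card-vault": "host-c",
}


def audit_placement(placement, workloads):
    """Return {host: [levels]} for every host that holds more than one level."""
    level_of = {w["name"]: w["sensitivity"] for w in workloads}
    per_host = defaultdict(set)
    for name, host in placement.items():
        per_host[host].add(level_of[name])
    return {h: sorted(lv, key=LEVELS.index) for h, lv in per_host.items() if len(lv) > 1}


def plan_placement(workloads, hosts):
    """Greedy zoned scheduler: a host, once it holds a level, takes only that level.

    Pinned hosts accept only their zone. Raises instead of silently falling
    back to a shared host when a level cannot be placed without mixing.
    """
    free = {h["name"]: h["slots"] for h in hosts}
    zone = {h["name"]: h.get("zone") for h in hosts}
    placement = {}
    # Place the most sensitive workloads first so they get the pinned hosts.
    for w in sorted(workloads, key=lambda w: -LEVELS.index(w["sensitivity"])):
        level = w["sensitivity"]
        candidates = [h for h in free if zone[h] == level and free[h] > 0]
        candidates += [h for h in free if zone[h] is None and free[h] > 0]
        if not candidates:
            raise RuntimeError(f"no host available for {w['name']} at level {level}")
        host = candidates[0]
        placement[w["name"]] = host
        zone[host] = level  # dedicate the host from now on
        free[host] -= 1
    return placement


if __name__ == "__main__":
    print("naive placement mixes:", audit_placement(NAIVE_PLACEMENT, WORKLOADS))
    zoned = plan_placement(WORKLOADS, HOSTS)
    print("zoned placement:", zoned)
    print("zoned placement mixes:", audit_placement(zoned, WORKLOADS))
```

The scheduler deliberately fails closed: running out of dedicated capacity is an error for someone to resolve by adding hosts, not a reason to co-locate a restricted workload with a public one.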

Not all companies will be able to collect their applications into a single host group. Companies with large deployments should expect that deploying containers securely will require considerably more design consideration and focus, said Threat Stack's Bisbee. In addition, companies should automate the monitoring and analysis of their infrastructure so that anomalous activity and misconfigurations are detected quickly.
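Bisbee's two points, that containers do not come with VM-style isolation built in and that misconfigurations should be found automatically, meet in the container's own runtime settings: most of the isolation a container does get is a set of defaults that one flag can switch off. The following is an added example, not code from the article or from Threat Stack. It audits a constructed subset of the fields `docker inspect` reports (`HostConfig.Privileged`, `PidMode`, `NetworkMode`, `CapAdd`, `SecurityOpt`, `ReadonlyRootfs`, `Binds`, and `Config.User`) for the settings that collapse the container boundary. The two container records, the severity labels and the capability and path lists are constructed for the example.

```python
# Capabilities whose addition effectively hands the container the host (example list).
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}
# Host paths that should not be bind-mounted into an application container (example list).
SENSITIVE_BIND_SOURCES = {"/", "/var/run/docker.sock", "/etc", "/proc", "/sys"}

# Constructed subset of `docker inspect` output for a hardened service and a
# monitoring agent that was launched as if it were a VM.
INSPECT_OUTPUT = [
    {
        "Name": "/api",
        "Config": {"User": "10001:10001"},
        "HostConfig": {
            "Privileged": False, "PidMode": "", "NetworkMode": "bridge",
            "CapAdd": None, "CapDrop": ["ALL"], "SecurityOpt": ["no-new-privileges"],
            "ReadonlyRootfs": True, "Binds": ["/srv/api/config:/etc/api:ro"],
        },
    },
    {
        "Name": "/agent",
        "Config": {"User": ""},
        "HostConfig": {
            "Privileged": True, "PidMode": "host", "NetworkMode": "host",
            "CapAdd": ["SYS_ADMIN"], "CapDrop": None, "SecurityOpt": ["seccomp=unconfined"],
            "ReadonlyRootfs": False, "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
        },
    },
]


def audit_container(c):
    """Return a list of (severity, message) findings for one container record."""
    hc = c["HostConfig"]
    cfg = c.get("Config", {})
    findings = []
    if hc.get("Privileged"):
        findings.append(("high", "privileged: all capabilities and host devices"))
    if hc.get("PidMode") == "host":
        findings.append(("high", "shares the host PID namespace"))
    if hc.get("NetworkMode") == "host":
        findings.append(("medium", "shares the host network namespace"))
    for cap in hc.get("CapAdd") or []:
        name = cap.upper()
        if name.startswith("CAP_"):
            name = name[4:]
        if name in DANGEROUS_CAPS:
            findings.append(("high", f"adds capability {cap}"))
    for opt in hc.get("SecurityOpt") or []:
        if opt in ("seccomp=unconfined", "apparmor=unconfined"):
            findings.append(("high", f"disables a mandatory profile: {opt}"))
    for bind in hc.get("Binds") or []:
        src = bind.split(":")[0]  # Binds entries are "source:target[:options]"
        if src in SENSITIVE_BIND_SOURCES:
            findings.append(("high", f"bind-mounts sensitive host path {src}"))
    user = (cfg.get("User") or "").split(":")[0]
    if user in ("", "root", "0"):
        findings.append(("medium", "runs as root inside the container"))
    if not hc.get("ReadonlyRootfs"):
        findings.append(("low", "writable root filesystem"))
    return findings


def audit_all(records):
    """Map each container name (without docker's leading slash) to its findings."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in records}


if __name__ == "__main__":
    for name, findings in audit_all(INSPECT_OUTPUT).items():
        print(name, "clean" if not findings else "")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

Every finding on the `agent` record is a single flag someone passed at `docker run` time; the container engine did not remove the isolation, the operator did. Feeding real `docker inspect` JSON (or the equivalent pod spec) through a check like this on every deploy is the "automate the analysis" part of the advice.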

Don't start DevOps here

Companies need to consider whether they should adopt containers now or wait until their development process is more mature, said Bisbee. Companies that are just starting out should not begin by trying to adopt containers. Both DevOps and CI/CD can be accomplished without the technology, he said.

"If I was going to start a company tomorrow, the first problem I would want to solve is not how to deploy and operationalize containers. People tend to adopt technology like containers too early because of the trendiness of it."
Sam Bisbee

The trend is clear, however: Containers and other technologies that allow for fast development and deployment of applications are the future. While companies should not adopt the technology without need, they should consider a pilot program to test the technology and explore deployment options. Only then can the developers and ops team determine whether containers are a good fit for the company's development model.
