
Security Concerns Around Rapid Container Growth

5 Aug 2019 6:00am, by Asif Awan

There’s a reason containers have fundamentally altered the way organizations develop and deploy applications. Containers provide a variety of significant benefits — application portability, accelerated deployment through CI/CD (continuous integration/continuous deployment) pipelines, and massive scalability. Technology is often a double-edged sword, though, and containers are no exception. There are also serious security concerns that need to be considered and addressed in order to use containers effectively.

Containers are still made up of lines of code. They interact with other containers and backend infrastructure. They execute commands and access data. That means containers are an attractive target for attackers and need to be protected, but the dynamic nature and sheer volume of containers can also make container security challenging.

Explosive Growth of Containers

Asif Awan
As Chief Technology Officer for Container Security at Qualys, Asif Awan is responsible for the overall vision, strategy and roadmap of the container security offerings. He came to Qualys through the acquisition of Layered Insight, where he was Founder & CTO and led the product vision and strategy. He is a passionate cybersecurity entrepreneur with broad business and technology expertise that spans the enterprise, healthcare and financial domains, and cloud, mobile and deep learning technologies. Asif has a master's degree in Artificial Intelligence and a bachelor's in Computer Science.

Containers have brought more disruption than virtual machines (VMs) did when they were introduced. VM disruption was limited to the infrastructure layer, but containers have a ripple effect that extends much farther. The beauty of a container is that everything that is needed or relied on is packaged within itself for complete portability.

The container revolution has also sparked the development of new, slimmed-down container-optimized operating systems and serverless environments. Because a containerized application carries everything it needs within itself, it requires very few system resources — all it needs from the host is a kernel.

Containers have been one of the hottest trending technologies for a few years now, but we are still at the early end of container adoption. A 2018 report from 451 Research predicts a 30 percent annual growth rate for the container market through 2022. Nearly one in five organizations were using containers at the time of the report, with another 29 percent of those surveyed actively pursuing implementation over the next two years.

The rapid growth of the container market should not come as a surprise. When you consider the advantages containers provide in terms of accelerating development, portability, deployment, agility, and scalability, it’s actually somewhat surprising that just over half of the organizations surveyed by 451 Research had no immediate plan or interest in pursuing containers.

Container Security Concerns Drive Reluctance

As popular as containers are, organizations still have concerns—including security—that are holding back broader adoption. More than 40 percent of the companies surveyed for the 2018 Container Adoption Benchmark Survey from Diamanti reported that they are not running containers in a production environment. Of those running containers in a production environment, more than 22 percent stated that security is the biggest challenge they face.

Many organizations are still trying to make the transition to a DevOps environment and cloud infrastructure — each of which has its own unique security considerations. Traditional network security tools are not equipped to work effectively in a cloud or hybrid environment, and in many cases, IT teams are struggling to address that challenge. Throwing containers into the mix — especially in a production environment with access to live, sensitive data — can be understandably daunting.

RunC Vulnerability Demonstrates Challenges with Container Security

Concerns about the potential risk of containers interacting with the underlying operating system and with each other were recently validated when the RunC vulnerability made headlines. A security hole was discovered that could allow an attacker to infect a container with malicious code and ultimately attack the host system the container is running on. It is just the sort of potential doomsday scenario that many organizations are worried about.

RunC is the low-level runtime that most major container engines use to spin up containers on a host. Kernel-enforced sandboxing policies should in theory protect against such threats, but this vulnerability is not covered by the default AppArmor or SELinux policies. Thankfully, the exploit is relatively tricky to execute effectively.

Effective Container Security

The benefits and advantages of containers are significant. As more organizations jump on the container bandwagon, it will become a business imperative to follow suit. Failure to do so will allow competitors that have adopted containers to achieve a dramatic strategic advantage. It’s important to understand and address the inherent security concerns of containers so you can begin to adopt and use them in your production environments.

You don’t want to choose container security solutions that lock you into a specific operating system or platform, or that protect your containers while exposing you to additional, unnecessary risk. Container security that requires root privileges or the ability to install an agent on the underlying host may provide some protection for the containers, but it can create additional issues at the same time.

The fundamentals of container security are relatively straightforward. You should assess how your container environment and operational structure are configured and ensure that your container security meets established benchmarks and best practices. The two most important aspects of container security are to prevent containers from performing any tasks they are not supposed to and to make sure that code within a container is not running with elevated privileges.
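Those two fundamentals can be checked mechanically before a workload is deployed. The following is an added example, not code from the article or from Qualys: a small static checker over a Kubernetes pod spec that flags settings which let a container do more than it should (privileged mode, shared host namespaces, host-path mounts, undropped capabilities, a writable root filesystem) and settings that let the code inside run as root. It assumes the Kubernetes pod-spec field names (`securityContext`, `hostPID`, `hostPath`, and so on); the two sample manifests are constructed for the example, one deliberately weak and one hardened.

```python
"""Static check of a Kubernetes pod spec against two container-security
fundamentals: the container must not be able to do things it is not supposed
to, and the code inside must not run with elevated privileges.

Added example; assumes Kubernetes pod-spec field names. Sample manifests are
constructed, not taken from any real deployment.
"""
from typing import Any, Dict, List

# Capabilities that hand a container broad control over the host kernel.
HIGH_RISK_CAPS = {"SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE"}


def check_pod_spec(spec: Dict[str, Any]) -> List[str]:
    """Return a list of human-readable findings; an empty list means clean."""
    findings: List[str] = []

    # Sharing a host namespace lets the container see or act on host state.
    for ns in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(ns):
            findings.append(f"pod shares the host {ns[4:]} namespace")

    # hostPath volumes expose host files (e.g. a container runtime socket).
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            path = vol["hostPath"].get("path")
            findings.append(f"volume {vol.get('name')} mounts host path {path}")

    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})

        if sc.get("privileged"):
            findings.append(f"{name}: privileged=true (full host device and capability access)")
        # Defaults to true, so only an explicit false counts.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation not set to false")
        if not sc.get("readOnlyRootFilesystem", False):
            findings.append(f"{name}: root filesystem is writable")

        caps = sc.get("capabilities", {})
        drops = {d.upper() for d in caps.get("drop", [])}
        if "ALL" not in drops:
            findings.append(f"{name}: capabilities not dropped (drop: [\"ALL\"] missing)")
        for added in caps.get("add", []):
            if added.upper() in HIGH_RISK_CAPS:
                findings.append(f"{name}: adds high-risk capability {added}")

        # Container-level settings override pod-level ones.
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if run_as_user == 0:
            findings.append(f"{name}: runAsUser is 0 (root)")
        elif not run_as_non_root and run_as_user is None:
            # Nothing in the spec prevents root; the image's USER decides.
            findings.append(f"{name}: may run as root (neither runAsNonRoot nor runAsUser set)")

    return findings


# Constructed sample: the kind of spec that shares host state and runs as root.
WEAK_POD = {
    "hostNetwork": True,
    "volumes": [{"name": "docker-sock", "hostPath": {"path": "/var/run/docker.sock"}}],
    "containers": [
        {"name": "web", "image": "example/web:1.0", "securityContext": {"privileged": True}}
    ],
}

# Constructed sample: same workload, locked down.
HARDENED_POD = {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
    "containers": [
        {
            "name": "web",
            "image": "example/web:1.0",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }
    ],
}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(f"{label}: {len(check_pod_spec(pod))} finding(s)")
        for f in check_pod_spec(pod):
            print("  -", f)
```

The checker reads only the spec, so it can run in a CI/CD pipeline before anything reaches a cluster; the last check is deliberately a heuristic, since a spec that sets neither `runAsNonRoot` nor `runAsUser` leaves the decision to the image, which is exactly the gap a reviewer should close.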

Feature image via Pixabay.
