The Security Challenges of Enterprise Container Adoption

Written by

The container adoption wave has swept across the US over the last five years and has been gaining traction in Europe, the Middle East and Asia.

The blending of development and operations processes into DevOps has also changed the way software is deployed from a traditional waterfall development model to one that is agile, dynamic and elastic. As a result, the attack surface is constantly evolving and traditional virtual machines (VMs) no longer offer the level of flexibility and reliability needed to keep pace with today’s changing software environment.

Known as the next generation of virtualization, containers solve the ongoing challenge of trying to get software to run reliably when moved from one computing environment to another.

These modern applications are the total software package: lightweight and portable, with everything needed at runtime: code, system tools and libraries. And while containers are similar to VMs, they are much smaller and more efficient, able to run on almost any computer, infrastructure or cloud. Unlike VMs though, containers use shared operating systems and thus do not overwhelm the system resources. Furthermore, hundreds or potentially thousands of containers can run on just one server, saving valuable data center budget.

At the moment, containerization is increasingly being used for web services, such as Google Apps, but its applicability is forecasted to grow rapidly across various sectors, including the government.

Containers are cool, but are they secure?

Of the key strengths of containers is their ability to be spun up and down almost instantly, however, this has also become a serious security challenge. One of the big issues is the lack of visibility into the container itself, largely because of its short lifespan, which can run from a few hours to a few days, and the application’s ability to be instantly deleted or replaced.

Containers are also less isolated from one another. This means that it’s more difficult to ‘talk’ to individual containers, unlike talking to a virtual host. As a result, security teams are not able to see the code that’s running and whether there are any issues with it. This usually means that they are not scanned for vulnerabilities before or after being deployed to production. Indeed, visibility is a key element in the ability to assess risk and build an effective remediation and patching plan.

According to the Tenable 2017 Global Cybersecurity Assurance Report Card, only 52 percent of responding security professionals felt that their organization had a handle on how best to assess risks within container environments. Therefore, securing containers has become a top priority for organizations that want visibility into their entire network in order to understand their level of risk and exposure.

How can organizations secure container environments?

Organizations have struggled to continuously assess container engines like Docker, or similar platforms, simply because traditional security approaches fall short in today’s dynamic and boundary-less modern IT environment. Network-based security simply won’t suffice in the new app-centric enterprise, and will require a fundamental shift in how organizations think about cyber risk and how they ‘do’ security.

The good news is that as containers have grown in popularity, so too have the tools available to help secure them. The only way to ensure security in production is to rule out possible container-based vulnerabilities during the build cycle, and prior to deployment. Besides, security teams need real-time, on-the-fly security auditing and continuous monitoring in the development pipeline itself, without slowing down the DevOps process.

Introducing security into the DevOps process, at the same speed as DevOps, is starting to gain momentum as organizations transition into DevSecOps. In other words, container images need to be scanned as they’re built, before they can reach production and at the same speed they are being developed. This way, organizations can reduce their level of threat exposure and risk, ensuring their container images are secure without disrupting innovation cycles.

This is part of a series of blogs, written exclusively for Infosecurity by Tenable. See other entries here

What’s hot on Infosecurity Magazine?