As containers take off, so do security concerns

Containers offer a quick and easy way to package up applications but security is becoming a real concern

stacked shipping containers
Credit: Tristan Taussac

Containers offer a quick and easy way to package up applications and all their dependencies, and are popular with testing and development.

According to a recent survey sponsored by container data management company Cluster HQ, 73 percent of enterprises are currently using containers for development and testing, but only 39 percent are using them in a production environment.

But this is changing, with 65 percent saying that they plan to use containers in production in the next 12 months, and cited security as their biggest worry. According to the survey, just over 60 percent said that security was either a major or a moderate barrier to adoption.

Containers can be run within virtual machines or on traditional servers. The idea is somewhat similar to that of a virtual machine itself, except that while a virtual machine includes a full copy of the operating system, a container does not, making them faster and easier to load up.

The downside is that containers are less isolated from one another than virtual machines are. In addition, because containers are an easy way to package and distribute applications, many are doing just that -- but not all the containers available on the web can be trusted, and not all libraries and components included in those containers are patched and up-to-date.

According to a recent Red Hat survey, 67 percent of organizations plan to begin using containers in production environments over the next two years, but 60 percent said that they were concerned about security issues.

Isolated, but not isolated enough

Although containers are not as completely isolated from one another as virtual machines, they are more secure than just running applications by themselves.

"Your application is really more secure when it's running inside a Docker container," said Nathan McCauley, director of security at Docker, which currently dominates the container market.

According to the Cluster HQ survey, 92 percent of organizations are using or considering Docker containers, followed by LXC at 32 percent and Rocket at 21 percent.

Since the technology was first launched, McCauley said, Docker containers have had built-in security features such as the ability to limit what an application can do inside a container. For example, companies can set up read-only containers.

Containers also use name spaces by default, he said, which prevent applications from being able to see other containers on the same machine.

"You can't attack something else because you don't even know it exists," he said. "You can't even get a handle on another process on the machine, because you don't even know it's there."

However, container isolation doesn't go far enough, said Simon Crosby, co-founder and CTO at security vendor Bromium.

"Containers do not make a promise of providing resilient, multi-tenant isolation," he said. "It is possible for malicious code to escape from a container to attack the operation system or the other containers on the machine."

If a company isn't looking to get maximum efficiency out of its containers, however, it can run just one container per virtual machine.

This is the case with Nashua, NH-based Pneuron, which uses containers to distribute its business application building blocks to customers.

"We wanted to have assigned resourcing in a virtual machine to be usable by a specific container, rather than having two containers fight for a shared set of resources," said Tom Fountain, the company's CTO. "We think it's simpler at the administrative level."

Plus, this gives the application a second layer of security, he said.

"The ability to configure a particular virtual machine will provide a layer of insulation and security," he said. "Then when we're deployed inside that virtual machine then there's one layer of security that's put around the container, and then within our own container we have additional layers of security as well."

But the typical use case is multiple containers inside a single machine, according to a survey of IT professionals released Wednesday by container security vendor Twistlock.

Only 15 percent of organizations run one container per virtual machine. The majority of the respondents, 62 percent, said that their companies run multiple containers on a single virtual machine, and 28 percent run containers on bare metal.

And the isolation issue is still not figured out, said Josh Bressers, security product manager at Red Hat.

[ ALSO ON CSO: For containers, security is problem #1 ]

"Every container is sharing the same kernel," he said. "So if someone can leverage a security flaw to get inside the kernel, they can get into all the other containers running that kernel. But I'm confident we will solve it at some point."

Bressers recommended that when companies think about container security, they apply the same principles as they would apply to a naked, non-containerized application -- not the principles they would apply to a virtual machine.

"Some people think that containers are more secure than they are," he said.

Vulnerable images

McCauley said that Docker is also working to address another security issue related to containers -- that of untrusted content.

According to BanyanOps, a container technology company currently in private beta, more than 30 percent of containers distributed in the official repositories have high priority security vulnerabilities such as Shellshock and Heartbleed.

Outside the official repositories, that number jumps to about 40 percent.

Of the images created this year and distributed in the official repositories, 74 percent had high or medium priority vulnerabilities.

1 2 Page 1
Shop Tech Products at Amazon