"In other words, three out of every four images created this year have vulnerabilities that are relatively easy to exploit with a potentially high impact," wrote founder Yoshio Turner in the report.
In August, Docker announced the release of the Docker Content Trust, a new feature in the container engine that makes it possible to verify the publisher of Docker images.
"It provides cryptographic guarantees and really leapfrogs all other secure software distribution mechanisms," Docker's McCauley said. "It provides a solid basis for the content you pull down, so that you know that it came from the folks you expect it to come from."
Red Hat, for example, which has its own container repository, signs its containers, said Red Hat's Bressers.
"We say, this container came from Red Hat, we know what's in it, and it's been updated appropriately," he said. "People think they can just download random containers off the Internet and run them. That's not smart. If you're running untrusted containers, you can get yourself in trouble. And even if it's a trusted container, make sure you have security updates installed."
Security and management
According to Docker's McCauley, existing security tools should be able to work on containers the same way they do on regular applications, and he also recommended that companies apply Linux security best practices.
Earlier this year Docker, in partnership with the Center for Information Security, published a detailed security benchmark best practices document, and a tool called Docker Bench that checks host machines against these recommendations and generates a status report.
However, for production deployment, organizations need tools that they can use that are similar to the management and security tools that already exist for virtualization, said Eric Chiu, president and co-founder at virtualization security vendor HyTrust.
"Role-based access controls, audit-quality logging and monitoring, encryption of data, hardening of the containers -- all these are going to be required," he said.
In addition, container technology makes it difficult to see what's going on, experts say, and legacy systems can't cut it.
"Lack of visibility into containers can mean that it is harder to observe and manage what is happening inside of them," said Loris Degioanni, CEO at Sysdig, one of the new vendors offering container management tools.
Another new vendor in this space is Twistlock, which came out of stealth mode in May.
"Once your developers start to run containers, IT and IT security suddenly becomes blind to a lot of things that happen," said Chenxi Wang, the company's chief strategy officer.
Say, for example, you want to run anti-virus software. According to Wang, it won't run inside the container itself, and if it's running outside the container, on the virtual machine, it can't see into the container.
Twistlock provides tools that can add security at multiple points. It can scan a company's repository of containers, and it can scan containers just as they are loaded and prevent vulnerable containers from launching.
"For example, if the application inside the container is allowed to run as root, we can say that it's a violation of policy and stop it from running," she said.
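One way to apply the root-user policy Wang describes at load time, as an added example (not the article's or Twistlock's code): a Python check over `docker inspect`-style image metadata. The sample images, their tags and the allow/block wording are constructed assumptions.

```python
import json

# Constructed samples shaped like `docker inspect <image>` output (added example, not the
# article's or Twistlock's code). Only the fields the check reads are included.
SAMPLE_INSPECT = json.dumps([
    {"RepoTags": ["example/web:1.0"], "Config": {"User": ""}},           # no USER directive
    {"RepoTags": ["example/api:2.3"], "Config": {"User": "0:0"}},        # explicit uid 0
    {"RepoTags": ["example/worker:1.1"], "Config": {"User": "app:app"}}  # non-root user
])

# Values of the image USER field that resolve to root.
ROOT_IDENTITIES = {"", "root", "0"}


def runs_as_root(image):
    """True when the image has no USER directive, or one that resolves to root / uid 0.

    Docker accepts "user", "user:group", "uid" or "uid:gid"; only the user part matters.
    """
    user = image.get("Config", {}).get("User") or ""
    return user.split(":")[0].strip() in ROOT_IDENTITIES


def evaluate_images(inspect_json):
    """Map each image tag to a policy decision: "allow" or "block: <reason>"."""
    decisions = {}
    for image in json.loads(inspect_json):
        tag = image["RepoTags"][0]
        if runs_as_root(image):
            decisions[tag] = "block: runs as root (no non-root USER directive)"
        else:
            decisions[tag] = "allow"
    return decisions


if __name__ == "__main__":
    for tag, decision in evaluate_images(SAMPLE_INSPECT).items():
        print(f"{tag}: {decision}")
```

This reads the image's own USER setting; a `--user` or `--privileged` flag given at `docker run` time is a container property, so a launch-time control also has to inspect the running container, not just the image.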
Twistlock can monitor whether a container is communicating with known command-and-control hosts and either report it, cut off the communication channel, or shut down the container altogether.
And the company also monitors communications between the container and the underlying Docker infrastructure, to detect applications that are trying to issue privileged commands or otherwise tunnel out of the container.
According to IDC analyst Gary Chen, container technology is still so new that most companies are still figuring out what value containers offer and how they're going to use them.
"Today, it's not really a big market," he said. "It's still really early in the game. Security is something you need once you start to put containers into operations."
That will change once containers get more widely deployed.
"I wouldn't be surprised if the big guys eventually got into this marketplace," he said.
More than 800 million containers have been downloaded so far by tens of thousands of enterprises, according to Docker.
But it's hard to calculate the dollar value of this market, said Joerg Fritsch, research director for security and risk management at research firm Gartner.
"Docker has not yet found a way to monetize their software," he said, and there are very few other vendors offering services in this space. He estimates the market size to be around $200 million or $300 million, much of it from just a single services vendor, Odin, formerly the service provider part of virtualization company Parallels.
With the exception of Odin, most of the vendors in this space, including Docker itself, are relatively new startups, he said, and there are few commercial management and security tools available for enterprise customers.
"When you buy from startups you always have this business risk, that a startup will change its identity on the way," Fritsch said.
This story, "As containers take off, so do security concerns" was originally published by CSO.