This column is available in a weekly newsletter called IT Best Practices.
In a nod to the benefits of containers, the financial services giant Goldman Sachs Group has announced it's in the midst of a year-long project to move 90% of its software into containers. The shift involves some 5,000 applications as well as the firm's software infrastructure.
As reported in The Wall Street Journal, Don Duet, the co-head of Goldman Sachs' technology division, says this move will create a better software environment for his company. The staff of more than 8,000 software developers can focus on creating new products and tools, while the runtime process is automated, thus reducing labor and infrastructure costs. In addition, the use of containers will create standards for packaging and distributing different kinds of software.
I should note that Goldman Sachs has a financial investment in Docker Inc., the dominant player in the container space today. Thus if the investment firm's migration to Docker containers proves to be successful, the company expects to win on two fronts: a better software development process, and a return on its investment if Docker's fortunes rise.
While Goldman Sachs jumps headlong into containers, many other companies, including some very large enterprises like BNY Mellon, are testing the waters with projects of their own. They are taking a cautious approach because there are some inherent weaknesses in the security aspects of containers. Container companies like Docker and CoreOS are improving the security tools they include with their development kits, but there is still room for improvement as far as security is concerned.
There are several security challenges with containers, mostly unrelated to one another, that can be more difficult to address than in traditional software environments. One issue is that a container environment can have 20x to 30x the number of items to track compared to a virtual machine implementation. Moreover, containers are ephemeral in the sense that they may be short-lived: they could run, do what they do, stop and then disappear. All of this creates an environment that requires tight supervision.
Another aspect is that containers run on a shared Linux kernel. It's ironic that the very thing that makes containers so useful is also the cause of many of the security issues. Because they run on a shared kernel, they rely on the host OS to provide some of the essential security services, and this creates two issues. One is that Linux wasn't created with this sort of multi-tenancy in mind; it has only been adapted for containers. The other is that there are variations among Linux releases and distributions, resulting in different levels of security coming from the host OS.
A third security factor stems from one of the very things that makes containers so great: the very rapid pace of development. In a traditional application development environment, software updates might come out two or three times a year. With containers, updates are practically continuous. This necessitates having strict controls in place from the developer all the way through runtime.
One company out to address these issues is Aqua Security (formerly Scalock), launched in May by long-time security industry veterans. The company's Aqua Container Security Platform manages the software development process as one continuum, from development through staging and into the runtime and production stages. The ultimate goal is to protect containers while they are running in production. Everything that Aqua does along the way is designed to serve that goal.
The Aqua platform, which can run completely on premises or in the cloud, has two main components.
The Aqua Console is the management piece that manages the system settings. It integrates with registries where images are pulled from; with Active Directory and LDAP for user authentication and identity management; and with continuous integration and continuous delivery (CI/CD) tools to manage things throughout the lifecycle. On the backend, the console integrates with SIEM solutions so event logs can be pulled into a central console. The Aqua Console also manages the Aqua Agents, which are the other major component of the platform.
The Aqua Agents are themselves privileged containers that are installed on the hosts to be protected. One agent is installed for every container engine. The agent enforces policy on the other containers and reports all of their activity back to the console.
The Aqua Console and agents are complemented by Aqua's Container Cyber Intelligence service, which is research that tracks and maps the vulnerabilities pertaining to containers. Aqua feeds that research into its automated policy to keep protection up to date.
These components are said to form a multi-layered security model. The first layers of protection include image assurance, and user authentication and authorization. Aqua gains visibility into every image in the public and private registries as well as the containers that run in production. They are scanned for known vulnerabilities and malware using static and dynamic scans, and then Aqua turns that into a policy that is enforced throughout the stages of continuous integration. Unapproved images are prevented from running.
The Aqua Agent enforces granular access controls at the container level and by user role. This determines which users can access which containers, and what those users can do. Aqua also enforces policies on containers to control what a container is and isn't permitted to do, and what kinds of things trigger alerts or preventive measures.
Another layer of security involves host hardening. Aqua adds value by restricting and enforcing namespaces, access to root, and access to system calls that aren't needed for the container environment.
Beyond that is container activity lockdown, in which Aqua applies the least privilege principle to container access to the OS and network resources. Since containers on the same host aren't aware of each other, Aqua enforces runtime parameters to ensure that containers remain isolated and cannot stop each other from running.
On top of that, Aqua provides intrusion prevention/detection capabilities. The system monitors containers for malicious behavior. There is a layer of automated learning and a layer of behavioral policy that looks at what a container is trying to do. If the activity is considered malicious or abuses host resources – for example, taking more memory or CPU than it is supposed to – then Aqua can act on it. Some behaviors are considered malicious regardless of the policy set for the container: there are no normal circumstances under which a container would do these things, so the container can be stopped. Aqua also prevents privilege escalation attempts.
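The host hardening, least-privilege and resource-abuse layers described above all boil down to checking a container's runtime configuration against a policy and blocking or alerting on violations. The following is an added example, not Aqua's code: it evaluates two constructed records in the shape of `docker inspect` output (one weak, one hardened) against a hypothetical baseline policy, with the capability list and blocking categories chosen for illustration.

```python
import json

# Constructed sample records in the shape of `docker inspect` output (trimmed).
WEAK = json.dumps({"Name": "/payments-api", "Config": {"User": ""}, "HostConfig": {
    "Privileged": True, "CapAdd": ["SYS_ADMIN", "NET_RAW"], "CapDrop": [],
    "SecurityOpt": ["seccomp=unconfined"], "ReadonlyRootfs": False,
    "Memory": 0, "PidsLimit": 0}})
HARDENED = json.dumps({"Name": "/payments-api", "Config": {"User": "10001:10001"},
    "HostConfig": {"Privileged": False, "CapAdd": [], "CapDrop": ["ALL"],
    "SecurityOpt": ["no-new-privileges:true"], "ReadonlyRootfs": True,
    "Memory": 268435456, "PidsLimit": 256}})

# Capabilities that reach into the shared host kernel; hypothetical baseline list.
KERNEL_FACING_CAPS = {"SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "NET_ADMIN", "NET_RAW"}
# Findings in these categories block the container; the rest only raise alerts.
BLOCKING = {"privileged", "capabilities", "seccomp"}

def evaluate_container(inspect_json: str) -> list[str]:
    """Return 'category: detail' findings for one container record."""
    rec = json.loads(inspect_json)
    host, cfg = rec.get("HostConfig", {}), rec.get("Config", {})
    opts = host.get("SecurityOpt") or []
    findings = []
    if host.get("Privileged"):
        findings.append("privileged: full access to host devices and kernel")
    risky = sorted(KERNEL_FACING_CAPS & set(host.get("CapAdd") or []))
    if risky:
        findings.append("capabilities: added " + ", ".join(risky))
    if "seccomp=unconfined" in opts:
        findings.append("seccomp: syscall filtering disabled")
    if not any(o.startswith("no-new-privileges") for o in opts):
        findings.append("privesc: setuid binaries may regain privileges")
    user = (cfg.get("User") or "").split(":")[0]
    if user in ("", "0", "root"):
        findings.append("user: process runs as root inside the container")
    if not host.get("ReadonlyRootfs"):
        findings.append("filesystem: root filesystem is writable")
    if not host.get("Memory") or not host.get("PidsLimit"):
        findings.append("resources: no memory or pids limit, host resources can be exhausted")
    return findings

def decide(findings: list[str]) -> str:
    """Map findings to an enforcement action: block, alert or allow."""
    if any(f.split(":", 1)[0] in BLOCKING for f in findings):
        return "block"
    return "alert" if findings else "allow"

if __name__ == "__main__":
    for label, rec in (("weak", WEAK), ("hardened", HARDENED)):
        f = evaluate_container(rec)
        print(label, decide(f), *f, sep="\n  ")
```

The same checks can run in a CI/CD gate before deployment and again against live containers pulled from the engine's API, which is how one policy covers both the build and runtime stages.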
In building this security solution, Aqua focused on runtime protection, so everything this system does along the way enables and enforces that. There is also a high degree of automation, both in terms of policy creation and the ability to integrate with the DevOps process to trigger various events along the way in an automated fashion.
Containers are one of the hottest trends in data center technology right now, and security must be integrated into the entire process.