Nearly every business that is embracing DevOps methodologies is also deploying containers, or thinking about deploying them. According to this story in Betanews, there are more than 100 products that currently use containers in agile development, and they represent $1.7 billion in venture funding. “Eighty-eight percent of enterprises say they're shifting to a DevOps strategy, and containers are changing the nature of DevOps and transforming infrastructure,” Betanews reports.
When it comes to containers, which essentially virtualize an application within the operating system as a single unit, the question remains: what is their impact on security? In reality, containers can be both a help and a headwind to good security. One of the important aspects of containers is the metadata they hold. This container metadata tells teams what is in the container, so security professionals, admins, and developers can all see its contents and understand how important, from a risk perspective, each container is.
Container architecture, because everything is managed in a single unit, has a significant impact on security. Through containerization, rather than dependencies being spread throughout the environment, containers make it possible to fully separate applications that would have run concurrently on a server. This means dependencies, such as services required to support an application, can be bundled within that container – but shut off from other containers and systems. This can, when managed properly, reduce an enterprise’s attack surface.
Another potential benefit is that containers, because they each can be managed as discrete entities that perform a specific task, make automation – and security automation – much more straightforward.
Additionally, each container can be tested by QA teams and securely managed on its own. This makes it easier for DevOps teams to lower the amount of trouble single points of failure can cause in an environment. Operationally this can accelerate both the speed of development and deployment as well as increase the overall quality of an environment.
Of course, nothing is ever one-sided, and containers certainly have their potential drawbacks. Just as with virtualized workloads, containers make it easy for software assets to sprawl across the environment. This means they won’t be managed properly, and soon the environment will end up with too many unnecessary services running, a bloated attack surface, varying patch levels, and inconsistent application and system settings and configurations.
Interestingly, the majority of security challenges enterprises encounter with containers are exactly the same challenges they encountered with traditional and virtualized environments – configuration, operating system, and application vulnerabilities.
What can enterprises do to ensure their container environments remain secure? Earlier this year, the Center for Internet Security (CIS) and Docker published the CIS Docker 1.11.0 Benchmark. The Benchmark, CIS and Docker say, was created using a consensus of security experts, including those from consulting, software development, audit and compliance, security research, operations, government, and legal.
The six categories covered by the benchmark are below:
Host configuration security
Security recommendations that prep a host machine that will run containerized workloads. Securing the Docker host and implementing infrastructure security best practices lays a foundation for securely executing containerized workloads.
Docker daemon configuration
Security recommendations to secure the Docker server (daemon). This will help secure all instances running from the server by reviewing Docker-related files and directory permissions.
Container Images and Build File
Base images and their build files are what guide how the container behaves, which is vital to a healthy container infrastructure.
By securing the launch, risks of the container being infected are greatly mitigated. The guidance in this section of the document is for verifying the veracity of the runtime environment.
Docker Security Operations
This section is a solid overview of current security best practices that should be extended to the container environment.
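The review of Docker-related files and directory permissions mentioned under the daemon configuration category can be automated. The following is an added example, not code from this post or from the benchmark: the paths, owner and maximum modes in BASELINE are assumptions to adjust to the benchmark version you audit against, and only the owning user (not the group) is checked.

```python
import os
import stat

# Assumed baseline (not from the page): Docker-related paths with the owner
# uid and the widest mode the audit should accept. Tune to your benchmark.
BASELINE = [
    ("/etc/docker", 0, 0o755),
    ("/etc/default/docker", 0, 0o644),
    ("/var/run/docker.sock", 0, 0o660),
]

def audit_path(path, owner_uid, max_mode):
    """Return findings for one path, or None when the path does not exist."""
    try:
        st = os.stat(path)  # follows symlinks so the real target is judged
    except FileNotFoundError:
        return None
    findings = []
    if st.st_uid != owner_uid:
        findings.append(f"owner uid is {st.st_uid}, expected {owner_uid}")
    mode = stat.S_IMODE(st.st_mode)
    extra = mode & ~max_mode  # bits granted beyond the allowed maximum
    if extra:
        findings.append(
            f"mode {mode:04o} is wider than {max_mode:04o} (extra bits {extra:04o})"
        )
    return findings

def audit(baseline):
    """Audit every entry; return {path: 'SKIP' | 'PASS' | [findings]}."""
    report = {}
    for path, owner_uid, max_mode in baseline:
        findings = audit_path(path, owner_uid, max_mode)
        if findings is None:
            report[path] = "SKIP"  # path absent on this host
        elif findings:
            report[path] = findings
        else:
            report[path] = "PASS"
    return report

if __name__ == "__main__":
    for path, result in audit(BASELINE).items():
        print(path, "->", result)
```

A mode that is more restrictive than the baseline passes; only permission bits beyond the allowed maximum are reported.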
As you can see from the Center for Internet Security and Docker guidance above and what we reviewed in this post, container security differs in some ways from app and server security, but it has a lot in common with virtualization security. By following the guidance in the CIS Docker 1.11.0 Benchmark, enterprises can go a long way toward locking down their containers and improving security.