Software containers are among the hottest aspects of enterprise technology right now. Sure, containers help enterprises save budget through, just like virtualization, the improvement of hardware density. But that’s not really why enterprises are turning to containerization. It’s how application containers bring to modern cloud environments improved manageability and the ability to deploy applications as discrete functions that can be used at will and reused elsewhere in the environment, wherever needed, as a service.
This is why containers play such a crucial role in the move to microservices – which is to build large applications as modular parts and not as monolithic blocks. When a microservice is built once, it can then be ran wherever and whenever one needs. Also, container applications aren’t dependent on the underlying operating system, so many aspects of running operations is simplified as a result.
While use is still nascent, overall, the SDXCentral’s 2017 Container and Cloud Orchestration Report found that container adoption is increasing. While last year only 8 percent of its survey respondents were using containers, that number swelled to 45 percent this year. The analyst firm 451 Research predicts that the application container market will reach $2.7 billion by 2020, up from $762 million in 2016.
Containerization can also help to improve security. One way is through the natural reduction in attack surface containers can facilitate. This is because only services required for the microservice in the container need to be available and can be shut off from other containers and systems. Container management is also incredibly scriptable and automated policy compliance enforcement is simplified.
However, because containers are so easy to deploy and use, the risk is that they sprawl all over unmanaged and with different settings and patch levels. Not good when it comes to security. This is why it’s important to keep in mind a number of recommended practices. Here are five I believe are worth considering:
Include container security management in your vulnerability management program. Consider storing and managing containers from known locations so that they may be assessed and patched properly for vulnerabilities. I’ve spoken with a number of organizations that have ran into challenges with their container initiatives simply because of the security issues that arose because their container vulnerabilities weren’t managed properly. Seek ways to verify the security posture of containers at runtime.
Harden the host. One crucial defensive layer is making sure the containers’ host is secure. Linux is the operating system of choice for container hosts, and of course more than one container can find a home within a host, so it’s important that the host itself is secured. The best way to achieve this is to follow the Linux operating system security best practices for the specific version being used, and make sure the hosts are monitored by the security team.
Shrink the container attack surface. Clearly, securing the host file is not enough. Containers have aspects that require their having standard profiles and configurations that align with the organization’s security and regulatory compliance demands. Turn off unnecessary services and system calls. Consider how to best reduce container communication and interactions internally and with container groups.
Secure container images and build files: This is another area that is essential to ensuring the container environment is secure. Best practices here include creating users without root access, and that administrative privileges are minimized to only those accounts that require it. Be sure to remove admins when they no longer need access to the file.
Automate security operations. Whenever you hear security professionals discuss security, they will no doubt discuss the importance of building security processes into the workflow of the organization. That broadly means to take security into consideration during the design, build, deploy and management phases of technology. When that comes to containers, it means the same thing: make sure security expertise is brought to bear during the design, build, and production phases. This is an area where continuous deployment can shine, because the security processes can be automated directly into the workflow.
While many enterprises remain cautious when it comes to software containerization, there’s really no need if the right practices are followed. At least not when it comes to good security.