Containers, the step in virtualization after virtual machines, have become data center favorites. Because they share the host's kernel instead of each booting a full guest OS, they have a smaller footprint than VMs and start and run faster. The technology brings some security improvements, but it also raises new concerns.
“Container security is a very different model than the hypervisor model,” says Ed Moyle, director of thought leadership and research for ISACA, a nonprofit association in Rolling Meadows, Ill., focused on trusted advice for information systems. “When you put regulated information like customer credit card info in a container in a multitenant cloud environment, you really have to pay more attention.”
For example, many containers demand root access. Moyle says, “It doesn’t have to be that way.” He considers container security to be in its early days, and expects that over time companies will improve it as they did with VMs. Tools from container vendors are a good first step toward better security. “Docker [a software containerization platform] and others build security features and tools into their container engines. And tools like Snort [a network intrusion detection system] help in understanding container security.”
Jesse Hertz, senior security consultant at the NCC Group, an independent, global cybersecurity and risk mitigation consultancy, warns about network access: “Too often, these deployments lack the network access controls that would previously have been in place with firewalls or other physical devices. Once an attacker is within a container [that attacker] can often connect to other containers, the container’s host, or other computers on the network.”
How to lock down the container? “Have an architecture diagram,” says Hertz. “Drop the capability for a container to use raw sockets, and add ebtables rules to prevent a container from sending malicious traffic. Audit code that interacts with the container, as well as custom code responsible for ‘spinning up’ the container.” Hertz also suggests performing a real penetration test of your platform before deploying a new environment, and looking carefully at the privileges and access of the containers on the platform.
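As an added example (not code from the article, and not one of the vendor tools it names), the following Python audits `docker inspect` output for the points Moyle and Hertz raise above: containers that run as root, containers that still hold the raw-socket capability (CAP_NET_RAW), containers on host networking, and containers with the Docker socket or other host paths bind-mounted in. The field names it reads (`Config.User`, `HostConfig.Privileged`, `HostConfig.CapAdd`, `HostConfig.CapDrop`, `HostConfig.NetworkMode`, `HostConfig.Binds`) are the ones `docker inspect` actually emits; the inspect JSON embedded in the script is a constructed sample, and the file name `audit_containers.py` is an assumption.

```python
"""Audit `docker inspect` output for the container privileges discussed above.

Added example; not code from the article or from any vendor tool named in it.
The field names (Config.User, HostConfig.Privileged, HostConfig.CapAdd,
HostConfig.CapDrop, HostConfig.NetworkMode, HostConfig.Binds) are the ones
`docker inspect` really emits; the JSON embedded below is a constructed sample.
Real use:  docker inspect $(docker ps -q) | python3 audit_containers.py
"""
import json
import sys

# Constructed sample of `docker inspect` output: one unhardened container and
# one hardened one. Only the fields the audit reads are included.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/payments-api",
        "Config": {"User": ""},  # empty: the process runs as root in the container
        "HostConfig": {
            "Privileged": False,
            "CapAdd": ["NET_ADMIN"],
            "CapDrop": [],
            "NetworkMode": "host",
            "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
        },
    },
    {
        "Name": "/frontend",
        "Config": {"User": "10001:10001"},
        "HostConfig": {
            "Privileged": False,
            "CapAdd": [],
            "CapDrop": ["ALL"],
            "NetworkMode": "frontend_net",
            "Binds": [],
        },
    },
])

# Host paths that hand a container control of the host when bind-mounted.
DANGEROUS_BINDS = {"/", "/var/run/docker.sock", "/run/docker.sock", "/proc", "/sys"}


def audit_container(rec):
    """Return a list of (severity, message) findings for one inspect record."""
    findings = []
    name = rec.get("Name", "?").lstrip("/")
    cfg = rec.get("Config") or {}
    hc = rec.get("HostConfig") or {}
    cap_add = {c.upper() for c in (hc.get("CapAdd") or [])}
    cap_drop = {c.upper() for c in (hc.get("CapDrop") or [])}

    if hc.get("Privileged"):
        findings.append(("critical", "--privileged: all capabilities, all host devices, seccomp/AppArmor off"))

    # Config.User is "" when neither the image nor `docker run` set a user: root.
    user = (cfg.get("User") or "").strip()
    if user == "" or user.split(":")[0] in ("0", "root"):
        findings.append(("high", f"runs as root (Config.User={user!r})"))

    # CAP_NET_RAW is in Docker's default capability set, so the container keeps
    # it unless it is dropped (directly or via ALL) and not re-added.
    has_net_raw = ("NET_RAW" in cap_add or "ALL" in cap_add
                   or not (cap_drop & {"NET_RAW", "ALL"}))
    if has_net_raw:
        findings.append(("medium", "keeps CAP_NET_RAW: raw sockets, spoofed and ARP traffic"))
    if "NET_ADMIN" in cap_add or "ALL" in cap_add:
        findings.append(("high", "CAP_NET_ADMIN added: can reconfigure interfaces and routes"))

    if hc.get("NetworkMode") == "host":
        findings.append(("high", "host networking: no network namespace between container and host"))

    for bind in hc.get("Binds") or []:
        src = bind.split(":", 1)[0]
        if src in DANGEROUS_BINDS:
            findings.append(("critical", f"bind-mounts {src}: effectively root on the host"))

    return [(sev, f"{name}: {msg}") for sev, msg in findings]


def audit_all(inspect_json):
    """Parse `docker inspect` JSON text; return {container_name: findings}."""
    return {rec.get("Name", "?").lstrip("/"): audit_container(rec)
            for rec in json.loads(inspect_json)}


if __name__ == "__main__":
    # Read piped inspect output; fall back to the constructed sample on a terminal.
    text = SAMPLE_INSPECT if sys.stdin.isatty() else sys.stdin.read()
    report = audit_all(text)
    for name, findings in report.items():
        print(f"{name}: {len(findings)} finding(s)")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
    sys.exit(1 if any(report.values()) else 0)
```

On the sample, `payments-api` produces five findings and `frontend` none. The corresponding `docker run` fixes are `--user <uid>:<gid>`, `--cap-drop ALL` (or at least `--cap-drop NET_RAW`), a user-defined `--network` instead of `--network host`, and no bind mount of the Docker socket. The host-side ebtables rules Hertz mentions are a separate layer that this container-level audit does not check.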
Moyle mentions two commercial tools for container security: the Aqua Container Security Platform from Aqua Security Software Inc., and Twistlock from the vendor of the same name. “These are only two examples, and there are new players developing security-specific tools for containers on an almost daily basis,” he adds.
So far, most of the container security risks are theoretical and have not been exploited, although Moyle adds that companies rarely publicize successful security attacks. Hertz sees critical flaws that attackers could use to bypass security controls on almost every engagement, but agrees there haven’t been many high-profile attacks where container security broke down.
Moyle believes container security is a hot market for VARs. “Security is a big differentiator, and there’s a huge business opportunity for security experts in the channel. Understand their regulatory environment and their business, talk with authority, and you may be able to charge a premium for container security expertise.”