Containers Are Inherently Secure: Reality or Myth?

May 15, 2020
4 minutes
... views
Adoption status for containers and Kubernetes.
Adoption status for containers and Kubernetes (Source: 451 Research’s Voice of the Enterprise: DevOps, Q4 2019)

There has been a lot of enthusiasm in the developer community about container adoption because containers help make building and deploying cloud-native applications faster and simpler. Containers are self-contained apps and services that you can easily deploy and update (think lightweight virtual machines). Application codes developed as containers are highly portable and can run anywhere across virtual machines, hard servers in data centers and across private or public clouds. Just as importantly, containers greatly simplify the process of getting application code from testing to production by reducing a lot of the friction.

In a recent 451 Research Voice of the Enterprise (VotE) study of DevOps practices, more than half of the respondents had containers deployed at some level in their organizations. More than a third were using the Kubernetes orchestration framework as part of their management toolkit. (You can view the full infographic on data center transformation.)

 

How Secure Is Secure?

Containers are also often viewed as secure, but in reality they’re far from being impenetrable. Don’t get me wrong - to say that containers don’t offer any security is far from the truth. Containers actually have unique properties that provide invaluable cybersecurity benefits. They isolate applications, have integrated security capabilities, and because they’re frequently ripped and replaced, they provide a fast mechanism to overcome software vulnerabilities. Enabled by the use of continuous integration/continuous deployment (CI/CD) platforms such as Jenkins, the rip and replace process referred to as microservices can take minutes as opposed to traditional methods of waiting weeks or months for software patches and updates to be applied.

In spite of these security advantages, containers are a primary target for cybersecurity attacks and identified among the top ten enterprise attack vectors in 2019. They have unique properties that make them vulnerable to threats, one of which is container images. An image is the building block for containers. It is a standalone static file that includes executable code that can run as an isolated process. Images must originate from a trusted registry and must get vetted and code validated to ensure they’re secure. Otherwise, they tend to be highly vulnerable to cyberattacks.

Another potential source of vulnerabilities for containers, as an example, is user access control. Developers need to have access to what they need to get their job done, but having root access without centrally managed constraints can have adverse security effects.

Case in point, to test the security of cloud-native tools, researchers from Palo Alto Networks created an app based on a published and ready-to-run Drupal 8. They used a full cloud-native security buildout. The CI/CD pipeline used Git for source control management; Docker for container deployment; and Jenkins for building, testing and deploying to AWS. The container was compromised in 45 minutes. You can read more about this particular attack in our recent whitepaper: "Five Major Security Threats and How to Stop Them."

 

The Bigger Picture

Most importantly, once a containerized application is built, you can be sure that it will manifest itself on every platform and infrastructure your developers have access to. That means you need to secure applications running on-prem whether on hard servers or in a virtualized environment in addition to multiple public clouds by both enforcing security policies and remediating any issues that might arise across these platforms. This is a tall order, especially considering the chronic shortage of information security professionals with expertise in these new environments, such as containers and cloud.

Survey respondents identify their top information security skill set gap as cloud platform expertise.
Information security personnel staffing level ( Source: 451 Research’s Voice of the Enterprise: Information Security, Organizational Dynamics 2019)

Organizations of all sizes will be running a mix of legacy and emerging cloud-native applications well into the end of the next decade. To minimize the impact of securing these environments, organizations need to use an approach that simplifies the creation and maintenance of security policies at scale and offers a unified management framework for managing policies across multiple environments.

Read more: Five Major Security Threats and How to Stop Them.

Join our virtual event and learn more how container security can be a part of securing your enterprise transformation.

This blog is part of a series, “Reality or Myth,” that covers common security threats and suggests best practices for mitigating them.


Subscribe to the Blog!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.