Securing Virtual Container-Based Applications

Virtual containers are among the hottest technologies in the software development world today.

Containerization is an approach to virtualization in which apps and all their components are packaged up and compartmentalized but share a common operating system environment.

Since containers share a single OS kernel, they are much more efficient than full hardware virtualization. Containers introduce a revolutionary way to make applications portable and at the same time decrease their virtualization costs by orders of magnitude.

This technology is on a trajectory to massively disrupt the server virtualization industry, aiming to do to VMs what VMs did to physical machines. A well-known illustration shows the main differences between containers and virtual machines (credits: Docker):

Containerapps

Although containers technology is not new, it has surged in the past two years due to Docker, a Silicon-Valley based company that raised $150 million in total since January 2014. Docker developed an open-source run-time environment for containers, which makes containers much easier to deploy than before.

The Docker project has gained enormous popularity and has become the de-facto containerization standard supported by all major operating system providers (e.g. Microsoft, Red Hat), virtual data center providers (e.g. VMware), and cloud service providers (e.g. Google, Amazon Web Services, Microsoft Azure, Rackspace) in a very short time span. The Docker Engine has been downloaded over 400 million times, and there are over 100K “Dockerized” applications in the Docker Hub Registry; these numbers are rising on a daily basis.

Enterprise adoption of containers is still in its initial stages. A recent survey indicated that 70 percent of enterprises are either evaluating or already using Docker, but still mostly in development and QA environments. The number of enterprises that are currently using containers in mission-critical applications within production environment is low.

The two main inhibitors of further adoption are lack of operational production tools and enterprise-grade security. While several start-ups in the growing Docker ecosystem aim to tackle the first issue, security concerns remain largely unserved.

A recent report by Gartner analyzed Docker’s security measurements, and concluded that while it’s a work in progress, they are far from being sufficient, especially when it comes to management and administration. Like with many other open-source projects, mass distribution, ease of use and developers’ adoption are the first steps. Then comes management, orchestration, large-scale operational support and security.

We believe that the main platforms, such as Docker and CoreOS, will continue to strengthen the core security capabilities of containers; however, an end-to-end enterprise security solution will emerge from a third-party vendor. Container security startups are forming, and will act as accelerators to broader adoption of container technologies among enterprise customers in the next 12-18 months.

In addition to the lack of dedicated security tools for managing containers and verifying that the development -> production workflow is safe, elementary security components such as host hardening, continuous risk monitoring, threat analysis, access control management, logging and auditing are largely missing. Linux-based open source applications such as SELinux and AppArmor enable some enhanced security features, but these are partial solutions, and quite complex to operate.

There are some initial attempts to define how containers should be secured, but for most part, security operations teams feel they are left in the dark regarding what they might be doing wrong, or are they indeed enforcing industry best practices in their containerized applications.

Container technology raises security challenges throughout the entire development lifecycle. In the era of continuous deployment, developers find themselves sharing the security responsibilities. This may imply that security teams might need to place controls over what developers are doing, which is not a simple exercise given that the whole point of containers is to enable developers to ship new software features and capabilities as fast as possible.

One of the leading startups in the container security market is Twistlock, which enables developers and security operations teams to secure their container-based applications. With Twistlock, security operations teams centrally define container security requirements in policies, such as host-hardening standards, versioning of apps within containers and app configuration settings.

These policies are then enforced throughout the development lifecycle, across all the locations where containers are deployed (e.g. dev workstations, test environment in AWS, production environment on VMware).

The recent OpenSSL vulnerability is a good example of the power of this approach. Within hours from the disclosure, Twistlock was able to detect containers with vulnerable libraries, prevent them from running, and make it simple for developers to ensure compliance of all deployments going forward.

This is a nascent market, and as such, it evolves at a rapid pace. Many changes are ahead of us, and the number of unknowns is big. There are various approaches regarding how to secure containers, and probably more than one approach will prevail.

The only certain thing is that currently enterprises are lacking the proper security capabilities in order to further adopt this disruptive technology. In the next 12-18 months, we will witness the rise of the security segment within the virtual container ecosystem. With all the hype around Docker and the hyper-growth this ecosystem generates, it is going to be very exciting.