When it comes to security, anything new is usually bad news. And for most organizations, containers are something new.
That's a concern, as containers will likely come to your organization in the near future -- if they are not in use already. That may be in the form of Docker containers, CoreOS's rkt-based containers, or some other type - probably more generic containers that conform to the emerging Open Container Initiative standard that's based in Docker technology.
Here's what you need to know about container security, and some initiatives that may help you improve your container security posture.
Are Containers Secure?
Although containers are seen as an alternative to virtual machines, they are likely less secure. That's because:
- Containers don't provide the same degree of isolation between applications running on the same host as virtual machines.
- Container systems don't provide the same level of isolation from the host as hypervisors do. For example, there is a risk that a process running with root privileges in a container will have root privileges on the host it is running in.
- Container management systems are much less mature that virtual machine management systems such as VMware's vSphere. That means there's an increased risk of outdated or insecure container images - or even ones that have been tampered with by a hacker - being deployed.
- IT professionals possess less experience and understanding of containers than they do of virtual machines or conventionally deployed applications. That means they are less familiar with processes for updating and patching applications and operating systems, and for deploying other security measures.
But it's not all bad security news for containers. That's because:
- Containers provide a greater degree of isolation between applications on the same host than conventionally deployed applications.
- Containers encourage the use of slimmed-down software stacks with minimized attack surfaces.
- Containers make it easy to deploy and redeploy applications, which may make it less likely that applications are just left running without security patches.
Container Security Initiatives
The container market is maturing fast, and this maturation is bringing several initiatives and innovations to make the underlying technology more secure. Here, we offer an overview of three of the key ones.
Running Containers in Virtual Machines
Virtualization giant VMware is a vocal advocate of the idea of running each containerized application in its own virtual machine to increase security. Perhaps that's not surprising given that container technology can be seen as a direct rival to its server virtualization technology, but VMware's approach is certainly worth a good look.
Putting each container in its own virtual machine offers superior isolation from the host machine and from other containers running on the same host. That much is clear.
But bringing virtual machines in to the mix would seem to negate many of the benefits of containers: for example that you can start them far faster than virtual machines, and that you can run far more containers than virtual machines on a single host.
VMware has attempted to overcome this objection by introducing Photon OS, a pared-down Linux distro specifically designed for running containers, and virtual machines that use a lightweight Photon Machine "microvisor" which is based on its ESXi hypervisor. You can then use Instant Cloning to bring a new virtual machine into existence in a half second or so to wrap each container as you launch it.
"When you are done running the container, the VM goes away - so you are using VMs in a different way to normal, " said Kit Colbert, VMware's VP and CTO, Cloud-Native Apps. "You are not creating a VM, installing an OS, patching it and keeping it. The virtual machines are transparent and created on the fly."
An added benefit of this approach is that you can manage each container that you launch - via the virtual machine that it is running in - through VMware's vCenter management software.
Specialist Container Security Software
When virtual machine technology emerged, many organizations' initial approach to security was to apply the same security measures to virtual machines as they did to physical machines. Only later did more specialized software emerge that was specifically designed to meet the security requirements of virtual machines.
That process is now beginning to repeat itself, with software specifically designed to meet the security requirements of containers now starting to emerge. Some examples of specialized container security software include Clair and Twistlock.
Clair is an open source API-driven analysis engine that inspects containers layer-by-layer for known security flaws. That's useful for identifying container images that may not have contained any known vulnerabilities when you made them, but which have subsequently become unsafe to use because of the discovery of new vulnerabilities.
Using Clair, you can also build services that provide continuous monitoring for vulnerabilities in existing containers.
Twistlock is a security suite for containers founded by Ben Bernstein and Dima Stopel, who both spent more than 10 years in the Microsoft R&D center in Israel and who also served in the Israel Defense Force's (IDF) formidable intelligence corps.
The software suite lets you:
- Monitor both static container images and runtime container applications to identify container security risks
- Specify security baselines to ensure your hosts have been hardened and your applications meet certain quality and security standards before they can be pushed into production
- Protect containers deployed both in the cloud and on-premises in a virtual data center
It's likely that more products offering similar functionality to Twistlock will emerge in the near future - either from security startups or as part of established security software vendors' product portfolios.
From an organizational point of view, the drawback to specialist container security software is that it adds an extra layer of complexity that IT staff must learn.
That's avoided by some products like open source software vulnerability checker Whitesource. In Whitesource's case, the product was not designed specifically for containers but has simply been made Docker aware. That enables it to look inside your containers as well as conventional software stacks to alert you to outdated or insecure open source software components.
A Secure Container Computing Environment
CoreOS has emerged as the major rival to Docker in the container space, and late last year it unveiled Distributed Trusted Computing. This is a system which allows you to cryptographically verify the integrity of your entire container environment - from the server hardware to the applications running in containers.
Using DTC servers in a container cluster start up using Secure Boot, which validates cryptographically that the operating systems have not been modified in any way. This continues to the container execution environment, and then the container images themselves are verified using keys stored in the servers' Trusted Platform Modules (TPMs).
The final step is cluster security, and only machines that have been Secure Booted are allowed in to a cluster. Systems that do not pass cryptographic integrity checks are prevented from joining clusters, are never able to request or obtain cluster data and never have containers scheduled on them.
The downside of DTC is that if you want to use it you need to buy in to CoreOS's entire container ecosystem (rather than, say, Docker's) - but that is not necessarily something enterprises would want to avoid.
What Is Docker Doing?
Docker Inc., the lead commercial sponsor behind the Docker open source container technology, is also involved in multiple initiatives to strengthen Docker container security. As Sean Michael Kerner reported, these include the open source Notary project and Docker Content Trust efforts, which bring signed application images and a mechanism to protect users from man-in-the-middle attacks against signed image updates.
The newest container security initiative, announced at the recent Dockercon EU conference, is a scanning project called Project Nautilus that involves examining and validating images on the Docker Hub repository, with the aim of identifying vulnerabilities that exist in Dockerized applications. Docker also announced support for a security capability known as user namespaces that will allow Docker users to enforce security controls on application processes running inside of a Docker engine, according to Kerner.
In addition, Docker plans to support Linux seccomp, a technology that Nathan McCauley, director of security at Docker, said will allow users to limit what runs inside Docker containers.
Yet another ongoing security initiative aims to improve authentication and authorization inside of Docker. The goal is to enable robust support for common authentication mechanisms, including Kerberos, LDAP and Microsoft Active Directory as well as SASL (simple authentication and security layer). Finally, Kerner reported, work is under way to develop an authorization plugin framework that intercepts requests and allows authorization plugins to decide what to allow, based on security policy.
There's still a long way to go for containers in terms of security tools, expertise and experience, and even security baked in to container systems such as Docker. But the container security technology is evolving rapidly, and as standards emerge security will inevitably be ratcheted upwards.
Paul Rubens has been covering enterprise technology for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.