Preeti Rathi - August 24, 2015
Container security is not a well-solved problem today. While containers can isolate several areas of the underlying host from the containerized application, it is well known that this isolation is not as robust as that offered by virtual machines. It is still quite unclear how secure containers really are. An example that underlines this is a cheatsheet from Container Solutions on “using Docker safely”.
The security documentation from Docker states, “Running containers (and applications) with Docker implies running the Docker daemon. This daemon currently requires root privileges.” As one can imagine, root privilege is all-powerful – and if used improperly, it can cause a lot of havoc.
One of the highly touted benefits of running containers is that containers allow anywhere from two to six times more server instances on a given server than those possible on a virtual machine. This superior performance, however, is possible only when containers are run on bare metal (versus running containers on VMs). But if you check the container offerings from any of the public cloud providers today, you will find that no public cloud provider offers containers on bare metal. Even Google, which internally runs everything on containers and has been using the technology for a long time, does not offer containers on bare metal with GCE (Google Container Engine). This is because multi-tenant container security is still a problem waiting to be solved.
So far, a big part of the startup frenzy around containers has been around container management (StackEngine, Tutum, Nirmata, Panamax), orchestration (Mesos, Kubernetes, Docker Swarm), continuous integration and testing (CloudBees, Shippable, CircleCI) and related deployment areas. The majority of the exhibitors at the Docker Conference 2015 in San Francisco were focused on offering deployment-related solutions – further confirmation of the same. Given that containers gained their fame and momentum as a technology for developers, deployment as the first area of focus makes sense.
However, the next stage of big growth for containers will come from enterprise adoption of the technology. For containers to become an enterprise-grade technology, evolution and innovation in some key areas is a necessity. The primary areas that are still in early stages of evolution are container networking, handling of storage, and security. Of the three, container security lags behind the most.
Different aspects of container security are in various stages of evolution – ranging from preliminary solutions announced for a few of them to no resolution in sight for others.
Let's take image security of containers as an example – which, at a high level, is about ensuring that an image hasn't been tampered with and about vulnerability assessment of images. Some initial solutions for this have recently become available in the market. Docker recently announced Docker Content Trust (DCT), which makes it possible to verify the publisher of Docker images. Furthermore, IBM's Vulnerability Advisor gives container developers a view into their images' security properties and provides guidance on how images can be improved to meet common-sense best practices and to upgrade to known industry fixes.
Similarly, quite a few companies have already announced support for another well-known area of container security – container monitoring, which is about providing visibility into containers. These include New Relic (Servers for Docker), Datadog, Sysdig, GroundWork's BoxSpy, Google's cAdvisor, etc.
However, other security areas, such as preventing unauthorized access to containers, still need a robust solution to accelerate container deployment and usage in the enterprise. Startups like Scalock, along with a few others still in stealth mode, are focused on providing such a solution.
Another security area that is still in early stages of evolution is running containerized apps with different security profiles on the same host – which is considered too risky today. Solutions are needed not only for setting security policies for containerized apps but also for closing any loopholes in the container configuration profile. Twistlock, an Israel-based startup, provides the ability to configure security profiles for containers and also offers container monitoring capability.
However, for some areas, like multi-tenant security, there is no solution in sight.
It has been said often enough that containers do not contain. But this creates an opportunity for entrepreneurs to innovate and generate huge value in the process.