Report

Point of View: Are Containers Secure?

Linux containers, and soon Windows containers, are being rapidly adopted by organizations as developers seek ways to push innovation faster into production environments and into customers' hands. Containers preserve the application environment all the way into production, maintaining consistency across the development and operations pipeline.

Containers are not inherently insecure, but they are being deployed in an insecure manner by developers, with little or no involvement from security teams and little guidance from security architects.

There are several security considerations when deploying containers that security architects must acknowledge and address:

  • Containers use a shared OS kernel. Thus, a compromise of the host OS kernel by a rogue container could lead to a loss of separation, resulting in complete access to all running containers on the host and potentially to other hosts on the network.
  • Containers are often not scanned for vulnerabilities before reaching production systems, so, as with any software, most successful attacks on containers will have a root cause that can be attributed to missing patches and misconfiguration. Unauthorized images are being deployed and executed in production environments.
  • Insecure configurations in testing and production environments increase the attack surface.
  • Containers are rarely built from scratch; they are based on existing images and open-source software (OSS), and often include known vulnerabilities that developers were unaware of or ignored.
  • Because containers use a shared OS kernel, existing host-based security controls won't (without modification) understand the context of the containers running on top of the OS and won't be able to apply differential security policy.
  • Most enterprises will lose visibility into inter-container traffic, and existing external network security controls for firewalling and intrusion prevention won't work within the container environment, which can lead to network attacks via insecure containers with exposed, non-hardened networking.
  • Developers are the main driving force behind container creation, and with DevOps-style workflows they gain more responsibilities due to shift-left momentum. This might increase the risk of losing separation of duties between development, operations and security. There is also a lack of accountability as containers pass through several hands en route from development into production.

The use of containers is commonly associated with rapid DevOps-style workflows as a way to streamline service delivery from development into production (and back again) with a high degree of consistency throughout the life cycle. The use of containers doesn't require DevOps, nor does the use of DevOps require containers, but the two approaches are highly complementary. In addition, container security best practices can be mapped into the DevOps workflow (CI/CD) to deliver DevSecOps.

Erez Yaary, HPE Software Chief Technologist, with security expert Elena Kravchenko, provides important thought leadership on container security. Download it today.
