Container-based Security: A Move from Virtual Machines

By CIOReview | Monday, May 8, 2017

Present-day IT enterprises are steadily transforming their software development practices to deliver software faster. As a consequence, container technology has emerged as a favored means of packaging and deploying software. The arrival of numerous container providers into the market, such as Docker, Linux LXC and others, raises a plausible question: is container technology secure for enterprise use, and if so, how secure is it?

Before delving into the subject, it is crucial to understand that containers and virtual machines (VMs) are not alike, though they serve a similar purpose: segregating an application and its dependencies into a self-contained unit that can run anywhere. The prime difference between VMs and containers lies in their structural approach. While VMs emulate physical hardware through a hypervisor, containers share the kernel of the host operating system (OS) to access the hardware. Containerizing enables an application to operate reliably in diverse environments by decoupling it from the OS and the physical infrastructure. Each container gets its own isolated user space, which lets multiple containers run on a single host machine, while the shared part of the OS is read-only; this is what makes OS-level virtualization, or containerization, so lightweight.

Given the portability benefits that containers offer, including moving applications from one cloud to another, the use of container platforms has grown over the past few years. Docker, for instance, is a leading open-source platform based on Linux containers; it leverages Linux kernel features to create containers on top of an OS.

Returning to security concerns: when multiple containers run on a single OS, there is a high probability of ending up with a single point of failure. Here Docker offers a defense tool, Docker Notary, that allows developers to digitally sign their container images so that any user of a Docker image can validate the source and authenticity of its content. That said, containers are likely to be risk-prone if developers neglect container security or fail to remediate security issues. One way to curb this risk is to keep the host OS patched while also managing vulnerabilities within the containers. It should be noted that traditional approaches to network security do not necessarily extend into a container environment: multiple containers can communicate with one another within a single host OS, which calls for ways of providing network control within the container host OS itself.

Containers used for sensitive production applications need to be handled in the same manner as any other deployment when it comes to security. Each container runs software that might carry vulnerabilities; although such a vulnerability does not necessarily grant access to the underlying OS of the server, failures such as denial of service cannot be ruled out. This, in turn, could take down a MySQL container and ultimately disrupt an entire website. Along the same lines, one must bear in mind that the security of the server hosting the containers is just as important as that of the container itself.
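As an added illustration of the two points above, network control inside the container host and a vulnerable container exhausting the host, the following Docker Compose file is an example written for this edit, not taken from the article or from the Docker project. It places a database on the default network with a published port beside a layout with an internal backend network, images pinned by digest, and per-container limits; the digests are placeholders, and the tmpfs mounts are an assumption about what the nginx image needs in order to run read-only.

```yaml
# Added example (not from the original article). Image digests are
# placeholders: substitute the digest of an image you have verified.
services:
  # BEFORE: the database sits on the default bridge network and its port
  # is published on every host interface, so host-level firewall rules
  # alone do not stand between it and other containers or the network.
  db-exposed:
    image: mysql:8.0            # floating tag: content can change under you
    ports:
      - "3306:3306"             # reachable from outside the host

  # AFTER: the web tier is on a frontend network; MySQL is reachable only
  # through an internal backend network with no route to the outside.
  web:
    image: nginx@sha256:PLACEHOLDER_DIGEST_FROM_A_VERIFIED_IMAGE
    networks: [frontend, backend]
    ports:
      - "127.0.0.1:8080:80"     # loopback only; a proxy or host firewall
                                # decides what is reachable from outside
    read_only: true             # immutable root filesystem
    tmpfs:                      # assumed writable paths nginx needs
      - /var/cache/nginx
      - /var/run
    cap_drop: [ALL]
    security_opt:
      - no-new-privileges:true
    pids_limit: 200             # a fork bomb cannot starve the host
    deploy:
      resources:
        limits:
          cpus: "1.0"
          memory: 256M          # a crashing web tier cannot take the host down

  db:
    image: mysql@sha256:PLACEHOLDER_DIGEST_FROM_A_VERIFIED_IMAGE
    networks: [backend]         # no published ports: only `web` can reach it
    security_opt:
      - no-new-privileges:true
    pids_limit: 500
    deploy:
      resources:
        limits:
          cpus: "2.0"
          memory: 1G

networks:
  frontend: {}
  backend:
    internal: true              # no external connectivity for this network
```

Pinning by digest fixes which content runs; verifying that the digest came from a trusted publisher is the job of image signing such as Docker Notary, which this file assumes was done before the digest was copied in.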

Looking at the current market, it is clear that container-based virtualization is rapidly gaining momentum across large enterprises as well as SMEs. Although many companies are readily embracing this disruptive technology, they remain skeptical about adopting it in production. Notably, VMs are still regarded as the more mature technology with a superior level of security, and hence several teams are more inclined to rely on them. To be precise, VMs are best suited to monolithic applications and to circumstances where security concerns outweigh the need for a lightweight solution. In contrast, containerization is a more appropriate solution for the microservices architectural style, where the features of an application are split into small, precise, exclusive services. Nevertheless, VMs and containers can be viewed as complementary solutions rather than one excluding the other.

Today, there is hardly any enterprise that is not open to introducing container-based virtualization into its infrastructure. Their portability, on premises as well as in the cloud, together with their low cost, makes them a better alternative to full-blown virtual machines. Even so, companies are free to choose the solution they believe best fits their business structure while also delivering the desired services.