
The age of containerisation and its impact on security

30 Jun 17

A defining characteristic of software development and deployment is its constant evolution. Virtual machines (VMs) first appeared in the 1960s, and developers soon scaled them to commercial levels. Customers saw VMs as an ideal solution to enable easier server consolidation and drive disaster recovery and IT optimisation. Since 2010, server virtualisation has become the norm rather than the exception. This model was supported by traditional “waterfall” software release methodologies, along with operations and software development working in different silos.

But these traditional models are changing, fuelled by demand for increased productivity, accelerated innovation and faster go-to-market release of digital products and services. This has forced a rethink of how application development and deployment take place. Rather than having software development and operations separated, the two are now being integrated into a single unified function - DevOps.

DevOps brings with it the concepts of continuous integration (CI) and continuous development (CD), which means that small incremental changes to applications are being made all the time. This is a stark contrast to the traditional waterfall development methodology.

The trend towards DevOps is also forcing a rethink of how software is deployed. Rather than the legacy virtualisation model used for years, a more efficient model has emerged. This technology, called containerisation, allows for more efficient use of hardware resources by facilitating the sharing of a single operating system instance with multiple segregated applications.

Benefits of container technologies

Container technologies have been revolutionary in their ability to enable fast application deployment and migration to the cloud. They not only reduce the required resources for deployment, but they can be brought online or quickly deleted in a matter of seconds. Containers also allow applications and processes to be consistently deployed across multiple clouds, which facilitates faster, more confident enterprise adoption of cloud services.

Containers are lightweight and portable, with everything needed at runtime, including all code and supporting libraries. In fact, containerisation takes IT automation to a whole new level when combined with orchestration technologies, such as Kubernetes, which facilitates totally elastic computing models.

We are now seeing the evolution of software defined infrastructures (SDI), where services can be provisioned and automatically deployed across large compute infrastructures. Applications developed using containerisation are an important part of this technology.

Unlike VMs, containers share operating systems and use only the resources they need to run the application they’re hosting, resulting in greater efficiency. Hundreds of containers can run on just one server, saving valuable data centre budget.

Not surprisingly, the remarkable benefits of DevOps deployment methods, even though the technology is still in its infancy, have led to an incredible rate of adoption.

In a 2016 global survey, 53 percent of companies with at least 100 employees had either deployed or were in the process of evaluating containers. And once an organisation invests in containers, their use expands rapidly. In its report, Docker Containers Will Impact Enterprise Storage Infrastructure, Gartner predicts that by 2022, more than 20 percent of enterprise primary storage capacity will be deployed to support container workloads, up from less than one percent today.

But containerisation comes with growing pains. As with any new technology development, industry excitement often overshadows security until organisations recognise the need to address the new set of risks.

Security implications of containers

As traditional VMs typically exist for weeks, security issues are more likely to be caught during a weekly or monthly scan and patch cycle. But containers can exist for just minutes, and the periodic scanning approach simply doesn’t work. Beyond this, containers cannot be scanned using traditional vulnerability assessment tools, since the agent and network services that these tools require are not present in container images. This means new methods of vulnerability assessment must be embraced.

DevOps teams are often focused on speed rather than security. Some platforms, such as Docker, allow users to pull pre-built images from public repositories. While efficient, this can expose networks to unknown threats and vulnerabilities.

It is the very advantages of containers that make them such a security risk.

  • Containerisation allows the dynamic and elastic deployment of software, but this means the attack surface is constantly evolving.
  • A key strength of containers is their ability to be spun up or down almost instantly. But with an average lifespan of just a few hours or days, how can security teams effectively assess risk?
  • Their short lifespan and ability to be instantly deleted or replaced, key benefits when only concerned with speed of deployment, can cause a lack of visibility.

A major concern is that enterprise adoption and deployment of DevOps and containers is outpacing the approach used to secure them.

Tenable’s 2017 Global Cybersecurity Assurance Report Card found that security teams’ confidence in their organisations’ ability to mitigate risk in these categories is worryingly low, with containerisation platforms (52 percent) and DevOps environments (57 percent) each receiving a failing grade.

Integrating security into the DevOps innovation cycle

Organisations continue to struggle with container security because traditional security approaches, first designed for physical servers and then for VMs, cannot cope with today's dynamic IT environment.

Server- or device-centric security simply doesn’t work in the new app-centric enterprise, which means organisations must rethink their approach to cybersecurity. Vulnerability scanning needs to be integrated into the DevOps innovation cycle. Each container must be scanned as it’s built, before it’s put into production and while it’s in production. Doing so will ensure that vulnerability and malware detection occurs throughout the lifecycle of every container.
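The three scan points described above (at build, before production, in production) only pay off if each one has a decision attached to it. The following is an added example, not code from the article or from Tenable: a small policy gate that takes a scanner's findings for one image and decides, per lifecycle stage, whether to fail the CI build, block promotion, or raise a runtime alert. The report structure, the stage thresholds and the CVE identifiers are all constructed for illustration.

```python
"""Vulnerability gate for container images across the DevOps lifecycle.

Added example (not from the original article): decides per stage what to do
with a scanner's findings. Report fields, thresholds and CVE ids are
constructed placeholders, not the output of any real scanner.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Assumed policy: stricter the closer the image gets to production.
# build:          fail CI only when a fix is actually available to apply
# pre-production: block promotion on HIGH+ regardless of fix availability
# runtime:        a running container cannot be patched in place, so alert
STAGE_POLICY = {
    "build": {"block_at": "HIGH", "require_fix": True},
    "pre-production": {"block_at": "HIGH", "require_fix": False},
    "runtime": {"block_at": "CRITICAL", "require_fix": False},
}


@dataclass(frozen=True)
class Finding:
    cve: str
    package: str
    severity: str
    fixed_version: Optional[str]  # None means no fixed version is published yet


def evaluate(findings: Iterable[Finding], stage: str) -> dict:
    """Return the gate decision for one image at one lifecycle stage."""
    policy = STAGE_POLICY[stage]
    threshold = SEVERITY_RANK[policy["block_at"]]
    blocking = [
        f for f in findings
        if SEVERITY_RANK[f.severity] >= threshold
        and (f.fixed_version is not None or not policy["require_fix"])
    ]
    action = "alert" if stage == "runtime" else "block"
    return {"stage": stage, "passed": not blocking,
            "action": action if blocking else "allow",
            "blocking": sorted(f.cve for f in blocking)}


# Constructed sample findings for one image (placeholder CVE ids, not real ones)
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "openssl", "CRITICAL", "1.1.1u"),
    Finding("CVE-0000-0002", "libxml2", "HIGH", None),
    Finding("CVE-0000-0003", "curl", "MEDIUM", "7.88.1"),
]

if __name__ == "__main__":
    for stage in STAGE_POLICY:
        print(evaluate(SAMPLE_FINDINGS, stage))
```

Note how the same image fails at build only for the fixable CRITICAL, fails pre-production for both HIGH+ findings, and at runtime produces an alert rather than a block, which matches the short-lived, replace-not-patch nature of containers the article describes.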

Recognising the critical importance of vulnerability scanning, Gartner expects that “by 2018, 60 percent of enterprises will mandate container vulnerability scanning, up from less than 30 percent in 2016.” [Gartner source: “Security Considerations and Best Practices for Securing Containers” by Neil MacDonald published Nov. 10, 2016].

Introducing security into the DevOps process at the same speed as DevOps itself is starting to gain momentum as organisations transition into DevSecOps. DevOps teams are having a larger say in networking and infrastructure security tools, and as containers have grown in popularity, so too have the tools available to help secure them.

As more enterprises migrate their existing and customer-facing apps into container environments, it will become critical that organisations recognise and address the need for a new security approach, ensuring that security is integrated into the DevOps process from the very beginning. This is the only way for organisations to get the operational benefits of containers, while also reducing their level of exposure and risk.

Article by Dick Bussiere, APAC technical director, Tenable Network Security.
