Coming to Terms with Container Security

When it comes to emerging technologies of almost any kind, there’s a natural amount of fear and loathing involving IT security. In almost every case, security is cited as the No. 1 barrier to adoption. Regardless of those concerns, the productivity gains enabled by that technology always trump security concerns. Containers and container security are no exception.

A recent survey of 1,105 security professionals published by Thales in collaboration with 451 Research makes that point A full 87 percent of respondents have plans to use containers in 2017 with 40 percent already in production. Nevertheless, security is cited as the top barrier to container adoption by 47 percent of respondents. Other barriers to adoption included additional security related concerns such as ‘unauthorized container access’ (43 percent), ‘malware spread between containers’ (39 percent), and ‘privacy violations resulting from shared resources’ (36 percent).

Despite all those concerns, however, it’s full steam ahead with containers as far as developers are concerned. It’s not that developers have no regard for the opinions of IT security professionals. But from a developer perspective, every technology they might employ is equally security-challenged. Given the fact that all the options available are equally problematic, it should not come as a surprise when developers choose to go with the technology that makes their lives easier.

Most IT security professionals are just now becoming aware that containers are part of the IT environment. In the interest of expediency, most of those containers are deployed on top of virtual machines. IT security professionals who are aware of containers take comfort in that approach because virtual machines provide a layer of isolation that doesn’t allow a container that has been compromised to take over an entire machine.

But container security is improving. All processes built using LinuxKit from Docker now run in separate containers. Docker Inc. recently added support for secure node introduction, cryptographic node identity, cluster segmentation and secure distribution of credentials. Docker SwarmKit includes tools for automatically moving secure code into production and, in the event of a security issue, automatically rolling that code back.

Obviously, there’s no such thing as perfect security. But as confidence in container security continues to grow, there will be a lot more containers running on top of bare-metal servers than virtual machines. As much as there is a current isolation benefit provided by those virtual machines, it’s only a matter of time before the economic benefit of running containers on bare-metal servers trump a security concern that becomes less with each passing day.

None of this means application developers should dismiss container security concerns. But they also need to keep them in perspective. The truth is, there are lot of legacy applications running today that would be more secure if they were hosted inside a container. As for new applications, containers are at least as secure—if not more so—than every other platform. That may not inspire IT professionals to get excited about having to support yet another platform, but at the very least it does mean any debate about the security of containers versus other platforms borders on the specious.

Mike Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.

Mike Vizard has 1598 posts and counting. See all posts by Mike Vizard