Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cloud
    • Cloud
    • Virtualization

    How to Secure Containers Is Still Subject to Debate

    By
    Sean Michael Kerner
    -
    December 8, 2015
    Share
    Facebook
    Twitter
    Linkedin
      container security

      In the world of virtualized application containers, security is top-of-mind. At both the DockerCon EU event last month in Barcelona, Spain, as well as the Tectonic Summit last week in New York City, the big news was all security-related. While there is no shortage of container security news, there is still some debate about how to properly secure containers.

      Docker Inc., the lead commercial sponsor behind the open-source Docker project, announced multiple security efforts at DockerCon EU, including project Nautilus for Docker application image scanning. Not be outdone, CoreOS, one of Docker Inc.’s primary rivals in the container market, announced Distributed Trusted Computing at its Tectonic Summit event.

      In some respects, the technologies announced by CoreOS and Docker Inc. for container security are similar, though they take different approaches. While Docker Inc. announced project Nautilus for scanning application images, CoreOS has its Clair project that scans container images for known vulnerabilities.

      When it comes to hardware encryption, CoreOS is using Trusted Computing concepts, including the use of Trusted Platform Module (TPM) hardware, in order to create and enable a chain of trust for container applications running on hardware that can be audited and verified. Docker is also using hardware for security but in a different way. At DockerCon EU, the company gave away Yubico USB keys that can be used to sign private encryption keys for application images.
      There is also some debate about how containers should be run on a system. I moderated a panel at the Tectonic Summit that included Matthew Garrett, principal security software engineer at CoreOS; Tim Hobbs, advisor, product management at CA Technologies; and Frank Macreery co-founder and CTO, Aptible.

      One of the key questions I asked the panel was whether it was a best practice to run a container inside a hypervisor. The consensus from the panel was that, today, in order to get the best isolation and security control, the use of a hypervisor is a good best practice. It’s a model that CoreOS embraces as well with its rocket (rkt) container engine that integrates with Intel’s Clear Containers technology. Clear Containers is a virtualization hypervisor that has been purpose-built for running containers.

      Identity is also a hot topic in IT security. CoreOS has an open-source identity technology called Dex that can help organizations with user access control for container applications.

      Meanwhile, CA has a long history of user identity technologies. On my panel, CA’s Hobbs emphasized that integrating with existing forms of user authentication and policy control is important for containers, as with all other forms of application deployment.

      A key driver for a lot of security expenditures is regulatory compliance-related efforts. At DockerCon EU, Udo Seidel, chief architect and digital evangelist at Amadeus, detailed how his organization has managed to use Docker containers to achieve Payment Card Industry Data Security Standard (PCI DSS) compliance.

      On my own panel at the Tectonic Summit, Macreery explained how Aptible is able to use containers for its U.S. Health Insurance Portability and Accountability Act (HIPPA) requirements. For both PCI DSS and HIPPAA, data privacy is paramount, which is something that the isolation properties of containers can help enable.

      How to Secure Containers Is Still Subject to Debate

      While interest in containers has grown significantly in the last two years, it’s important to remember that containers as a technology concept have been around for many years. In Linux, there are LXC (Linux Containers); in Solaris Unix, there are Zones; and in FreeBSD, there is the concept of Jails. During my panel, a member of the audience wanted to know what’s new with container security, given that containers as a technology construct are not new.

      The answer I gave is the same that I gave a decade ago, when VMware’s momentum was growing and people reminded me that IBM had been doing virtualization for 50 years. The answer was that applications are the difference, as is increased production deployment at scale in distributed systems. Additionally, though the attack surface of containers and the applications that run in them are not new, those that are deploying containers might be new to security best practices that have already been learned in the industry.

      While the basic ideas behind securing containers are now in place, it’s likely that there are some ideas and concepts that have yet to emerge. What never ceases to amaze me is how emphasis and effort from the security research community exposes vulnerabilities in nearly all classes of software and infrastructure. No doubt, as container deployments grow, security researchers will turn their attention to the technology and new vulnerabilities will be discovered.

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

      Sean Michael Kerner
      Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.

      MOST POPULAR ARTICLES

      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Cloud

      Yotascale CEO Asim Razzaq on Controlling Multicloud...

      James Maguire - May 5, 2022 0
      Asim Razzaq, CEO of Yotascale, provides guidance on understanding—and containing—the complex cost structure of multicloud computing. Among the topics we covered:  As you survey the...
      Read more
      Big Data and Analytics

      GoodData CEO Roman Stanek on Business Intelligence...

      James Maguire - May 4, 2022 0
      I spoke with Roman Stanek, CEO of GoodData, about business intelligence, data as a service, and the frustration that many executives have with data...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×