SAN FRANCISCO – As enterprise companies take up the mantle of “digital transformation,” the modern-day tech marketing moniker for the process of buying the new stuff, security is always a primary concern. It was pretty clear from the first day of Dockercon that the container ecosystem is still focused on reassuring their fears, but it was also clear that progress is being made.
There was a security-related discussion during nearly every time slot allocated to the tech tracks at DockerCon in San Francisco Wednesday, but the nature of those conversations have changed, according to presenters and attendees. The pioneering container company has had to dispel a lot of myths about container security as it has pivoted from a developer tools company to an enterprise vendor, and it’s making progress by reminding companies of a long-held truism of computing security; it’s a process, not an add-on.
“It’s interesting and positive to see how people – and vendors – are thinking about security not just specifically for individual Docker instances, but the much broader and important topic of security for enterprise-scale deployments,” said Fernando Montenegro, a security analyst with 451 Research.
Containers are popular because they give users much more flexibility and control over how they deploy their applications, especially on public clouds. But they changed a lot of assumptions about how security worked across this new architecture, and that gave rise to the false notion that containers are inherently insecure.
Containerized applications are decoupled from hardware, which is often managed by a company like Amazon Web Services. That means security policies designed around self-managed servers no longer applied and poor security practices at the application level were exposed, said Bryan Webster, principal architect for hybrid cloud security at Trend Micro.
Containers can launch and shut themselves down much faster than virtual machines, so monitoring for malware or malicious attackers becomes more complex. Containers can “disappear before I even identify a problem and who has access to (a particular container),” said Hari Srinivasan, director of product management for cloud security company Qualys.
But these are security problems related to internal development policies and strategies, rather than security problems inherent to containers themselves.
“If I’m creating a containerized application, I’m making a series of design decisions,” said Tim Mackey, senior technical evangelist for Black Duck Software. “Overall security is a function of what I’ve put into my application.”
So the best way to secure containerized applications involves taking the advice of security professionals who want to prevent more people from learning the hard way that security needs to be baked into your development process throughout the entire cycle, from when you’re first building and testing your application inside your protected environment to when you’re patching and monitoring that application once is has been deployed to production.
And because companies transitioning to the the cloud and containerized applications no longer have to worry about physical server security, they have an opportunity to devote more of their security efforts to application-level security, Webster said. They can also patch those applications much more quickly when vulnerabilities are discovered, which is still the easiest way to stay safe, he said.
“When talking to customers and vendors alike, it’s clear that people are more comfortable with framing security in the context of container lifecycle: build, ship, run,” 451’s Montenegro said. “Different organizations will be at different stages of adoption, but everyone seems to understand that the need is there.”