Will Security Concerns Break Open-Source Containers?
By Omar Rafik, SolarWinds Senior Manager, Federal Sales Engineering
Here’s an interesting article on some of the security concerns that come along with containers. I was surprised to hear that a third of our customers are planning to implement containers in the next 12 months. The rate of change in IT never seems to slow down.
Open-source containers, which isolate applications from the host system, appear to be gaining traction with IT professionals in the U.S. defense community. Security remains a notable concern for a couple of reasons.
First, containers are fairly new, and many administrators aren’t completely familiar with them. It’s difficult to secure something you don’t understand. Second, containers are designed in a way that hampers visibility. This lack of visibility can make securing containers taxing.
Layers Upon Layers
Containers are comprised of a number of technical abstraction layers necessary for auto-scaling and developing distributed applications. They allow developers to scale application development up or down as necessary. Visibility becomes particularly problematic when using an orchestration tool like Docker Swarm or Kubernetes to manage connections between different containers, because it can be difficult to tell what is happening.
Containers can also house different types of applications, from microservices to service-oriented applications. Some of these may contain vulnerabilities, but that can be impossible to know without proper insight into what is actually going on within the container.
Protecting From the Outside In
Network monitoring solutions are ideal for network security geared toward identifying software vulnerabilities and detecting and mitigating phishing attacks, but they are insufficient for container monitoring. Containers require a form of software development life-cycle monitoring on steroids, and we aren’t quite there yet.
Security needs to start outside the container to prevent bad stuff from getting inside. There are a few ways to do this.
Scan for Vulnerabilities
The most important thing administrators can do to secure their containers is scan for vulnerabilities in their applications. Fortunately, this can be done with network and application monitoring tools. For example, server and application monitoring solutions can be used as security blankets to ensure applications developed within containers are free of defects prior to deployment.
Properly Train Employees
Agencies can also ensure their employees are properly trained and that they have created and implemented appropriate security policies. Developers working with containers need to be acutely aware of their agencies’ security policies. They need to understand those policies and take necessary precautions to adhere to and enforce them.
Containers also require security and accreditation teams to examine security in new ways. Government IT security solutions are commonly viewed from a physical, network, or operating system level; the components of software applications are seldom considered, especially in government off-the-shelf products. Today, agencies should train these teams to be aware of approved or unapproved versions of components inside an application.
Get CIOs on Board
Education and enforcement must start at the top, and leadership must be involved to ensure their organizations’ policies and strategies are aligned. This will prove to be especially critical as containers become more mainstream and adoption continues to rise. It will be necessary to develop and implement new standards and policies for adoption.
Open-source containers come with just as many questions as they do benefits. Those benefits are real, but so are the security concerns. Agencies that can address those concerns today will be able to arm themselves with a development platform that will serve them well, now and in the future.
Find the full article on American Security Today.
The SolarWinds trademarks, service marks, and logos are the exclusive property of SolarWinds Worldwide, LLC or its affiliates. All other trademarks are the property of their respective owners.