Containers are among the hottest areas of application development, with multiple vendors supporting the technology approach that enables a more agile deployment model. But with that agility comes some security concerns. Container platform technologies include some native security controls, but there is also a need for additional technologies. That's where container security vendors come in.
In this eSecurity Planet guide, we outline what enterprises need to know about container security and the vendor solutions that are available.
- What are containers?
- Docker, Kubernetes and microservices
- Native container platform security
- Container security challenges
At the most basic level, containers are isolated application components that run on top of an operating system. Containers are typically composed of multiple elements with a container runtime, or container engine, at the core. The most popular container engine today is the Docker Engine, an open-source effort led by Docker Inc. There is also a multi-stakeholder standards effort called the Open Container Initiative (OCI) that has defined a common specification for interoperable container runtimes.
Sitting on top of the container runtime are container applications. Unlike a traditional virtualization hypervisor (such as VMware, KVM or Hyper-V), application containers rely on the underlying operating system on which the container engine is hosted. With a traditional hypervisor, each virtual machine (VM) image requires its own operating system. The promise of containers, then, is that they are highly portable, require fewer resources than a VM, and can be developed rapidly.
Docker is one of the leading vendors in the container space and also the name of its eponymous container engine. When running more than one container, there is a need to coordinate and manage the deployment, a concept commonly referred to as "orchestration."
The most commonly used container orchestration system today is Kubernetes, an open source effort begun by Google and now managed as a multi-stakeholder effort under the auspices of the Cloud Native Computing Foundation (CNCF). Docker is among those that support Kubernetes, alongside vendors such as Red Hat, VMware, IBM and Cisco.
Microservices is another term that is often used in conjunction with containers. A microservice is typically just a collection of container applications that together enable a service, which in turn is typically managed by Kubernetes.
Containers benefit from several isolation mechanisms by default. On Linux, containers are isolated by Linux namespaces, which partition what a process can see (such as process IDs, mounts and network interfaces), and by cgroups, which limit the resources a group of processes can consume. Additional Linux security isolation and control is provided by seccomp, which restricts the system calls a process is allowed to make.
Different Linux platforms also provide varying degrees of mandatory access control that further limit and isolate containers. Red Hat-based Linux platforms use a technology approach called SELinux (Security Enhanced Linux), while Ubuntu-based Linux platforms tend to use AppArmor for mandatory access control.
Some deployments of containers will further isolate the container runtime inside a hypervisor, providing yet another layer of isolation between containers and host operating systems components.
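The seccomp control described above is usually expressed as a JSON profile. The following is an added example, not code from the article or from any vendor it names: a small audit that flags a profile whose default action allows unlisted syscalls, or that leaves watch-listed syscalls reachable. The two sample profiles and the watch list itself are constructed for this example.

```python
"""Audit a Docker-style seccomp profile for a permissive default action and
for watch-listed syscalls that remain reachable. Sample profiles below are
constructed for this example, not taken from any vendor or from the article."""
import json

# Syscalls an ordinary application container rarely needs and that widen the
# blast radius if reachable (assumption: this watch list is our own choice).
WATCHLIST = {"ptrace", "mount", "umount2", "keyctl", "unshare", "bpf",
             "reboot", "kexec_load", "init_module", "finit_module"}


def audit_seccomp_profile(profile: dict) -> list:
    """Return a list of findings (strings); an empty list means nothing flagged."""
    findings = []
    default = profile.get("defaultAction")
    # SCMP_ACT_LOG allows the call and only logs it, so it counts as permissive.
    permissive = default in (None, "SCMP_ACT_ALLOW", "SCMP_ACT_LOG")
    if permissive:
        findings.append(f"defaultAction {default}: syscalls not listed are allowed")
    allowed, denied = set(), set()
    for rule in profile.get("syscalls", []):
        # Docker accepts a "names" list; older profiles used a single "name".
        names = set(rule.get("names", []))
        if "name" in rule:
            names.add(rule["name"])
        # Rules carrying "args" or "includes" are conditional; we treat them
        # as reachable to stay on the conservative side.
        if rule.get("action") in ("SCMP_ACT_ALLOW", "SCMP_ACT_LOG"):
            allowed |= names
        else:
            denied |= names
    exposed = (WATCHLIST - denied) if permissive else (WATCHLIST & allowed)
    findings.extend(f"watch-listed syscall reachable: {n}" for n in sorted(exposed))
    return findings


def audit_seccomp_json(text: str) -> list:
    """Same check, starting from the JSON text of a profile file."""
    return audit_seccomp_profile(json.loads(text))


# Constructed samples: a permissive profile and a default-deny allow list.
WEAK_PROFILE = {"defaultAction": "SCMP_ACT_ALLOW",
                "syscalls": [{"names": ["reboot"], "action": "SCMP_ACT_ERRNO"}]}
HARDENED_PROFILE = {"defaultAction": "SCMP_ACT_ERRNO",
                    "architectures": ["SCMP_ARCH_X86_64"],
                    "syscalls": [{"names": ["read", "write", "openat", "close",
                                            "exit_group"],
                                  "action": "SCMP_ACT_ALLOW"}]}

if __name__ == "__main__":
    for label, prof in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, audit_seccomp_profile(prof) or ["no findings"])
```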
Container vendor platform providers, such as Docker Inc. and Red Hat, as well as the major cloud services -- Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform -- all provide a degree of native isolation and security capabilities.
While container platforms benefit from native built-in security and isolation for the container runtime, there are still other security concerns that organizations need to be aware of.
There is a limited risk that a rogue process on a host system, or inside a container, could potentially bypass the isolation that containers are intended to provide and gain unauthorized access to other container images.
Another risk is organizations deploying container application images that include known vulnerabilities. Conversely, there is also a potential risk of a container that is not initially identified as vulnerable but is somehow malicious, or simply misconfigured so that an attacker can execute unauthorized actions. There is also a risk of misconfigured permissions in a container deployment that could be misused or abused by an attacker.
There are multiple classes of functions that container security platforms provide. At the most basic level is container image scanning, which is a capability that validates that images don't have known vulnerabilities.
Runtime security capabilities look at what a container is actually doing while it runs. Network perimeter capabilities include common features such as firewalls. Intrusion prevention and detection (IPS/IDS) is another class of capability offered by container security vendors.
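Image scanning, the first class of function above, comes down to matching the packages inside an image against an advisory feed. This added example, not code from the article or from any of the vendors it lists, shows that matching step on a constructed package manifest and a constructed feed; the advisory ids are placeholders, not real CVE numbers.

```python
"""Minimal image vulnerability matcher: compare the packages installed in a
container image against an advisory feed. Both inputs are constructed for
this example; the advisory ids are placeholders, not real CVEs."""
import re


def version_key(version: str) -> list:
    """Turn '1.1.1k' into [(1,''),(1,''),(1,'k')] so versions compare sanely."""
    key = []
    for part in version.split("."):
        m = re.match(r"(\d*)(.*)", part)
        key.append((int(m.group(1)) if m.group(1) else -1, m.group(2)))
    return key


def is_vulnerable(installed: str, fixed_in) -> bool:
    """True when the installed version predates the fix, or no fix exists yet."""
    if fixed_in is None:
        return True
    return version_key(installed) < version_key(fixed_in)


def scan_image(packages: dict, advisories: list) -> list:
    """Return (package, installed_version, advisory_id) for every match."""
    hits = []
    for adv in advisories:
        installed = packages.get(adv["package"])
        if installed is not None and is_vulnerable(installed, adv["fixed_in"]):
            hits.append((adv["package"], installed, adv["id"]))
    return sorted(hits)


# Constructed package manifest, as a scanner would extract it from an image.
IMAGE_PACKAGES = {"openssl": "1.1.1k", "curl": "7.68.0", "zlib": "1.2.13"}
# Constructed advisory feed with placeholder ids; fixed_in None means no fix.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-0001", "package": "openssl", "fixed_in": "1.1.1l"},
    {"id": "ADV-PLACEHOLDER-0002", "package": "curl", "fixed_in": "7.61.0"},
    {"id": "ADV-PLACEHOLDER-0003", "package": "zlib", "fixed_in": None},
    {"id": "ADV-PLACEHOLDER-0004", "package": "bash", "fixed_in": "5.0"},
]

if __name__ == "__main__":
    for pkg, ver, adv in scan_image(IMAGE_PACKAGES, ADVISORIES):
        print(f"{pkg} {ver}: {adv}")
```

Real scanners also consult distribution-specific version schemes and backported fixes, which this matcher deliberately leaves out.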
Here, then, are 10 top container security vendors you need to know about.
Alert Logic is one of the newest entrants in the container space, announcing its Intrusion Detection System (IDS) for containers in July. The Alert Logic solution is part of the company's Cloud Defender and Threat Manager platforms.
Anchore provides products that enable organizations to scan and inspect both public and private container images. At the core of Anchore's services is the company's open source engine, which helps organizations to scan images to achieve security compliance.
Aporeto has positioned its container security platform as being about application identity. The Aporeto technology provides multiple elements that can help organizations enforce application identity, including access control, runtime protection and network security functions.
Aqua Security was among the first entrants in the container security space, launching its 1.0 product back in May 2016. Now at version 3.2, the Aqua Security platform provides runtime protection capabilities for containers. The Aqua platform also includes network segmentation capabilities as well as auditing and compliance features.
Capsule8 officially launched its 1.0 release in April 2018, providing organizations with a zero-day threat detection platform that can help identify and block container as well as Linux host-level threats. Among the risks that Capsule8 aims to help mitigate are side-channel memory attacks, like the recently disclosed Meltdown and Spectre vulnerabilities.
NeuVector takes a networking-focused approach to container security, providing automated segmentation capabilities and attack detection. NeuVector's platform includes a container firewall that can filter application layer traffic to help identify anomalous behavior.
Qualys expanded its container security platform with the acquisition of Layered Insight in 2018. Qualys Container Security offers deep visibility as well as the ability to detect and prevent security breaches during runtime. Users can set alerts for detected anomalies or enact auto-generated behavior policies to enforce control on the containers.
StackRox emerged from stealth mode in July 2017 with an adaptive threat protection platform for containers. The StackRox platform provides security capabilities for the build and deployment phase of container usage as well as runtime threat detection features.
Sysdig is a vendor known primarily for its application monitoring capabilities for containers. Sysdig also has a product called Sysdig Secure, which combines visibility with runtime security to help protect container environments. The Sysdig Secure 2.0 release was announced in June 2018, adding vulnerability management, compliance and security analytics on top of the platform's existing container runtime security features.
Twistlock was also an early entrant in the container security space, announcing the general availability of its first Container Security Suite in November 2015. Twistlock's platform has expanded since that first release, adding forensic capabilities such as an incident explorer and runtime radar features that help organizations better understand and control container deployments.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.