As containers take off, so do security concerns

Containers offer a quick and easy way to package up applications but security is becoming a real concern

Containers offer a quick and easy way to package up applications and all their dependencies, and are popular with testing and development.

According to a recent survey sponsored by container data management company ClusterHQ, 73 percent of enterprises are currently using containers for development and testing, but only 39 percent are using them in a production environment.

But this is changing: 65 percent said that they plan to use containers in production in the next 12 months, and they cited security as their biggest worry. Just over 60 percent said that security was either a major or a moderate barrier to adoption.

Containers can be run within virtual machines or on traditional servers. The idea is somewhat similar to that of a virtual machine itself, except that while a virtual machine includes a full copy of the operating system, a container does not, making them faster and easier to load up.

The downside is that containers are less isolated from one another than virtual machines are. In addition, because containers are an easy way to package and distribute applications, many are doing just that — but not all the containers available on the web can be trusted, and not all libraries and components included in those containers are patched and up-to-date.

According to a recent Red Hat survey, 67 percent of organizations plan to begin using containers in production environments over the next two years, but 60 percent said that they were concerned about security issues.
Isolated, but not isolated enough

Although containers are not as completely isolated from one another as virtual machines are, they are more secure than running applications directly on the host.

“Your application is really more secure when it’s running inside a Docker container,” said Nathan McCauley, director of security at Docker, which currently dominates the container market.

According to the ClusterHQ survey, 92 percent of organizations are using or considering Docker containers, followed by LXC at 32 percent and Rocket at 21 percent.

Since the technology was first launched, McCauley said, Docker containers have had built-in security features such as the ability to limit what an application can do inside a container. For example, companies can set up read-only containers.

Containers also use namespaces by default, he said, which prevent applications from being able to see other containers on the same machine.

“You can’t attack something else because you don’t even know it exists,” he said. “You can even get a handle on another process on the machine, because you don’t even know it’s there.”
However, container isolation doesn’t go far enough, said Simon Crosby, co-founder and CTO at security vendor Bromium.

“Containers do not make a promise of providing resilient, multi-tenant isolation,” he said. “It is possible for malicious code to escape from a container to attack the operating system or the other containers on the machine.”

If a company isn’t looking to get maximum efficiency out of its containers, however, it can run just one container per virtual machine.

This is the case with Nashua, NH-based Pneuron, which uses containers to distribute its business application building blocks to customers.

“We wanted to have assigned resourcing in a virtual machine to be usable by a specific container, rather than having two containers fight for a shared set of resources,” said Tom Fountain, the company’s CTO. “We think it’s simpler at the administrative level.”

Plus, this gives the application a second layer of security, he said.

“The ability to configure a particular virtual machine will provide a layer of insulation and security,” he said. “Then when we’re deployed inside that virtual machine then there’s one layer of security that’s put around the container, and then within our own container we have additional layers of security as well.”

But the typical use case is multiple containers inside a single machine, according to a survey of IT professionals released Wednesday by container security vendor Twistlock.

Only 15 percent of organizations run one container per virtual machine. The majority of the respondents, 62 percent, said that their companies run multiple containers on a single virtual machine, and 28 percent run containers on bare metal.

And the isolation issue is still not figured out, said Josh Bressers, security product manager at Red Hat.

“Every container is sharing the same kernel,” he said. “So if someone can leverage a security flaw to get inside the kernel, they can get into all the other containers running that kernel. But I’m confident we will solve it at some point.”

Bressers recommended that when companies think about container security, they apply the same principles as they would apply to a naked, non-containerized application — not the principles they would apply to a virtual machine.

“Some people think that containers are more secure than they are,” he said.
Vulnerable images

McCauley said that Docker is also working to address another security issue related to containers — that of untrusted content.

According to BanyanOps, a container technology company currently in private beta, more than 30 percent of containers distributed in the official repositories have high priority security vulnerabilities such as Shellshock and Heartbleed.

Outside the official repositories, that number jumps to about 40 percent.

Of the images created this year and distributed in the official repositories, 74 percent had high or medium priority vulnerabilities.

“In other words, three out of every four images created this year have vulnerabilities that are relatively easy to exploit with a potentially high impact,” wrote founder Yoshio Turner in the report.
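The kind of check behind those percentages, as an added example rather than BanyanOps' scanner or any Docker tooling: take an image's installed-package inventory (what `dpkg-query -W` run inside the image would print), compare each version against an advisory feed, and report how many images carry at least one high-severity finding. The inventories and the feed are constructed for this example; the two CVE identifiers are the public ones for Shellshock and Heartbleed, but the "fixed" versions are illustrative, and version ordering is a simplified numeric split rather than full dpkg or rpm semantics.

```python
"""Package-level vulnerability scan of container images.

Added example, not BanyanOps' scanner or Docker's own code. Inventories
and advisory feed are constructed; fixed versions are illustrative.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    cve: str
    package: str
    fixed: str       # first version carrying the fix (illustrative)
    severity: str


# Constructed feed. CVE ids are the public ids for the two bugs named above.
FEED = [
    Advisory("CVE-2014-6271", "bash", "4.3-7", "high"),      # Shellshock
    Advisory("CVE-2014-0160", "openssl", "1.0.1g", "high"),  # Heartbleed
]

# Constructed inventories: package -> installed version, one per image tag.
IMAGES = {
    "web:1.0":   {"bash": "4.2-24", "openssl": "1.0.1e", "libc6": "2.19-18"},
    "api:2.3":   {"bash": "4.3-11", "openssl": "1.0.1k", "libc6": "2.19-18"},
    "cache:0.9": {"bash": "4.3-9",  "openssl": "1.0.1g"},
}


def version_key(v):
    """Turn '1.0.1g' or '4.3-7' into a tuple that orders the way a reader
    would: numeric runs compare as ints, a letter run sorts after a bare
    number with the same prefix (1.0.1 < 1.0.1g). Simplified: epochs
    ('1:') and '~' pre-release ordering are not handled."""
    parts = re.findall(r"\d+|[A-Za-z]+", v)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def scan(inventory, feed=FEED):
    """One finding per advisory whose package is installed below the fix."""
    findings = []
    for adv in feed:
        have = inventory.get(adv.package)
        if have is not None and version_key(have) < version_key(adv.fixed):
            findings.append({"cve": adv.cve, "package": adv.package,
                             "installed": have, "fixed": adv.fixed,
                             "severity": adv.severity})
    return findings


def scan_all(images=IMAGES, feed=FEED):
    return {name: scan(inv, feed) for name, inv in images.items()}


def share_affected(results, severity="high"):
    """Fraction of images with at least one finding at that severity, the
    per-repository figure the report above quotes."""
    hit = sum(1 for f in results.values()
              if any(x["severity"] == severity for x in f))
    return hit / len(results) if results else 0.0


if __name__ == "__main__":
    results = scan_all()
    for name, findings in results.items():
        print(name, "clean" if not findings else ", ".join(
            f"{x['cve']} ({x['package']} {x['installed']} < {x['fixed']})"
            for x in findings))
    print(f"{share_affected(results):.0%} of images carry a high-severity finding")
```

A real scanner also has to map distribution backports correctly (Debian ships the Shellshock fix as a patched 4.2 or 4.3 package, so the version string alone can misreport), which is why the inventory should come from the distribution's own package database and the feed from its security tracker, not from upstream version numbers.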

In August, Docker announced the release of Docker Content Trust, a new feature in the container engine that makes it possible to verify the publisher of

“It provides cryptographic guarantees and really leapfrogs all other secure software distribution mechanisms,” Docker’s McCauley said. “It provides a solid basis for the content you pull down, so that you know that it came from the folks you expect it to come from.”

Red Hat, for example, which has its own container repository, signs its containers, said Red Hat’s Bressers.

“We say, this container came from Red Hat, we know what’s in it, and it’s been updated appropriately,” he said. “People think they can just download random containers off the Internet and run them. That’s not smart. If you’re running untrusted containers, you can get yourself in trouble. And even if it’s a trusted container, make sure you have security updates installed.”

Docker’s McCauley said that existing security tools should be able to work on containers the same way as they do on regular applications, and recommended that companies also apply Linux security best practices to the host.

Earlier this year Docker, in partnership with the Center for Internet Security, published a detailed security benchmark best practices document, and a tool called Docker Bench for Security that checks host machines against these recommendations and generates a status report.

However, for production deployment, organizations need tools that they can use that are similar to the management and security tools that already exist for virtualization, said Eric Chiu, president and co-founder at virtualization security vendor HyTrust.

“Role-based access controls, audit-quality logging and monitoring, encryption of data, hardening of the containers — all these are going to be required,” he said.

In addition, experts say, container technology makes it difficult to see what is going on inside the containers, and legacy tools can’t cut it.

“Lack of visibility into containers can mean that it is harder to observe and manage what is happening inside of them,” said Loris Degioanni, CEO at Sysdig, one of the new vendors offering container management tools.

Another new vendor in this space is Twistlock, which came out of stealth mode in May.

“Once your developers start to run containers, IT and IT security suddenly becomes blind to a lot of things that happen,” said Chenxi Wang, the company’s chief strategy officer.

Say, for example, you want to run anti-virus software. According to Wang, it won’t run inside the container itself, and if it’s running outside the container, on the virtual machine, it can’t see into the container.

Twistlock provides tools that can add security at multiple points. It can scan a company’s repository of container images, scan containers as they are loaded, and prevent vulnerable containers from launching.

“For example, if the application inside the container is allowed to run as root, we can say that it’s a violation of policy and stop it from running,” she said.

Twistlock can monitor whether a container is communicating with known command-and-control hosts and either report it, cut off the communication channel, or shut down the container altogether.

And the company also monitors communications between the container and the underlying Docker infrastructure, to detect applications that are trying to issue privileged commands or otherwise tunnel out of the container.
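The checks described in this section (stop a container that would run as root, catch containers that try to reach the engine with privileged commands) and the built-in controls McCauley described earlier (read-only containers, namespaces that hide other processes) can be expressed as one admission policy evaluated before the engine starts the container. The following is an added example, not Twistlock's product or Docker's code: the request shape is a constructed, simplified stand-in for a Docker-style host configuration, and its field names are this example's choice, not the engine's API. The digest in the hardened request is a placeholder.

```python
"""Admission-time policy for a container start request.

Added example, not Twistlock's product or Docker's own code. The request
dicts are constructed; field names are simplified stand-ins for the
engine's real host configuration.
"""

DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN"}
ENGINE_SOCKET = "/var/run/docker.sock"


def check(spec):
    """Return the list of policy violations; an empty list means admit."""
    v = []
    user = str(spec.get("user", ""))
    if user in ("", "root", "0") or user.startswith("0:"):
        v.append("runs as root: set a non-root user")
    if spec.get("privileged"):
        v.append("privileged: disables capability and device isolation")
    caps = DANGEROUS_CAPS & set(spec.get("cap_add", []))
    if caps:
        v.append("adds host-level capabilities: " + ", ".join(sorted(caps)))
    if not spec.get("read_only_rootfs"):
        v.append("writable root filesystem: run read-only, tmpfs for scratch")
    if "no-new-privileges" not in spec.get("security_opt", []):
        v.append("setuid binaries may gain privileges: set no-new-privileges")
    for ns in ("pid", "network", "ipc"):
        if spec.get(f"{ns}_mode") == "host":
            v.append(f"shares the host {ns} namespace: host processes become visible")
    for m in spec.get("mounts", []):
        if m.get("source", "").startswith(ENGINE_SOCKET):
            v.append("mounts the engine socket: equivalent to root on the host")
    if "@sha256:" not in spec.get("image", ""):
        v.append("image referenced by mutable tag: pin by digest")
    return v


def admit(spec):
    return not check(spec)


# Constructed requests: the defaults most people start with, and a hardened one.
WEAK = {
    "image": "registry.example.internal/app:latest",
    "user": "",
    "privileged": False,
    "cap_add": ["SYS_ADMIN"],
    "read_only_rootfs": False,
    "security_opt": [],
    "pid_mode": "host",
    "mounts": [{"source": "/var/run/docker.sock", "target": "/var/run/docker.sock"}],
}

HARDENED = {
    "image": "registry.example.internal/app@sha256:" + "a" * 64,  # placeholder digest
    "user": "10001:10001",
    "privileged": False,
    "cap_add": [],
    "read_only_rootfs": True,
    "security_opt": ["no-new-privileges"],
    "mounts": [{"source": "/srv/app-data", "target": "/data", "read_only": True}],
}


if __name__ == "__main__":
    for name, spec in (("weak", WEAK), ("hardened", HARDENED)):
        problems = check(spec)
        print(name, "ADMIT" if not problems else "DENY")
        for p in problems:
            print("  -", p)
```

Every rule here corresponds to a flag on `docker run` (`--user`, `--read-only`, `--cap-drop`/`--cap-add`, `--security-opt no-new-privileges`, `--pid`, `--privileged`, the bind-mount of the engine socket); enforcing them at admission time means a developer who forgets the flags gets a denial with a reason rather than a container that quietly runs as root on a shared kernel.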

Market outlook

According to IDC analyst Gary Chen, container technology is still so new that most companies are still figuring out what value it offers and how they are going to use it.

“Today, it’s not really a big market,” he said. “It’s still really early in the game. Security is something you need once you start to put containers into operations.”

That will change once containers get more widely deployed.

“I wouldn’t be surprised if the big guys eventually got into this marketplace,” he said.

More than 800 million containers have been downloaded so far by tens of thousands of enterprises, according to Docker.

But it’s hard to calculate the dollar value of this market, said Joerg Fritsch, research director for security and risk management at research firm Gartner.

“Docker has not yet found a way to monetize their software,” he said, and there are very few other vendors offering services in this space. He estimates the market size to be around $200 million or $300 million, much of it from just a single services vendor, Odin, formerly the service provider part of virtualization company Parallels.

With the exception of Odin, most of the vendors in this space, including Docker itself, are relatively new startups, he said, and there are few commercial management and security tools available for enterprise customers.

“When you buy from startups you always have this business risk, that a startup will change its identity on the way,” Fritsch said.

Why (and how) VMware created a new type of virtualization just for containers

VMware says containers and virtual machines are better together

As the hype about containers has mounted over the past year, it has raised questions about what this technology – which is for packaging applications – means for traditional management and virtualization vendors. Some have wondered: Will containers kill the virtual machine?

VMware answered that question with a resounding no at its annual conference in San Francisco last week. But, company officials say containers can benefit from having a new type of management platform. And it’s built a whole new type of virtualization just for containers.
Virtualization for containers

A decade and a half ago, VMware helped revolutionize the technology industry with the introduction of enterprise-grade hypervisors that ushered in an era of server virtualization.

Last week the company revealed a redesigned version of its classic virtualization software named Project Photon. It’s a lightweight derivative of the company’s popular ESX hypervisor that has been engineered specifically to run application containers.

“At its core, it’s still got the virtualization base,” explains Kit Colbert, VMware’s vice president and CTO of Cloud Native Applications. Colbert calls Photon a “micro-visor” with “just enough” functionality to have the positive attributes of virtualization, while also being packaged in a lightweight format ideal for containers.

Project Photon includes two key pieces. One is named Photon Machine – a hypervisor software born out of ESX that is installed directly onto physical servers. It creates miniature virtual machines that containers are placed in. It includes a guest operating system, which the user can choose. By default Photon Machine comes with VMware’s customized Linux distribution named Photon OS, which the company has also designed to be container friendly.

The second major piece is named Photon Controller, which is a multi-tenant control plane that can handle many dozens, if not hundreds or thousands of instances of Photon Machine. Photon Controller will provision the clusters of Photon Machines and ensure they have access to network and storage resources as needed.

The combination of Photon Machine and Photon Controller creates a blueprint for a scale-out environment that has no single point of failure and exposes a single logical API endpoint that developers can write to. In theory, IT operators can deploy Project Photon and developers can write applications that run on it.

Project Photon will integrate with various open source projects, such as Docker for the container run-time support, as well as Google Kubernetes and Pivotal’s Cloud Foundry for higher-level application management. (Photon manages infrastructure provisioning while Kubernetes and CF manage application deployments.)

VMware has not yet set pricing for either platform, but both will be available this year as a private beta.
The journey to containers

Not all customers are ready to go all-in on containers though. So, VMware is also integrating container support into its traditional management tools.

vSphere Integrated Containers is a second product VMware announced that Colbert says is a good starting point for organizations that want to get their feet wet with containers. For full-scale container build-outs, Colbert recommends transitioning to Project Photon.

vSphere Integrated Containers is a plugin for vSphere, the company’s venerable ESX management software. “It makes containers first-class citizens in vSphere,” Colbert explains. With the plugin, customers are able to deploy each container inside its own virtual machine, allowing the container in the VM to be managed just like any other VM by vSphere.

By comparison, currently if a user wanted to deploy containers in vSphere, they would likely deploy multiple containers inside a single virtual machine. Colbert says that has potentially harmful security implications though: If one of the containers in the VM is compromised, then the other containers in the VM could be impacted. By packaging one container inside each VM, it allows containers to be protected by the security isolation and baked in management features of vSphere.

Kurt Marko, an analyst at Marko Insights, says VMware’s approach to containers could be appealing to VMware admins who are being pressured to embrace containers. It could come with a downside, though.

“Wrapping Photon containers in a micro-VM makes it look like any other instance to the management stack and operators,” Marko wrote in an email. “Of course, the potential downside is lost efficiency since even micro-VMs will have more overhead than containers sharing the same kernel and libraries.” VMware says the VM-overhead is minute, but Marko says it will take independent analysis to determine if there is a tax for using containers inside VMs.
Hold your horses

As VMware attempts to position itself as a container company, there are headwinds. First, it is still very early on in the container market.

“The hype far outweighs the utilization” at this point, says IDC analyst Al Gillen, program vice president for servers and systems software. He estimates that fewer than 1/10 of 1% of enterprise applications are currently running in containers. It could be more than a decade before the technology reaches mainstream adoption with more than 40% of the market.

VMware also hasn’t traditionally been known as a company that leads the charge when it comes to cutting-edge open source projects, a perception the company is fighting. Sheng Liang, co-founder and CEO of Rancher Labs, a startup that was showcasing its container operating system and management platform at VMworld, said the container movement has so far been driven largely by developers and open source platforms like Mesos, Docker and Kubernetes. He said he hasn’t run into a single container user who is running containers in VMware environments.

Forrester analyst Dave Bartoletti says that shouldn’t be surprising, though. VMware has strong relations with IT operations managers, not with the developers who have been most enthusiastically using containers. The announcements the company made at VMworld are about enabling those IT ops workers to embrace containers in their VMware environments. Other management vendors, like Red Hat, Microsoft and IBM, are equally enthusiastically embracing containers. VMware’s argument, though, is that containers and VMs are better together.