Containers are not only boosting app development processes, they’re also making them more secure.
Just a year ago, containers were still the new kids on the block. What made them so exciting to companies as a new architecture for running core business applications? Instead of virtualizing an entire operating system using gigabytes of data to manage apps, a container could isolate a single app using only a few megabytes of data.
Today, 76 percent of IT leaders surveyed by International Data Corp. (IDC) report widespread adoption of containers in mission-critical applications. And, increasingly, developers are building new apps to be containerized from the outset, and even rebuilding legacy apps for containerization, says Doug Cahill, group director and senior analyst at Enterprise Strategy Group.
But IT leaders are also embracing containers for another less obvious reason—security. More than one in three tech leaders that IDC surveyed say that containers are not only boosting app development processes, they’re also, when used correctly, making them more secure.
Security Center Takes the Stage
The key to a container’s security benefit is simple: isolation.
“Thanks to isolation, containers can provide greater security than running your application as straight-up processes,” says Sebastien Goasguen, co-founder of serverless startup Triggermesh and author of Docker Cookbook.
That’s because one Linux kernel feature that’s core to creating containers—Linux namespaces—allows users to create separate execution environments, restricting what applications can and can’t do inside a system.
“You can give processes different network stacks, or you can give them different process namespaces,” says Goasguen. Isolation keeps any potential risks or vulnerabilities quarantined within individual containers, making them easier to identify and eliminate when necessary.
But better security isn’t a given. It’s possible to break that secure isolation if you’re not careful, Goasguen warns. Containers running on the same host machine share the same kernel, so processes may be less isolated if namespaces are shared with the host.
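The caveat above, that a container is only as isolated as the namespaces it does not share with the host, can be checked from the kernel's own bookkeeping: every process exposes its namespace identities as symlinks under `/proc/<pid>/ns/`, and two processes are in the same namespace exactly when the link targets match. The following script is an added example, not code from the article or from Goasguen; it reads those links for a live process and compares them against PID 1, and it also runs the same comparison over constructed sample data (the inode numbers in `HOST_NS`, `CONTAINER_DEFAULT_NS` and `CONTAINER_HOST_PID_NS` are made up for illustration) so the logic can be exercised without a container runtime.

```python
import os
from pathlib import Path

# Namespace kinds that appear under /proc/<pid>/ns on current Linux kernels.
NAMESPACE_KINDS = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")

# Kinds a default container should NOT share with the host. "user" is left out
# because Docker does not enable user namespaces unless userns-remap is configured.
EXPECTED_ISOLATED = ("pid", "net", "mnt", "ipc", "uts")


def read_namespaces(pid="self", proc_root="/proc"):
    """Map namespace kind -> link target such as 'pid:[4026531836]' for one process.

    Kinds that are missing (old kernel) or unreadable (no permission to inspect
    that process) are skipped rather than raising, so callers see a partial view
    instead of a crash on hardened hosts.
    """
    ns_dir = Path(proc_root) / str(pid) / "ns"
    found = {}
    for kind in NAMESPACE_KINDS:
        try:
            found[kind] = os.readlink(ns_dir / kind)
        except OSError:
            continue
    return found


def shared_namespaces(proc_ns, host_ns):
    """Return the sorted namespace kinds where both processes point at the same kernel object."""
    return sorted(k for k in proc_ns if k in host_ns and proc_ns[k] == host_ns[k])


def isolation_report(proc_ns, host_ns, expected_isolated=EXPECTED_ISOLATED):
    """Summarise which of the namespaces we rely on for isolation are actually shared."""
    shared = shared_namespaces(proc_ns, host_ns)
    weakened = [k for k in expected_isolated if k in shared]
    return {"shared": shared, "weakened": weakened, "isolated": not weakened}


# --- Constructed sample data (inode numbers are illustrative, not real) ---
HOST_NS = {k: f"{k}:[40000{i}]" for i, k in enumerate(NAMESPACE_KINDS)}

# A default run: every kind is private except the user namespace.
CONTAINER_DEFAULT_NS = {k: f"{k}:[41000{i}]" for i, k in enumerate(NAMESPACE_KINDS)}
CONTAINER_DEFAULT_NS["user"] = HOST_NS["user"]

# The same container started with the host's PID namespace: it can now see and
# signal host processes, which is the loss of isolation the text warns about.
CONTAINER_HOST_PID_NS = dict(CONTAINER_DEFAULT_NS)
CONTAINER_HOST_PID_NS["pid"] = HOST_NS["pid"]


if __name__ == "__main__":
    print("sample default container :", isolation_report(CONTAINER_DEFAULT_NS, HOST_NS))
    print("sample host-pid container:", isolation_report(CONTAINER_HOST_PID_NS, HOST_NS))
    # Live check: compare this process against PID 1. Inside a container PID 1 is
    # the container's own init, so this only tells you about the host when run there.
    live = isolation_report(read_namespaces("self"), read_namespaces(1))
    print("this process vs PID 1    :", live)
```

When run on a host, the live report for an ordinary process lists every namespace as shared, which is the expected baseline; the same check run from inside a container and compared against a host process's `/proc/<pid>/ns` (for example via a host-side agent) is what flags a `pid` or `net` entry that should have been private.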
As with any other technology, security risks in container environments must be understood and managed. Limiting access to the container presents the biggest challenge, says Goasguen. If you’re running a container environment without strict user privileges, for example, you may compromise its trustworthiness.
“You absolutely need to keep following your security best practices, such as the principle of least privilege,” he says. When in doubt, use the role-based access control (RBAC) protocol for fine configuration of who can do what with container images, he recommends.
Containers + Cloud: A Recipe for Better Security
Containers’ newfound status as drivers of improved security is somewhat unexpected. Just last year, ESG surveyed IT professionals about the rapid adoption of containers, and respondents cited major cybersecurity concerns about containers. Their top worry? The workload security solutions they relied on didn’t support the same functionality for containers. That meant they would have to create a separate container security configuration—a costly and complex process.
But that concern is fading, says Cahill. While no single solution covers all aspects of security across the data center, cloud, and containers, major security vendors are increasingly updating their solutions to be infrastructure- and server-agnostic.
“In addition to ‘cloudifying’ their offerings to be purposeful for cloud infrastructure environments, vendors are also adding more depth of functionality and breadth of coverage inclusive of container environments,” says Cahill.
Ultimately, enterprises are eager for the flexibility and convenience that containers offer for their applications. They are also coming to recognize and appreciate the inherent security capabilities offered by container isolation, and will welcome the strides that are being made to take container security to even higher levels. The appeal of containers, says Goasguen, is in the “convenience of usage,” but it’s their inherently dynamic and isolated structure that’s “forcing development to be more secure.”