Containers and Security

For Data Networking geeks like me, the word “container” conjures up images that are a far cry from the boxes that are used for storing food items at home. Or the huge boxes that are used to ship products from one port to another. Or lunch boxes that we carry to schools and offices. Nope. Containers, for me, are these amazing applications in a miniaturized form that can be ported from one place to another and be re-used just as they were at the place they started from. Now, if that sounds remarkably like I am talking about food, it is not because I am feeling hungry. Containers in the software world are used to transport any software, be it an OS, an application, a firewall or a service, from one host to another. And given their micro size compared to the traditionally huge sizes of software applications and files, it is no wonder that since they were discovered/introduced many years ago, they have been finding an increasing number of adopters in the industry. A survey by Datadog revealed that 25% of companies had adopted Docker in 2018. If the trend from 2015 through 2018 holds, then we are looking at 28-30% of companies that have adopted Docker.

With adoption rates like that, the thought that comes to mind is – “what about Security?” Today, more than ever, companies cannot afford to be lax about security. There are a few basic security requirements that companies deploying containers must consider:

  1. Authenticity of the content: How can it be ensured that the content in a container that is downloaded from the Docker Hub, or that is built and deployed within a company, is authentic? That there is no malware, no virus lurking within the code? For physical boxes shipped overseas, declaring the contents placed in a container is a must, and the declaration is checked at the port of entry by Customs. Who is playing the role of the Customs office at the companies deploying these containers?
  2. Exposure of underlying host parameters to deployed containers: Of course, containers are boxed items. What if there is content in there that is designed to percolate through the box and affect the underlying carrier? Huge losses can be incurred if the underlying host is infected, be it a physical carrier or, for the case in point, the host OS/platform. The degree of access to the host platform parameters, be it the networking cards, user data, filesystem, etc., must be controlled and regulated.
  3. Data Integrity: The advantage of portability of containers can quickly turn into a security risk if the integrity of the content is not maintained. The introduction of any change in the container application must be keenly guarded and regulated. CI/CD pipelines are particularly vulnerable, as the introduction of an unwanted change in one of the containers in the pipeline can adversely impact downstream processes.
  4. Networking between containers and all the risks associated with data networking: Once we have multiple containers running on a platform, we would want these containers to talk with each other. And when Data Networking enters the picture, the associated risks such as Denial of Service, Man in the Middle attacks, etc. are present. Tools, and perhaps containers, that anticipate and prevent such attacks are needed. There are companies that specialize in Networking Security. Juniper Networks is one such company offering a containerized firewall.
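To make requirement 2 concrete, here is an added example (not part of the original post) that audits how much of the host each container can reach. It assumes input in the shape of `docker inspect` output and reads its `HostConfig` fields; the sample data is constructed, and the lists of sensitive paths and capabilities are illustrative choices, not a standard.

```python
import json

# Constructed sample in the shape of `docker inspect` output (not from a real host).
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/web", "HostConfig": {"Privileged": false, "NetworkMode": "bridge",
    "PidMode": "", "Binds": ["/srv/site:/usr/share/nginx/html:ro"], "CapAdd": null}},
  {"Name": "/agent", "HostConfig": {"Privileged": true, "NetworkMode": "host",
    "PidMode": "host", "CapAdd": ["SYS_ADMIN"],
    "Binds": ["/var/run/docker.sock:/var/run/docker.sock", "/:/host"]}}
]
""")

# Illustrative lists (assumptions): host paths and capabilities that give a
# container wide reach into the underlying host.
SENSITIVE_PATHS = {"/", "/etc", "/proc", "/sys", "/var/run/docker.sock"}
RISKY_CAPS = {"ALL", "SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE"}

def host_exposure_findings(container):
    """Return the ways one container reaches into the host, as readable strings."""
    hc = container.get("HostConfig") or {}
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged mode")
    if hc.get("NetworkMode") == "host":
        findings.append("shares host network stack")
    if hc.get("PidMode") == "host":
        findings.append("shares host PID namespace")
    for bind in hc.get("Binds") or []:       # format: src:dest[:options]
        parts = bind.split(":")
        src = parts[0].rstrip("/") or "/"    # keep "/" itself intact
        mode = "ro" if len(parts) > 2 and "ro" in parts[2].split(",") else "rw"
        if src in SENSITIVE_PATHS:
            findings.append(f"mounts host path {src} ({mode})")
    for cap in hc.get("CapAdd") or []:
        name = cap.upper()
        name = name[4:] if name.startswith("CAP_") else name
        if name in RISKY_CAPS:
            findings.append(f"adds capability {name}")
    return findings

def audit(containers):
    """Map container name -> list of host-exposure findings (empty list = none found)."""
    return {c["Name"].lstrip("/"): host_exposure_findings(c) for c in containers}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, "->", findings or "no host exposure flagged")
```

On a real host the same function can be fed the parsed JSON from `docker inspect` for the running containers.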

While I have listed just 4 security concerns with Containers, I am sure there are many more. Use cases for containers abound, and as more and more companies adopt and deploy this technology, security will emerge as a prime concern. Companies that can address these challenges with innovative and potentially disruptive methods will do well.

Do share your thoughts on the container market and any use cases that you are aware of. I would love to learn more!

Residing in Bengaluru, I am a Techie by profession and a thinker and doer by birth. I muse about any topic under the sun and love to share my thoughts in print when I am not doing something with them. I love reading and at some point, thought that maybe others would like to read what I have to write, too!
