6 questions CISOs need to ask about containers

With cloud now central to most companies, containers take on an important role in the network.

container security
Thinkstock

Shoring up containers

Container technology promises greater agility and efficiency when it comes to building and deploying applications, a critical ability in this age of zero tolerance for downtime and great expectations for capabilities on demand. But with any new technology comes new risk, and security professionals must be able to accurately determine the risk-reward balance of containers for their organizations. Lars Herrmann, general manager, Integrated Solutions Business Unit at Red Hat, poses six questions CISOs must ask when evaluating container platforms.

OS Security Issues

1. How can I ensure that security issues in the OS do not affect the containers running on it, and vice versa?

It’s important to understand that containers are an operating system technology. But unlike virtual machines, containers use the OS more efficiently and in a different way. Each VM runs its own complete operating system, while containers share the same underlying operating system (the single host OS). There is also a portion of the OS inside the container, such as libraries needed for the application. This provides efficiencies and easy scale, but it can also present specific security challenges: Any vulnerability in the OS can affect the containers it is hosting, and any vulnerability in a container can affect the host OS. Look for a container solution that is built on a hardened operating system platform, supports capabilities such as isolation and vulnerability scanning, and effectively enables portability through consistency all along the container stack.

Standardization

2. What security model and/or policies are applied?

Consistency is key to both container efficiency and security. To use the shipping container metaphor, shipping companies can easily exchange containers because the container dimensions comply with international standards. Similar standards need to be established for software containers and their applications, and CISOs must look for solutions that adhere to those standards with fidelity. It’s also important not to get caught in the trap of thinking that open standards equal interoperability. Any potential container solution must be vetted for its ability to offer portability, i.e., consistency. This is especially important in terms of the container host, container image, orchestration and delivery.

Trusted content

3. How can I determine if content can be trusted?

As the use of containers increases, especially among different entities, there must be some methodology in place to ensure that the content of a container can be certified, and that any changes made are accounted for. Using containers from a trusted ecosystem, one in which the ecosystem owner certifies/vets that container content is free of known vulnerabilities and will work within your existing IT mix, is one way to achieve a solid foundation of trust for container deployments.

Change management

4. What’s the worst that can happen when images used to build a container are changed?

Undocumented changes can have a decidedly negative ripple effect. CISOs need to pursue consistency not just with containers but also in the surrounding environment, including self-service portals and lifecycle management. Containers, by their nature, are not static, but enforcing a standardized level of consistency is key to keeping changes from being all consuming.
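One concrete control for this question is to pin the base images a build pulls from, so an upstream change cannot silently alter what ends up in the container. The check below is an added example, not code from the article or from Red Hat: it scans a constructed Dockerfile and reports each FROM line as pinned (by digest), tagged, floating (latest or no tag), or unresolved (a build argument), while skipping `scratch` and references to earlier build stages.

```python
import re
from typing import Dict, List

# Constructed sample Dockerfile for the check (not from the article).
SAMPLE_DOCKERFILE = """\
FROM registry.example.com/base/python:latest AS builder
RUN pip install --no-cache-dir -r requirements.txt
FROM registry.example.com/base/python:3.11
COPY --from=builder /app /app
FROM registry.example.com:5000/base/python:3.11@sha256:0000000000000000000000000000000000000000000000000000000000000000
FROM builder AS tests
FROM ${BASE_IMAGE}
"""

# FROM [--platform=...] <image> [AS <stage>]
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?\s*$", re.IGNORECASE)


def classify_base_image(ref: str) -> str:
    """Classify an image reference by how strongly it fixes the pulled content."""
    if "$" in ref:
        return "unresolved"          # build-arg substitution: cannot judge statically
    if "@sha256:" in ref:
        return "pinned"              # content-addressed: immutable
    # Only look at the last path component, so a registry port (host:5000) is not read as a tag.
    name_part = ref.rsplit("/", 1)[-1]
    if ":" in name_part:
        tag = name_part.split(":", 1)[1]
        return "floating" if tag == "latest" else "tagged"   # tags can be re-pushed
    return "floating"                # no tag means an implicit :latest


def audit_dockerfile(text: str) -> List[Dict[str, object]]:
    """Return one finding per real base-image FROM line, with its pinning status."""
    findings: List[Dict[str, object]] = []
    stages = set()                   # names of earlier build stages, which are not pulls
    for lineno, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref, stage = m.group(1), m.group(2)
        if stage:
            stages.add(stage.lower())
        if ref.lower() == "scratch" or ref.lower() in stages:
            continue
        findings.append({"line": lineno, "image": ref, "status": classify_base_image(ref)})
    return findings


if __name__ == "__main__":
    for f in audit_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {f['line']}: {f['status']:<10} {f['image']}")
```

Anything other than `pinned` is a point where an image can change underneath a build without any record in your own change process.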

Third-party products and services

5. What third-party products and services are being used/available to help lock down containers?

Partnerships are key when it comes to containers. Look for platform providers that can demonstrate strong, strategic partnerships with both the open source communities that are working to build and improve container technology and vendors that fill any gaps in the platform provider’s solution. This also highlights the need for seamless integration of third-party container-centric solutions, with the proper policy control and management in place, to help provide consistency across a container implementation.

What’s next?

6. What can we expect to see one year down the line?

While containers are not a new technology, they are being used in many new ways. Any vendor or community a company works with should be able to articulate in an understandable way what its container plans are through the year ahead. Things are still very much in flux in the container world, but any container platform/solution providers should be able to offer thought leadership and direction.