The growing popularity of containers may cause some organizations to wonder about security-related issues: are containers as secure as virtual machines (VMs)? What can be done to help ensure that container environments protect data – especially when in production?

Addressing the first question starts with understanding how the vulnerabilities of the two systems differ. Many assume that VMs are significantly more secure than containers because the hypervisor isolates them from the host. However, each VM carries its own software stack, including virtual device drivers and network protocol components, and each of those components can be prone to security threats.

Containers, too, have potential vulnerabilities. In particular, containers generate more internal (container-to-container) traffic, which often bypasses traditional network security tools and so leaves containers more exposed to outside threats. On the other hand, in a container-based infrastructure the security tools can be centrally managed and patched on the host. Applying updates to user-level software is much easier to manage centrally in container-based solutions, and is typically less disruptive to users' activities than in their VM-based counterparts.

Best practices for protecting container data

Embracing container encryption is a crucial step in keeping containers safe. Data used by containers is encrypted at rest, ensuring that only encrypted data is stored on disk. When the data is loaded into memory for user access it is decrypted automatically, and it is encrypted again when written back to the storage destination.

Data used by containers can only be accessed with encryption keys, obtained through integration with a Key Management System (KMS) such as SafeNet or an open source alternative. This added level of data protection delivers the enhanced security that businesses need, while allowing them to take advantage of the benefits containers provide.

In addition to encryption, the key to keeping container data safe is to remember the best practices that apply to all operating environments, including hardening the OS and limiting the attack surface. Among software- and configuration-related security factors, the security of operating system components and applications matters most: those vulnerabilities are typically the easiest to detect and exploit, and they are also the greatest in number. Keeping the system up to date with security patches provides the greatest security benefit; systems that make patching easy and compliance routinely verifiable are more secure than those that are harder to patch and whose compliance is more difficult to verify.

According to Forrester’s Ten Basic Steps to Secure Software Containers report, a key step in securing containers for production is to closely monitor container operations: “Check container signatures to make sure that what's been developed and approved is the same as what's been deployed to production.”

Paying close attention to image management is another crucial component of container protection. Specifically, using only secured, signed images that remain unchanged from development and testing through to production helps preserve container integrity. Image signatures validate authenticity and help identify any tampering.
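The signature check that the Forrester quote and the paragraph above call for, as an added illustration rather than code from the original article or from any particular registry or signing tool: the approval step signs the image name together with the sha256 digest of its manifest, and the deploy-time gate recomputes the digest of what is actually being deployed and verifies it against the trusted release public key. The manifest bytes, the image name `registry.example/app` and the use of Ed25519 are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// ImageRef pairs an image name with the hex sha256 digest of its manifest.
type ImageRef struct {
	Name   string
	Digest string
}
// Digest computes the hex sha256 of a manifest, the way registries identify content.
func Digest(manifest []byte) string {
	sum := sha256.Sum256(manifest)
	return hex.EncodeToString(sum[:])
}
// payload binds name and digest together so a signature cannot be replayed
// onto a differently named image that happens to share the digest.
func payload(ref ImageRef) []byte {
	return []byte(ref.Name + "@sha256:" + ref.Digest)
}
// GenerateReleaseKey makes the signing key pair held by the approval step.
func GenerateReleaseKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}
// SignImage runs once an image is approved: it signs name+digest with the release key.
func SignImage(priv ed25519.PrivateKey, ref ImageRef) []byte {
	return ed25519.Sign(priv, payload(ref))
}

// AdmitImage is the deploy-time gate: recompute the digest of the manifest actually
// being deployed and verify the signature with the trusted public key. It returns
// false for a missing or forged signature, a modified manifest, or a renamed image.
func AdmitImage(pub ed25519.PublicKey, name string, manifest []byte, sig []byte) bool {
	return ed25519.Verify(pub, payload(ImageRef{Name: name, Digest: Digest(manifest)}), sig)
}

func main() {
	pub, priv, _ := GenerateReleaseKey()
	approved := []byte(`{"schemaVersion":2,"layers":["sha256:0a1b"]}`) // constructed manifest
	sig := SignImage(priv, ImageRef{Name: "registry.example/app", Digest: Digest(approved)})
	fmt.Println("approved image admitted:", AdmitImage(pub, "registry.example/app", approved, sig))
	tampered := []byte(`{"schemaVersion":2,"layers":["sha256:dead"]}`) // altered after approval
	fmt.Println("tampered image admitted:", AdmitImage(pub, "registry.example/app", tampered, sig))
}
```

In a real pipeline the public key would be pinned in the deployment environment and the private key kept in the KMS mentioned earlier, so that a signature can only be produced by the approval step.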

Data protection is a key business requirement for using virtualized solutions in production environments, especially where containers are involved.

