Containers: Security Minefield — or Channel Goldmine?

No enterprise likes its workloads to be boxed in anymore, which is one of the reasons why containers are so hot. When IT needs to move an app from a physical server to a cloud, or from a developer’s machine to a test environment, containers such as those provided by Docker and CoreOS are the way many are choosing to go. But what does this mean for management and security?

Plenty. There’s also plenty of opportunity for channel partners with the know-how to help customers get it right.

While not a new concept – containers trace their roots back to capabilities in FreeBSD and Oracle Solaris 10 – they have caught on in mainstream computing in a big way, relatively quickly. DevOps.com recently surveyed 285 enterprises and found that 38 percent of them are already using containers in production, and 65 percent plan to deploy into production this year.

However, your customers are no doubt learning that the shift to containers isn’t without operational and security challenges: Respondents also cited significant barriers, including security (named by 61 percent), data management (53 percent), networking (51 percent), skills (48 percent) and storage (48 percent).

Container Security: Benefits & Challenges

Just to be clear, it’s not all gloom and doom when it comes to container security. When managed properly, containers provide a way for enterprises to patch more quickly and more often, and automated scripts make it easier to manage installed software components.

And, of course, containers make it more straightforward to segregate applications that would be sharing the same host.

However, the flexibility containers provide, if not properly managed, can also introduce security weaknesses. For instance, with containers, it’s easy to have many instances of applications within different containers, each with unique settings and potentially even patch levels. And the inherit separation of containers is typically not as strong as the segregation provided by traditional virtualization setups.

“Many enterprises just don’t know how to manage containers yet when it comes to good security operations,” says David Mortman, contributing analyst at the security research firm Securosis. “Additionally, when you start using containers, you are generating another stage of abstraction, which can be weaker.”

Docker is certainly aware of the security challenges around containers. At DockerCon 2015, the container platform provider made a number of important security announcements, such as its embrace of usernamespaces, which means it’s no longer necessary to set up privileged accounts to perform tasks. Docker containers now support certain types of additional authentication, and containers stored in Docker’s container repository can undergo vulnerability assessments.

This evolution – a technology moving from less secure to more secure – is normal. First, an enterprise technology appears and it’s declared hot, even though there’s little to zero consideration for security; as a result IT, operations and security teams must scurry to manage the new technology, learning as they go. It takes, generally, 12 to 18 months for security vendors to bring the necessary tools to market.

Remember how mobile-device management practices had to scramble to catch up with BYOD?

When it comes to security, maturity takes time. This is an opportunity for solutions providers to guide their customers through current options and fill any gaps with smart policies. An education program to prepare customer IT teams for the future of container security would be a win for clients, too.

Another minefield channel providers can help clients navigate: regulatory burdens as they relate to container deployments in production.

Industry and government regulators are always playing compliance catchup when it comes to radically new technologies. Mandates that demand not only compliance but the ability to report on and validate the presence of certain controls, such as identity and access management, systems monitoring and data segmentation, are tremendously complex tasks for customers, and a lucrative services engagement for partners.

Another area of guidance enterprises need now is how to automate any security testing that can be automated.

Andrew Storms, VP of security services at lean security consultancy New Context, agrees.

“Docker Bench for security, for example, can be used to automate necessary tests when deploying Docker containers into production,” Storms says. “And frankly, if enterprises are not automating container management and security testing, they are heading to a world of hurt.”

No doubt. And it makes a lot of sense. After all, DevOps and continuous integration and continuous deployment are all about automating what can be automated. There’s a market for channel providers that are able to help their customers identify weaknesses in how they’re deploying, managing and securing software containers.

George W. Hulme is an internationally recognized security and business technology writer. For more than 20 years Hulme has written about business, technology and IT security topics. From March 2000 through March 2005, as senior editor at InformationWeek magazine, he covered the IT security and homeland security beats. His work has appeared in Channel Partners, CSOOnline, ComputerWorld, Network Computing, Government Computer News, Network World, San Francisco Examiner, TechWeb, VARBusiness and dozens of other technology publications.