Few technologies have been as transformative on the IT landscape as containers. Yet, despite being around for nearly two decades, the term still leaves many a technologist scratching their heads. While DevOps engineers and agile developers are likely well-versed in their nuances by now, the same is not true of many security experts I speak with. They typically fall into one of two camps: those who don’t fully understand containers and the risks they pose, and those who do but are unsure how to secure them.
A container is a modern virtualization method that uses a single kernel to power multiple applications simultaneously. They contain all the parts and elements needed to run and execute the application contained within. Think of them like IKEA furniture for software – they don’t assume you have any particular hardware handy, nor any tools. If you have hands and some ability to read instructions, you can build that piece of furniture with only what is in the box and use it in your environment.
Countless other bylines and white papers exist to explain the numerous benefits and cost savings containers offer, stemming from their portability, reproducibility, versatility, and being able to run directly on a virtual machine without the need for hypervisors or multiple software licenses. Suffice it to say, because of their design, they offer many benefits for software developers and end-users alike and are highly desirable for modern IT solutions.
New Technology = New Attack Surfaces = New Security Problems
However, for all their benefits, containers also present numerous frustrating security challenges. First, containers are at their best when they are deployed to elastic cloud environments, whether private, private/public hybrid, or all-public. That, combined with their portability, fleeting nature, loose access control and general lack of visibility into multi-cloud environments, makes containers hard to manage and introduces a whole new attack surface to consider.
Another problem with containers stems from the mandatory considerations of various regulatory requirements, such as those from NIST, FedRAMP, the Health Insurance Portability and Accountability Act (HIPAA) and others, when dealing with complex, hybrid cloud environments in the federal government. Ensuring the numerous underlying compliance requirements are met has grown beyond burdensome for security teams who simply don’t have the bandwidth to keep up, especially amid the next point.
Because containers have only recently experienced rapid popularity, many organizations don’t have the right security tools to adequately monitor and secure containers, and the tools that do exist exclusively secure the container alone, not the rest of the technology stack.
As a result, organizations either don’t have the right tools or are forced to adopt multiple security platforms, making for a more complicated security solution even as IT operations gain a boost in efficiency. They face these challenges amid a growing talent gap and constantly shifting compliance and regulatory environments. Organizations simply cannot realize the benefits of container efficiency if forced to incur added security costs, ongoing compliance battles and short staffing challenges.
Containing Container Risks & Costs
How can cost- and security-conscious organizations, like federal agencies, leverage the benefits of containers while also ensuring security and continuous compliance?
One of the most important challenges to container security is monitoring where containers live, what they contain, and how they move and interact across the bounds of cloud infrastructure.
Agencies and organizations need to adopt holistic cloud security solutions that secure both containers and the environments on which they run, and that can also look into the container to see what it actually holds. This trifecta of security capabilities is too often missing in current federal security stacks.
Meanwhile, the lack of cybersecurity professionals is a frequent federal refrain when addressing the issue of security. The best solutions will also automate the ability to detect, analyze and then secure containers and other cloud infrastructure from a single platform, easing the burden on security teams struggling to manage their sprawling ecosystems. They will automate compliance and will help agencies recognize compliance as an imperative of equal import to intelligence and threat intelligence solutions.
Both cloud and containers are here to stay and they will only grow more prolific in coming years – the much-covered Joint Enterprise Defense Infrastructure (a.k.a. JEDI) contract is a stunning example of just how big cloud is and will become.
To fully leverage the benefits of cloud, containerization and agile development, agencies will face a growing need for a single cloud security solution, one that does not get in the way, and one that can grow with the agency as it moves from on-premises infrastructure into public cloud. Realizing that, agencies will finally be able to reduce both risk and the spiraling costs associated with multiple point security solutions.