Containers are more secure than apps running on a bare OS and organisations that like not being hacked therefore need to seriously consider a move, according to analyst firm Gartner.
Analyst Jeorg Fritsch, in a new document titled How to Secure Docker Containers in Operation says “Gartner asserts that applications deployed in containers are more secure than applications deployed on the bare OS” because even if a container is cracked “they greatly limit the damage of a successful compromise because applications and users are isolated on a per-container basis so that they cannot compromise other containers or the host OS”.
Which is not to say that containers are perfect: the paper acknowledges that they possess “... innate security properties that make them vulnerable to kernel privilege escalation attacks” and are therefore “not the right tool for high-risk-assurance isolation.”
The paper nonetheless advocates that organisations “Benefit from the security of Linux containers by using a 'container first' approach” and “Deploy internet-exposed applications in Docker containers with best-practice security whether or not you do CI/CD/DevOps.”
Which is not to say containers are a magic security fix. As the paper's name implies, Docker needs to be done right in order to deliver its security benefits. Doing it right means hardening the host on which Docker runs in accordance with Docker's own guidance, then considering third-party Docker security products from the likes of Aqua Security, CloudPassage, Twistlock and Weave. Mastering logical security zoning and network isolation is a must. You'll also need to wrap your head around microservices routing, so that when you start to build apps comprised of containers chatting to each other they do so securely.
You'll also need to understand kernel controls to ensure your containers get the right level of access to their host's kernel.
“In the Linux OS and in Linux containers, every system call is a direct interaction with the kernel,” Fritsch writes, noting that's “the very same kernel that all segregation features depend on. System calls are a signicant attack surface, where nothing must go wrong.”
Overall, however, the paper suggests that organisations consider a move to containers. And not just to keep up with the DevOps crowd. ®