Do containers make software security easier or more difficult to achieve? That depends on your perspective. In some respects, container security is inherently more difficult than virtual machines, and in others it is fundamentally easier.
Let’s consider three ways in which container security is challenging, and three other factors that make container security easy to achieve.
Container Security Challenges
On the challenges front, consider the following:
- Containers are complex. No matter how exactly you build your containerized environment, which components you use or whether you are running a stateless or stateful app, any production-quality container environment is almost certainly going to be very complex. It will have multiple fast-changing components and layers. The complexity and dynamism of containerized applications makes them inherently difficult to manage from a security standpoint.
- Lack of isolation. One of the nice things about virtual machines is that if an attacker takes over your virtual machine, the damage he can do is limited to that particular virtual machine. This is not so with containers. An attacker who compromises one container could potentially gain access to others on the same host. The lack of strict isolation between containers is another inherent container security challenge.
- Ecosystem complexity. The tools you use to build, deploy and manage your containers probably come from multiple upstream sources. This makes containers different from virtual machines, where one vendor (such as VMware) or software distribution provider (such as Canonical or Red Hat) typically provides a single source for all of your virtualization software. When you are dealing with multiple independent components that do not originate from a single source or repository, the responsibility is on you to ensure that all of those components are up-to-date and properly secured.
How Containers Help Improve Security
Fortunately for container admins, not everything on the container security front is bad news. In other respects, containers can make it easier to deploy software securely:
- Immutable infrastructure. Containers are a perfect building block for immutable infrastructure. In an immutable infrastructure architecture, components are totally replaced when they need to be updated, rather than modified while they are still running. This approach reduces the risk of introducing a bug that could lead to a security vulnerability. It also makes it easier to roll back a deployment quickly and cleanly if a security problem arises.
- Fast updates. Containerized applications are typically easy to update quickly. What’s more, you can update particular containerized microservices without touching other services in the application. When you can update software quickly and easily, you can apply security patches more effectively.
- Open ecosystem. Many (though not all) of the tools in the container ecosystem, such as Kubernetes and Docker itself, are open source. If you subscribe to the logic that open source code is more secure because many eyeballs make bugs shallow, as Eric S. Raymond would have it, then this is a good thing from a container security perspective.
The bottom line: Overcoming the inherent security challenges of containers is difficult, but it’s certainly possible—especially when you leverage the built-in security advantages that containers confer.