In the wake of an earlier survey that revealed one-third of developers in enterprise IT organizations have adopted containers, Forrester Research is now making available a report that defines a set of best practices for container security.
Sandy Carielli, a principal analyst for Forrester Research, says that with another 25% of respondents reporting they either want or plan to adopt containers this year, it is now only a matter of time before container security becomes a much bigger concern.
Most cybersecurity professionals still don’t fully appreciate how different securing highly ephemeral containers is from securing virtual machines, which, by comparison, are fairly static. Due to the ephemeral nature of containers, she notes, cybersecurity teams are never going to be presented with a list of containers that need to be secured. By the time such a list was created, most of those containers would no longer exist. A container is not simply a miniature version of a virtual machine, Carielli says.
As such, it’s not feasible to extend existing cybersecurity policies to container environments without adding new tooling that, among other things, creates uniform templates and eliminates manual processes, she adds.
Savvy IT organizations, she says, are moving toward a model where some members of the development team become cybersecurity champions. Policies are still defined by the cybersecurity team, but their implementation is left to the development team.
The challenge is providing development teams with the tooling required to implement those policies. Many organizations are now adopting technologies such as integrated development environments (IDEs) that can automatically identify instances of insecure code. At the same time, container security scanning tools are being integrated with continuous integration/continuous delivery (CI/CD) platforms to identify any potential runtime security issues before containers are deployed in a production environment.
Collectively, those tools are laying the foundation for a set of best DevSecOps practices that will redefine the sometimes contentious relationship between developers and cybersecurity professionals, Carielli says.
Container security issues have not reached the point where they have become an IT crisis. It is clear, however, that there is now a greater sense of urgency. Developers are adopting containers at a faster rate to build microservices-based applications that not only are faster but also run at higher levels of scale more cost-effectively.
Even as the number of microservices-based containers continues to scale, however, cybersecurity teams will need to continue to secure existing monolithic applications. Many of those apps might one day give way to microservices, but within many enterprise IT organizations that process could take a decade or more.
In the meantime, it’s not a question of whether cybersecurity concerns are inhibiting container adoption; rather it’s a question of whether adoption of containers in the absence of best DevSecOps practices might lead to a breach. Of course, there’s nothing quite like a data breach to focus the cybersecurity mind. However, the hope is that an ounce of container security prevention now will eliminate the need for a pound of proverbial cure later, which is sure to be a lot more difficult to implement retroactively.