
Best practices for container security in the data center

Container sprawl and container repositories can introduce new vulnerabilities to a data center. Here's what organizations should watch out for and how to stay safe.

Containers present unique security challenges that VMs and bare metal do not, and data centers must learn and adapt to those challenges.

Although containers might present certain unfamiliar security risks, data center admins who work with them can learn several effective ways to keep their container environments safe.

Container sprawl and repository vulnerability

Many data centers have security concerns regarding container sprawl -- much like data centers' concerns about VM sprawl when that technology was new. Developers can also deploy containers much faster than VMs, and the speed of deployment might mean those developers neglect to use proper security controls.

"The biggest issue with container security is that developers create containers and, in the process, mistakes are being made," said Neil MacDonald, vice president and analyst at Gartner.

The most common of those mistakes is the inclusion of software components with a known vulnerability, such as software pulled from GitHub or a container repository. Repositories can thus become a source of built-in vulnerabilities when developers build applications on the images they hold. To keep environments safe, admins must secure the container image, understand the threats inherent to certain images or upgrade to safer images.

"You need to take the approach of limiting the tools and libraries and the agents that you have in your library," said Sandy Carielli, an analyst at Forrester Research.

Developers must adopt a more minimalist approach when it comes to containers. They should ensure that their software delivers only what they require and nothing more. Many developers like to add "nice to have" extras to their applications once they meet all basic functional requirements. However, eliminating anything an application doesn't require creates a much safer application.

"If you have something that is overstuffed with things people think they might need or want, it is more likely to have vulnerabilities," Carielli said. "That is why software analysis tool vendors are expanding into containers."

Containers in different environments

Organizations must manage many different container types and runtime environments, which creates additional vulnerabilities.

"You must be able to monitor all containers for all issues and configurations, [regardless of] container drift," Carielli said.

Data centers can consider several tools that monitor containerized apps in different runtime environments for configuration issues and changes. However, if a data center scans only for known vulnerabilities, it might miss other potential problems such as API keys or passwords lurking in code.

Licensing issues can also create problems. Although not a security issue per se, contaminated source code that originated in a commercial product, or even a Bitcoin mining library, could hide in container code.

How to increase container security

The easiest way to keep containers safe is to scan the containers early on in the development cycle and look for things that violate policies. Products from vendors such as Trend Micro, McAfee and Palo Alto Networks offer software composition analysis, which can scan for such vulnerabilities.
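As an added illustration of the early policy scan described here (this is example code written for this page, not from the article or any vendor product), the following script checks a Dockerfile for several of the issues the piece names: an unpinned base image, secrets set through ENV or ARG, non-essential tools baked into the image, and running as root. The sample Dockerfile, the keyword patterns and the list of non-essential tools are constructed assumptions, not a published policy.

```python
import re

# Constructed sample Dockerfile used only to exercise the checks below.
SAMPLE_DOCKERFILE = """\
FROM python:latest
ENV AWS_SECRET_ACCESS_KEY=PLACEHOLDER-NOT-A-REAL-KEY
RUN apt-get update && apt-get install -y curl vim netcat
COPY . /app
CMD ["python", "/app/main.py"]
"""

# Variable names that suggest a credential is being baked into the image (assumed list).
SECRET_NAME_RE = re.compile(r"(secret|password|passwd|token|api_?key)", re.IGNORECASE)
# Debug and build tools a minimal production image should not carry (assumed policy list).
NONESSENTIAL_TOOLS = {"vim", "nano", "netcat", "nc", "telnet", "gcc", "make"}


def scan_dockerfile(text):
    """Return a list of (line_no, rule, detail) policy findings for a Dockerfile.

    Only the KEY=value form of ENV/ARG is inspected; line 0 marks whole-file findings.
    """
    findings = []
    non_root_user = False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, args = line.partition(" ")
        instr = instr.upper()
        if instr == "FROM":
            image = args.split()[0]
            # A missing tag or ':latest' means the build is not reproducible or reviewable.
            if ":" not in image or image.endswith(":latest"):
                findings.append((no, "unpinned-base", image))
        elif instr in ("ENV", "ARG"):
            for m in re.finditer(r"([A-Za-z_][A-Za-z0-9_]*)=(\S+)", args):
                if SECRET_NAME_RE.search(m.group(1)):
                    findings.append((no, "secret-in-env", m.group(1)))
        elif instr == "RUN":
            for tool in sorted(set(re.findall(r"[\w.+-]+", args)) & NONESSENTIAL_TOOLS):
                findings.append((no, "nonessential-tool", tool))
        elif instr == "USER":
            non_root_user = args.strip() not in ("root", "0")
    if not non_root_user:
        findings.append((0, "runs-as-root", "no non-root USER instruction"))
    return findings


if __name__ == "__main__":
    for line_no, rule, detail in scan_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {line_no}: {rule}: {detail}")
```

Run against the sample, the scan reports an unpinned base image, a secret-looking ENV variable, two non-essential tools and the absence of a non-root USER; a clean Dockerfile returns an empty list.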

Data centers can also employ browser plugins that flag vulnerable components before a developer downloads them.

"Some vendors also offer what is essentially a scanning appliance, something like a firewall, that can block these downloads," MacDonald said. "Over time, the code repositories themselves will probably start to do a better job, without requiring third-party help."

However, scanning containers has associated costs, and getting developers to buy in might present a separate challenge.

"Developers aren't asking for these capabilities, it is the security and compliance people that are realizing they have exposure if things aren't scanned before they are released," MacDonald said. But if scanning is done correctly, it's a win-win. "You avoid risky code going into production and you can also avoid slowing the developers down."
