Before we get into what a container is, we need you to understand the difference between today’s term ‘Container’ and the previous term CyberHoot published ‘Hypervisor‘. Knowing the difference between these two concepts will help you deepen your understanding of modern virtualization technologies. Put simply:
- Virtual machines and hypervisors abstract away hardware and enable you to run operating systems
- Containers (technically container engines) abstract away operating systems and enable you to run applications.
A Container is a piece of software where application code is packaged with its libraries and systems in similar forms so that it can be run anywhere, whether on a desktop, laptop, or the cloud. Containers take advantage of a form of operating system (OS) virtualization where pieces of the OS are used to both isolate processes and control the amount of CPU, memory, and disk that those processes have access to. Containers are small, fast, and portable because unlike a virtual machine, containers don’t need to include a guest OS in every instance and instead leverages the features and resources of the host OS.
Additional Reading: DevOps Teams Fail To Secure Software Container Environments
What does this mean for an SMB?
1) Develop, run and support applications made possible by containers
Adopting containers might be disruptive to your existing development methodologies and your current practices might not be directly applicable in a containerized environment. Encourage, educate, and train your development team to rethink how they code and operate. Consider putting your developers through OWASP’s Top 10 insecure coding practices training to avoid these common mistakes.
2) Use a container-specific host OS instead of a single-purpose Host to reduce attack surfaces
A container-specific host operating system is a minimalist OS designed to only run containers. Using these OSs considerably reduces attack surfaces.
3) Only group containers with the same purpose, sensitivity, and threat posture on a single host OS kernel
Segmenting containers helps provide additional defense. Grouping containers in this manner makes it more difficult for a hacker to expand compromises to other groups. It also increases the likelihood that compromises will be detected and contained.
4) Adopt container-specific vulnerability management tools and processes for images
Traditional security tools make many assumptions that are misaligned with a container model causing them to be unable to detect vulnerabilities within containers. Adopt tools and processes to validate and enforce compliance with security configuration best practices for images, including centralized reporting, monitoring each image, and preventing non-compliant images from being run.
5) Consider using hardware-based countermeasures to provide a basis for trusted computing
Extend security practices across all tiers of the container technology by basing security on a hardware root of trust, such as the Trusted Platform Model (TPM).
6) Use container-aware runtime defense tools
Deploy and use a dedicated container security solution able to monitor the container environment and provide precise detection of malicious activity within it. The most efficient way to ensure security at scale is to integrate security functions and procedures into each phase of development and deployment.