Before we get into what a container is, we need you to understand the difference between today’s term ‘Container’ and the previous term CyberHoot published ‘Hypervisor‘. Knowing the difference between these two concepts will help you deepen your understanding of modern virtualization technologies. Put simply: 

  • Virtual machines and hypervisors abstract away hardware and enable you to run operating systems
  • Containers (technically container engines) abstract away operating systems and enable you to run applications.

A Container is a piece of software where application code is packaged with its libraries and systems in similar forms so that it can be run anywhere, whether on a desktop, laptop, or the cloud. Containers take advantage of a form of operating system (OS) virtualization where pieces of the OS are used to both isolate processes and control the amount of CPU, memory, and disk that those processes have access to. Containers are small, fast, and portable because unlike a virtual machine, containers don’t need to include a guest OS in every instance and instead leverages the features and resources of the host OS.

Source: IBM, NetApp, RedHat, TripWire

Additional Reading: DevOps Teams Fail To Secure Software Container Environments

Related Terms: Hypervisor, Virtual Private Network (VPN)

What does this mean for an SMB?

SMB owners and most staff don’t need to be aware of containers and the security surrounding them. IT staff or third parties who manage your systems should understand how virtualization, hypervisors, and containers work. They also need to understand the proper way to secure this technology. Security measures include securing the individual applications run in a container to secure the infrastructure they run on. Container security needs to be integrated and continuous. CyberHoot recommends putting the following plans into place: 
1) Develop, run and support applications made possible by containers

Adopting containers might be disruptive to your existing development methodologies and your current practices might not be directly applicable in a containerized environment. Encourage, educate, and train your development team to rethink how they code and operate. Consider putting your developers through OWASP’s Top 10 insecure coding practices training to avoid these common mistakes.

2) Use a container-specific host OS instead of a single-purpose Host to reduce attack surfaces

A container-specific host operating system is a minimalist OS designed to only run containers. Using these OSs considerably reduces attack surfaces.

3) Only group containers with the same purpose, sensitivity, and threat posture on a single host OS kernel

Segmenting containers helps provide additional defense. Grouping containers in this manner makes it more difficult for a hacker to expand compromises to other groups. It also increases the likelihood that compromises will be detected and contained.

4) Adopt container-specific vulnerability management tools and processes for images 

Traditional security tools make many assumptions that are misaligned with a container model causing them to be unable to detect vulnerabilities within containers. Adopt tools and processes to validate and enforce compliance with security configuration best practices for images, including centralized reporting, monitoring each image, and preventing non-compliant images from being run.

5) Consider using hardware-based countermeasures to provide a basis for trusted computing 

Extend security practices across all tiers of the container technology by basing security on a hardware root of trust, such as the Trusted Platform Model (TPM).

6) Use container-aware runtime defense tools

Deploy and use a dedicated container security solution able to monitor the container environment and provide precise detection of malicious activity within it. The most efficient way to ensure security at scale is to integrate security functions and procedures into each phase of development and deployment.

To learn more about Containers, watch this short 3 minute video:

Are you doing enough to protect your business?

Sign up with CyberHoot today and sleep better knowing your

employees are cyber trained and on guard!

Share this on your social networks. Help Friends, Family, and Colleagues become more aware and secure.