Pei Ling Hoo - Fotolia


An introduction to cloud container security

While the benefits of cloud containers are readily apparent, there aren't clear guidelines on how to secure the technology. Expert Rob Shapland offers pointers on how to stay safe.

The rise of Docker, Linux LXC and other container providers has many asking the question of whether cloud container...

technology is secure enough for enterprise use.

Sure, it's less mature than traditional hypervisor-based virtual machines, largely because the technology is still fairly immature. Yet, while the performance benefits are obvious, not much has been discussed about container security.

What are cloud containers?

Containers differ from technologies such as VMware and VirtualBox in a number of ways.

First of all, containers generally have one purpose, which is to host a Web server or a database. Technologically, the fundamental difference between containers and virtual machines is that virtual machines emulate virtual hardware and require a hypervisor, and therefore require much more disk space and processing power than cloud container technology. As a result, cloud containers are appealing components for cloud providers' security programs. Docker, for example, has partnerships with all the major cloud service providers, including Amazon, Microsoft and Google.

Container technology is undoubtedly incredibly useful -- it can provide improved portability and customization while simultaneously reducing resource consumption and costs -- but as is the case with many "buzzword" technologies, security often takes a backseat.

Cloud container security issues

The biggest issue with containers is that they do not have the same security boundaries virtual machines have. Theoretically, if a hacker can find an exploit in the underlying operating system, he can leverage that to gain access to the containers as well. The same is theoretically possible in reverse; a hacker could potentially exploit the container and gain access to the underlying server.

To make matters worse, Docker and other container technologies employ some functions that run as the "root" superuser (Docker said it addressed root privilege concerns in release 1.8, which was introduced last month). This could have even larger implications in cloud provider environments: Imagine a situation where all cloud services were deployed via containers and a hacker was able to break out of one container and access other containers on the same hardware. The impact of this could be devastating for cloud providers and cloud users alike. Therefore, the deployment of container technology needs to be considered carefully.

Containers' ease of deployment and lower resource requirements -- and, therefore, cost -- should be taken advantage of.

Another problem with containers is the actual creation process. For example, if an enterprise creates its own container, it will only be as secure as the organization's own ability; if the proper staff is not on premises to build, secure and manage it, the container may not deliver its perceived benefits -- using a premade container may be better. However, this comes with its own caveats. If an enterprise acquires a container from a repository, it may not know exactly what is being downloaded; for example, what if the container has key logging technology that uploads usernames and passwords to a remote server?

These security issues are all the more prevalent because limited research has been conducted into container security. Additionally, there are no central guidelines for how to secure them.

Simply put, there is still work to be done before containers can be considered to be as secure as virtual machines. However, this work is ongoing. Docker released a major security update in August 2015 that included a new feature called Docker Content Trust that aims to alleviate the concerns of how to safely deploy containers by providing a public-key-based signing mechanism for container repositories.

Best practices for securing cloud containers

If an enterprise is obtaining Docker containers from public repositories, it should look for those that are signed by the new Docker Content Trust system to ensure it is downloading a legitimate container. Other key points to note: Be sure to disable unneeded functionality, and make sure only trusted users can control the daemon that controls the container. It's also worth enabling the inter-container firewall to restrict interaction between different containers.

As they become more secure, containers should have a place in most organizations. Their ease of deployment and lower resource requirements -- and, therefore, cost -- should be taken advantage of where the criteria for the deployment matches the benefits of containerization. For example, IT teams looking to deploy database systems can easily acquire a MySQL container that has all the dependencies installed and ready to go, vastly reducing the time it takes to deploy the system. The most likely scenario will be for containers to be featured alongside virtual machines rather than replace them. There seems to be a place for both technologies in enterprise deployments.

In conclusion, containers are an excellent technology and should be considered for business adoption. Their use alongside virtual machines can save time and money, but their deployment needs to be conducted carefully -- and from reputable sources.

About the author
Rob Shapland manages the penetration testing team at First Base Technologies and has over seven years' experience conducting penetration tests for many companies, from small businesses up to major international organizations. He specializes in simulating advanced cyberattacks against organizations' networks, combining social engineering techniques with technical attacks. Shapland is also a regular speaker at events and conferences around Europe.

Next Steps

Read an intro to Docker and its effects on cloud security

Learn the cloud security considerations for Docker hosting

Is container virtualization just a fad?

Dig Deeper on Cloud Computing Virtualization: Secure Multitenancy - Hypervisor Protection