Containers: has their ship come in?

Leaky containers make a mess

Although containers are meant to be independent and isolated from each other and the host system, Red Hat’s McCabe says security is not yet foolproof enough for mass adoption in the business world.

“This is likely because, as a new technology, the full scope of potential security issues around Linux containers is still being uncovered. Containers tend to operate under a traditional security model and have core features in place that will provide a certain level of protection, but these don’t always provide the complete isolation of applications – simply put, ‘containers don’t always contain’, ” says McCabe.

“This means that improperly implemented or even malicious containers can cause significant damage, just like any other poorly-coded or malware-harbouring application. Another level of separation is required to fully secure containers and their environment.”

McCabe puts forward three developments that he hopes will enhance security and take containerisation to the mainstream. First is knowing what’s inside container: “When implementing containers, establishing trust is critical… Companies need to be sure that their containers’ contents will not introduce malicious or vulnerable code into production environments and that affected containers are identified quickly and replaced to maintain high security levels.”

Second initiative is to implement management tools. “Companies must have management tools in place to track containers across all platforms and quickly respond to threats and patching or replacement issues. Containerised applications that can be replaced with minimum effort at a large scale contribute to this secure framework.”

The third plan of attack is to use reliable “advisers”. 

“IT organisations need to verify a container’s source, track the container when it is being deployed across different platforms and make sure the container receives the support and updates required throughout its lifecycle,” says McCabe. “Reliable advisers will be able to provide this ’chain of trust’, from the container creation, throughout delivery, until the end of the lifecycle. These advisers can provide both the technology and the ecosystem that supports containerisation and that makes containers enterprise-consumable.”

A natural evolution

Despite the security issues to be ironed out, McCabe says that containers are “a natural evolution”. 

“It’s about time people who are spending hundreds of thousands, if not millions, of dollars on a hypervisor have a good think about putting that money towards developing better business outcomes rather than keeping the lights on.”

ASE’s Sjoquist agrees: “The scalability that containerisation gives customers is something that [traditional] hosting can’t provide.”

Perhaps with containers, we can all combat cloud fatigue.

Next: Containerisation on Windows