What Is a Secure Container?

Container platforms are the new kid on the coding block. They are the latest iteration in programming architecture and generally considered to be among the most innovative and efficient, to date. Containers are simple, lightweight, portable, and agile — but are they secure?

The container platform’s alleged lack of maturity coupled with its rapid adoption has raised security concerns. According to Red Hat, a secure container is dependent on three factors. 

• Securing the container itself and the application it hosts
• Securing the deployment environment and infrastructure
• Integrating enterprise security tools and meeting/enhancing existing security policies

What steps should be taken to secure containers?

Container platforms as an architecture may be new, but the concepts that run it are not. Security standards and policies on those concepts have long been established. In cybersecurity, the strength of the chain is the weakest link. Let’s start with the containerized application itself. On the topmost app layer, it contains the code of what the container does; due to its lightweight architecture, the persistent storage (function) is (normally) on the cloud. Encryption and authentication standards have long been set on how to interface with an offsite database.

Containers also have a dependency layer to reduce the code necessary to run the container. The libraries which the container code depends upon may be insecure or outdated. There are also coding standards to mitigate this risk.

What are the potential risks to the environment and infrastructure?

Container platforms are an evolution of the virtual machine. They are designed to be cloud-native and work in a virtualized environment.  But cloud computing is run on server clusters that may be based on various locations.

For example, public cloud servers are maintained by third-party companies and have their own policies that may operate differently from your desired configuration.

In fairness to them, having those “third-party” companies handle your cloud infrastructure is not necessarily a bad thing. Many of those companies are the biggest IT companies in the world such as Microsoft, Amazon, Google, Alibaba, IBM, Oracle, Salesforce, etc.   They run their own multi-billion dollar operations in those servers concurrently with yours. So you can expect them to take really good care of their infrastructure, and yours with it.

These big companies can afford the best technical talent, tools, and security teams in the world. It is a matter of you choosing the right vendor for your needs.

There is a risk of the environment changing outside your control. However, because containers are portable, expect minimum or zero impact on your system. It wouldn’t hurt to coordinate with their support channels to optimize your configurations in-line with their policies.

Integrating enterprise-level security in your containers

Containers are lightweight. By definition, that means they have fewer lines of code (as opposed to the millions of lines of code that behemoth systems of the past had). They rarely have internal cybersecurity checks.

That’s because container goals (speed, portability, and agility) are not aligned with security goals. It took a while before container-specific security tools were developed and matured.

We have gotten to a point where there are enterprise-level container-specific security tools available in the market to search and monitor for vulnerabilities of container-based systems.

Companies simply would have to use them and comply with the latest security standards, just like everyone else.

Why use secure containers?

It is a given to protect your system against hackers. You lock the door to your house, your car, some people lock their phones. Why not lock your business from people with malicious intent?

Containers are new, but the infrastructure that supports it isn’t. Security protocols are in place (and updated) to protect it. Now that enterprise-level tools, conventions, and standards are available to protect containers, it is mandatory for IT departments to use and maximize them.