Top 5 container mistakes that cause security problems

As enterprises increase their adoption of containers, they are also increasing the number of security mistakes they make with the technology.


Given that many companies are still wrapping their arms around the potential of container technology and how to best leverage it, there is still a lot of experimentation with containers. 

Developers are working in their own sandboxes, setting them up on their laptops and then putting them into production. The issue, though, is that if containers are done without security measures in mind, you may not have the agility you want with the right controls.

As a result, unknown content can end up in containers, even with today's growing market of container tooling. Kirsten Newcomer, security strategist at Red Hat, says before putting containers into production, you need to ask, "What’s the right process to manage this? How do I make sure things are controlled and managed as I would any other application?"

"You need to systematize the use of containers so that you can have the agility you want with the appropriate controls. It's up to security to partner with the lines of business to improve their security programs and agility," Newcomer said.

Containers allow you to package up and deploy everything in different environments. But companies must ensure they establish a solid foundation for security as they continue to identify strategies and workloads that make sense on a container platform, Newcomer said.

5 container mistakes to avoid

While working independently is an important skill, your containers also have to be able to play well with others. Here are five of what Newcomer calls the biggest container mistakes to avoid, particularly when playing in your own sandbox. 

  • Strong security is not always a priority. Securing containers means also securing the platform on which they are deployed. Containers are a nicely packaged process to deploy in a variety of places, but you need to secure the process because it is running on the platform where it is deployed. Some operating systems have done more work to enhance their ability to directly work with containers.
  • Focusing only on what is inside the container. Too often developers focus on securing what is inside the containers rather than the containers themselves. Tools help determine what is inside the container, but in addition to that, you want to evaluate attack vectors when deploying containers on an operating system, as well as security measures and protections for running on the OS. 
  • Running containers as privileged. It's been a long-standing best practice in security that you don't want processes to run with privileges they don't need. Put processes and policies of least privilege in place, as there is no reason for apps and containers to run as root.
  • Failing to integrate containers into a continuous security loop. This includes image provenance, patching, security scanning and policy-based monitoring. Developers love the control they get over the deployed environment, but operations and security have concerns about how that environment is controlled. Build security tools that check for known vulnerabilities and integrate them into the CI process. Then automate as much as possible to check whether the images have newly discovered vulnerabilities.
  • Neglecting to align enterprise security needs with container security goals. Digital businesses need to be able to update quickly. They need to be agile and responsive and have added capabilities to be able to respond to newly discovered vulnerabilities. Containers work with software-defined networking (SDN). SDN provides a unified cluster network that enables communication to the containers that should be talking to each other, but it also isolates those that should not be talking to each other.
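For the "running containers as privileged" and "policy-based monitoring" points above, here is an added Python example (not code from the article or from Red Hat) that audits a Kubernetes Pod manifest for the settings that mistake produces: privileged mode, running as root, and privilege escalation left enabled. It assumes the JSON shape that `kubectl get pod -o json` returns; the two sample manifests are constructed for the example.

```python
import json
# Assumes the JSON shape returned by `kubectl get pod <name> -o json`.

def container_findings(container: dict, pod_sc: dict) -> list:
    """Return least-privilege violations for one container."""
    sc = container.get("securityContext", {})
    name = container["name"]

    def effective(key):  # container-level setting overrides the pod-level one
        return sc.get(key, pod_sc.get(key))

    findings = []
    if sc.get("privileged"):
        findings.append(f"{name}: privileged=true (unrestricted host access)")
    run_as_user = effective("runAsUser")
    if run_as_user == 0 or (run_as_user is None and not effective("runAsNonRoot")):
        findings.append(f"{name}: may run as root (set runAsNonRoot/runAsUser)")
    if sc.get("allowPrivilegeEscalation", True):  # Kubernetes default is true
        findings.append(f"{name}: allowPrivilegeEscalation is not false")
    for cap in sc.get("capabilities", {}).get("add", []):
        findings.append(f"{name}: adds capability {cap}")
    return findings

def audit_pod(manifest_json: str) -> list:
    """Audit every container (init containers included) in a Pod manifest."""
    spec = json.loads(manifest_json)["spec"]
    pod_sc = spec.get("securityContext", {})
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        findings.extend(container_findings(c, pod_sc))
    return findings

# Constructed sample manifests (not real workloads): the "works on my laptop"
# pod beside the same pod with least-privilege settings applied.
WEAK_POD = json.dumps({"spec": {"containers": [{
    "name": "app", "image": "example/app:1.0",
    "securityContext": {"privileged": True}}]}})
HARDENED_POD = json.dumps({"spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
    "containers": [{
        "name": "app", "image": "example/app:1.0",
        "securityContext": {"allowPrivilegeEscalation": False,
                            "capabilities": {"drop": ["ALL"]}}}]}})

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, audit_pod(pod) or ["no findings"])
```

Running the same check in CI against rendered manifests, and periodically against the live cluster, is one concrete form of the policy-based monitoring the list calls for.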