Containers create potential security minefield for the CISO
Thu 4 Jun 2015
For a long time now I have written and spoken extensively about the need to look at security as a ‘building block’ in the architecture of new cloud projects. Twelve months ago I recorded a radio session with Dan Walsh of Red Hat about the idea that containers don’t actually contain, which he has queried with the Docker community.
Shortly after the recording I had the opportunity to question the same idea with the development leads at Docker.
A casual glance from a security professional would suggest that DockerHub is an unlocked toy shop on Christmas morning. Was it up to Docker to assure the validity of the images? Or did it fall to the vendor partner to build security controls and patch levels into the images, taking responsibility for any risks and exploits that might appear as CVE listings over the life of the image?
From the point of view of a security auditor, Docker’s answers seemed rather glib. The company has done a fantastic job of creating an ecosystem to promote growth and awareness, but developing long-term billable revenue could be more problematic unless crucial steps are taken to underpin a security framework for the lifecycle of the images on DockerHub. Considering the level of saturation that Docker has achieved, the answers to these concerns should have become very clear by now.
A study late last week from Banyan seems to lend credence to general concerns about Docker security. Whilst the methodology behind the article’s theories may be open to question, it’s hard to discount the evidence that there is much left undone in the security ambit of the Docker network.
The emergence of new tooling and automation technologies allow for increasingly rapid provisioning and ever-faster builds, but lack anything near to an appropriate level of security validation. Companies are currently rushing to push proofs-of-concept in the container space, casting a wide net for applications and services which are suitable for new micro-container architectures – and for those which are already adapted to the container space. But the more that this ‘gold rush’ takes hold, the more we are likely to see the continuing erosion across organisations of quality assurance and change controls.
It’s interesting to note that comparable projects such as Maven and OpenShift devote significant attention to the sanctity of the security lifecycle – a philosophy of seeding security as a baseline standard. This may seem arcane to some, but it’s just the kind of devotion to process that gets you to the finish line without pages of mitigation to pass on to your auditor – or that uncomfortable background paranoia that you’re going to get rooted down the line.
The views expressed on this blog are Richard’s personal views and do not reflect or represent the views of his employer, Red Hat.