Container Sprawl: The Next Great Security Challenge
Published 11/18/2016
By Jon King, Security Technologist and Principal Engineer, Intel Security
And you thought virtualization was tough on security …
Containers, the younger and smaller siblings of virtualization, are more active and growing faster than a litter of puppies. Recent stats for one vendor show containers now running on 10% of hosts, up from 2% 18 months ago. Adoption is skewed toward larger organizations running more than 100 hosts. And the number of running containers is expected to increase by a factor of 5 in nine months, with few signs of slowing. Once companies go in, they go all in. The number of containers per host is increasing, with 25% of companies running 10 or more containers simultaneously on one system. Containers also live for only one-sixth the time of virtual machines. These stats would appear to support the assertion that containers are not simply a replacement for server virtualization, but the next step in granular resource allocation.
Adequately protecting the large number of containers could require another level of security resources and capabilities. To better understand the scope of the problem, think of your containers as assets. How well are you managing your physical server assets? How quickly do you update details when a machine is repaired or replaced? Now multiply that by 5 to 10 units, and reduce the turnover rate to a couple of days. If your current asset management system is just keeping up with the state of physical machines, patches, and apps, containers are going to overwhelm it.
Asset management addresses the initial state of your containers, but these are highly mobile and flexible assets. You need to be able to see where your containers are, what they are doing, and what data they are operating on. Then you need sufficient controls to apply policies and constraints to each container as they spin up, move around, and shut down. It is increasingly important to be able to control your data movements within virtual environments, including where it can go, encrypting it in transit, and logging access for compliance audits.
While the containers themselves have an inherent level of security and isolation, the large number of containers and their network of connections to other resources increase the attack surface. Interprocess communications have been exploited in other environments, so they should be monitored for unusual behavior, such as destinations, traffic volume, or inappropriate encryption.
One of the great things about containers, from a security perspective, is the large amount of information you can get from each one for security monitoring. This is also a significant challenge, as the volume will quickly overwhelm the security team. Security information and event management (SIEM) tools are necessary to find the patterns and correlations that may be indicators of attack, and compare them with real-time situational awareness and global threat intelligence.
Containers provide the next level of resource allocation and efficiency, and in many ways deliver greater isolation than virtual machines. However, if you are not prepared for the significant increase in numbers, connections, and events, your team will quickly be overwhelmed. Make sure that, as you take the steps to deploy containers within your data center, you also appropriately augment and equip your security team.