Advanced Computing in the Age of AI | Thursday, March 28, 2024

‘Can Containers Contain?’ Remains Top Security Issue 

Among the stumbling blocks to scaling application container technology are lingering concerns about security in production environments. Secure deployment of Docker and other container workloads in production was among the priorities of the Open Container Initiative launched in June.

"Security properties of containers are a largely unexplored field and there is a lot of controversial discussion about whether containers do contain or not," Joerg Fritsch, a Gartner research director, noted in a recent blog post. "At times it seems that the discussion is driven by (hidden) business agendas, partnerships and financial dependencies rather than by plain technology."

Fritsch concluded with a key rhetorical question: "Can you make your containers contain or not?"

With security issues front and center, a founding member of Open Container Initiative claimed Wednesday (July 29) it can "facilitate" secure deployment of container workloads in production. San Francisco-based Apcera Inc. touts its Hybrid Cloud Operating System as "bridging the development-production gap" by providing a platform that enforces security policies.

That approach, according to Jim Reno, Apcera's new chief security architect, "enables secure workloads and containers to run smoothly in enterprise production environments." The Apcera OS works by enforcing policies, the security feature that allows enterprises to apply business rules to workloads running in a cluster.

Reno, a former chief security architect at IT management software specialist CA Technologies, recently joined Apcera in an effort to beef up its container security efforts.

Apcera said its workload security approach includes: the ability to define and enforce security policies; control and secure workloads; orchestrate and scale workloads across hybrid clouds; and monitor specific Docker workload permissions while maintaining an audit trail.
The underlying "plumbing code" for Docker containers, a lightweight runtime called runC, also serves as one of the cornerstones of the Open Container Initiative. It was designed to allow Docker to interact with system features related to application containers. Proponents also note that runC was designed for security.

The runC runtime also aims to provide "support for platform specific features such as user namespaces on Linux for added security," according to recent progress report by the container initiative.

Meanwhile, Apcera said customizations features of its policy framework cover factors such as users, namespaces, workloads, clouds and services. In one use case, enforcement policies take into account that a specific Docker image may be allowed in a development environment, but prohibited in production. Hence, the staging process can be customized to weed out malware or other vulnerabilities, the company claimed.

Ultimately, container technology is about automating the process of distributing application across multiple platforms. But the push to "contain" sensitive business data in Docker and other containers trumps ease of use. That is why major backers of container technology like Goldman Sachs have pushed for a single, secure container standard.

With that in mind, Apcera CEO Derek Collison noted in a statement: "You can’t cut corners in security for the sake of automation. It’s essential that trust, policy and governance are the foundation of multi-cloud environments…."

About the author: George Leopold

George Leopold has written about science and technology for more than 30 years, focusing on electronics and aerospace technology. He previously served as executive editor of Electronic Engineering Times. Leopold is the author of "Calculated Risk: The Supersonic Life and Times of Gus Grissom" (Purdue University Press, 2016).

EnterpriseAI