Red Hat: Communicate more to secure containers

Containers are changing the way organisations run IT today by offering an all-in-one approach to managing software with libraries, runtimes, code and tools all in one handy envelope, independent of hardware or software environment. But after a honeymoon period of rapid adoption that saw companies like Docker rise to prominence, more questions are being asked.

We swapped emails with Red Hat security strategist Josh Bressers on the subject.


Containers are seen as a hot technology. Why do you think uptake has been so sharp?
Containers solve real problems. I think anytime you see a new technology take off this quickly it's because it solves real problems in ways that make a significant difference in the lives of the developers, administrators, and users. The technology and idea behind containers isn't new, but with the emergence of DevOps and cloud it created an environment where container technology could give immediate returns.

You’ve pointed to a fairly scary number of vulnerabilities in containers. Why and how are those vulnerabilities occurring?
All software has bugs; some of those bugs are security issues. It's not that there are more security issues than ever, it's that we're finding them more quickly. Open source plays a significant part in this story. With open source software, which is now used in nearly every piece of software created, the bugs are very public and by definition can't be hidden. This means that security issues found in open source software are very public. I think this creates a perception gap that things are worse than ever when in reality this has always been the case.

These challenges apply to all software from IoT devices to major cloud deployments. Good security is timeless, as new technologies come and go we have to understand how to apply good security practices to everything we do.

If one of the main thrusts of the problem is containers needing root access does that make fixing the problem that much harder? Is there a workaround?
There are a number of technologies that exist today as well as new things coming. Regardless of technology though, the correct solution here is to build containers that do not require root. As I said before, good security is timeless, so rather than viewing containers as part of the problem or solution, they should be viewed as one of the many layers in a good security story. Security isn't one technology or one tool, it's many layers of technology and processes. Everything from what you put in the container, to how you build it, to how you run and update it are part of a much larger security story.

There is no shortage of container security tools so why does the gaping issue still exist?
There isn't a single tool that can solve all our problems. Container security is about the whole stack being part of the security story. This is one of the advantages Red Hat has, we are one of the only organizations that not only understands the low levels of the stack, we have substantial expertise around the higher levels as well as understanding the long term support and maintainability of a product.

There's clearly an appetite for containers so are you telling users to hold off? What should they do as best practice?
We certainly aren't; Red Hat has embraced containers wholeheartedly. We support them in Red Hat Enterprise Linux, we are involved in the Kubernetes project, and our OpenShift product uses containers as its primary delivery vehicle. Red Hat understands containers aren't the future, they are the present.

As for best practices, the single most important thing users need to understand is the content of their containers. Top considerations should be:

1) Where did this container come from? Was it a public registry where we can't easily understand who built it and how? Was it cryptographically signed by a trusted entity?

2) What is in this container? Does it contain content with known security issues? Can we trace the content back to a reputable supplier? Can we trace the content at all?

3) How do I update this container? Will it ever get updates? If there is a serious security issue with something in the container who will help me?

I've done some writing on this topic in the past here.

Essentially, find someone you can trust to work with on container content and security. When containers emerged everyone thought the operating system was dead. It turns out what's in those containers is more important than ever. Keeping those containers properly patched and tracked is not a trivial task.

Do SSL and VPNs have a role to play here?
I would group these technologies into the general "good security" category. Containers don't mean you can ignore these technologies, nor are they magic solutions to problems. They must be part of an overall security story.

Is the issue with container security just another example of the dev techies jumping ahead without getting infosec on board?
I think this question sums up some of our problems in the security industry. There is often a view that development and infosec aren't on the same team, when in reality everyone's goal is for the business to succeed at the end of the day. I don't think this is a technology problem, a dev problem, or even an infosec problem. This is a communication problem. If all groups aren't working together and properly communicating, nothing gets done. If the security team only ever says "no", they will be ignored. The more development and infosec collaborate on container security the better it will be. One of our next great challenges around security in general won't be technology, it's developing the soft skills needed for this new, more agile, containerized world.



Also read:

Port to (Data) Port: What Linux containers can learn from shipping containers


« Typical 24: Axel Pawlik, RIPE NCC


Druva sees starring role among backup clouds »
Martin Veitch

Martin Veitch is Contributing Editor for IDG Connect

  • twt
  • twt
  • Mail


Do you think your smartphone is making you a workaholic?