Port to (Data) Port: What Linux containers can learn from shipping containers

The following is a contributed article by Josh Bressers, security strategist at Red Hat


The rise of Linux containers, those shiny, self-contained virtual boxes of application goodness, has brought to light one of the technology’s inherent challenges: It’s really, really hard to tell exactly what’s inside, let alone from where it came. Innovations around building and deploying containers have seemingly outpaced the IT industry’s capacity to secure, authenticate and verify container content, leading to development and operations teams desperately wanting to use container solutions, but security managers balking due to their “black box” nature.

The answer to this conundrum could come from an unlikely place: seaports, and more specifically, shipping containers. Much like Linux containers, shipping containers suffer from security and verification concerns, although instead of malware and vulnerabilities, it’s contraband, drugs, weapons and other unpleasantness that are the issues. The shipping industry has risen to meet these problems with innovative security scanners, trusted manifests and other techniques that can be mirrored, if not applied in whole, to the world of Linux container security. For both cargo and Linux containers, security isn’t someone else's problem, security is everyone’s problem.

So where do physical security and IT security intersect when it comes to containers?


It starts with trust

With both physical and IT security, the notion of “trust” forms the foundation of an effective strategy. In the shipping container world, the need for trust stems from the finite capacity to effectively examine cargo. This has led to frameworks for “chains of trust,” essentially an evaluation of a given shipper’s ability to secure the container lifecycle, from origin to delivery. For shippers that elect to certify that their facilities and cargo are safe (usually through an intense, upfront inspection process), their containers can typically be expedited through the security and scanning cycle.

Trust is also a critical aspect of digital container security. The most obvious counterpart to the chain of trust in the shipping world is digital signatures, which show that a container image has not been tampered with from creation to deployment. Keep in mind, though, that signing a Linux container doesn’t always equate with trust; there is not yet an easy way to prove/verify that the actual signer can be trusted, especially if they are outside of an organization.

While “trusted developer” programs have yet to mature, secure, certified Linux container registries exist today, offering validated and tested images for mission-critical deployment. However, it shouldn’t be a surprise to see more trusted programs develop, especially as the Linux container supply chain becomes more and more accessible to the mainstream enterprise, which will allow for faster consumption of containerized applications by the enterprise IT community.


Layers upon layers

In the physical world, shipping container security doesn’t just revolve around a fence or an X-ray machine; it’s about layering various security technologies, including access, scanning and intelligence, into a cohesive strategy. This approach is slowly developing in the world of Linux containers as well, although the proliferation and general ease of acquisition of containerized applications makes layering security a bit more daunting than in the physical world, but no less important.

This doesn’t mean that enterprises should not pursue layered security for Linux container deployments; it should simply be looked at as an evolving process to meet simultaneously changing needs. The emergence of deep container inspection (DCI) and other scanning technologies will help add to a growing set of Linux container security tools that includes Security Enhanced Linux (SELinux), automated content scanners like OpenSCAP and vulnerability repositories. Combining these disparate processes gives enterprise IT an inspection platform that could resemble its physical counterpart at seaports, capabilities-wise, but the integration is lagging behind demand for adoption and deployment.

In the meantime…


What’s your risk?

Going hand in hand with trust and layered security is the concept of risk, and it’s something that can be addressed without wholesale investments in new technology. In the physical container world, risk is a combination of what the cargo is, where it’s coming from and who’s transporting it. This same equation needs to be asked of enterprise IT when it comes to containers, starting with:

  • Why am I doing this and should I consider risk?
  • Where is this container coming from?
  • Who made this container?
  • What’s in the container?

The last piece is critically important for container adoption, but is lacking in the current ecosystem. Unlike with their physical counterparts, establishing a true manifest of what’s inside a Linux container is trickier than it sounds. While open source by default, Linux containers aren’t readily transparent, making a clear, verified code manifest a necessity to help enable secure operations, just as a manifest on a trusted shipping container helps vet its contents.

It shouldn’t be a surprise that physical containers are well ahead of their digital counterparts - after all, they have quite a head start. Many of the lessons learned are due to both failures and errors, and no secure system happens without a long-term commitment and constant vigilance. By mirroring some of the best practices of their shipping world counterparts, Linux containers may reach a similar ubiquitous nature in the data shipping lanes.

