Containers — virtualized applications that are key to DevOps — are maturing as critical parts of enterprise application infrastructures. And even though security strategies are maturing, organizations are still struggling to have security keep up with the other facets of container deployment.
A new report, sponsored by StackRox and based on research by AimPoint Group, shows that more than a third of companies haven't begun to implement a container security policy yet. While 15% say their company is in the planning stage with its container security strategy, 19% say that they haven't even gotten that far.
Part of the problem, says StackRox CEO Kamal Shah, is the complexity of the environment into which containers are being deployed. While many people look at containers as a technology for the cloud, Shah says, "We found that 70% are running containers on-prem and 53% are running in hybrid mode, which means running it on-premises as well as on one of the public cloud platforms."
Companies are turning to containers because the speed of deployment in containers is critical for organizations that are implementing agile or DevOps disciplines. And studies by other researchers show that some container practices, such as downloading and reusing popular pre-existing application images, don't insulate a company from security issues.
Jerry Gamblin, principal security engineer at Kenna Security, scanned the 1,000 most popular application images and found that over 60% of the top Docker files held a vulnerability with at least a moderate risk score, and over 20% of the files contained at least one vulnerability that would be considered high risk. [Note: A container is a virtualized application running on a system. An image is the file containing that application and its configuration files before it is launched.]
When looking at the source of vulnerabilities, the StackRox report says that poor deployment is the principal problem. According to the report, 60% of executives say that misconfigurations create the greatest security risks.
"The challenge in this new world is that there are a lot of options, a lot of controls that you have to configure, and there are a lot of configuration options," Shah says. "On top of that, what makes matters worse is that a lot of the controls that exist are not enabled by default."
Those controls are important because 43% of respondents say that runtime is the phase of the container life cycle that worries them the most. Though the report indicates that fixing issues is most cost-effective in building or deployment phases, the lack of a container security strategy hinders many companies in making those fixes.
Procedures and tools are available for better container security, if companies will employ them. Researchers at Alcide conducted surveys of best container practices and found that a handful of processes can make a huge difference in container security. Those best practices include familiar items like regular software updates and secure access, as well as container-specific practices, including namespace isolation (keeping containers completely separate from one another) and automated tools for scanning and setting container configurations.