Containers allow applications to be abstracted from the underlying infrastructure on which they run. They give developers a way to package applications into smaller chunks that can run on different servers, thereby making them easier to deploy, maintain, and update.
But securing containerized applications requires a somewhat different approach compared with securing traditional application environments. That's because they are a bit harder to scan for security vulnerabilities, the images on which they are built are often unverified, and standardization in the space is still evolving. Importantly, containers also can be spun up and down quickly, making them somewhat ephemeral in nature from a security standpoint.
"Even though container technology may be a new concept to companies deploying them, the idea behind them should be familiar," says Kirsten Newcomer, senior principal product manager, security at Red Hat.
Organizations need to think about security through the application stack both before deploying a container and throughout its life cycle. "While containers inherit many of the security features of Linux, there are some specific issues that need to be considered when it comes to the model," Newcomer says.
Following are eight items that need to be on any organization's security checklist when deploying containers.