Containerization mitigates cybersecurity risks at your startup, like attacks and vulnerabilities, that remain even after implementing several security measures. For example, it limits the impact of command injection and post-exploitation attacks, such as privilege escalation or persistence. It also allows any software to run in a restrictive sandboxed environment, which isolates and executes untested or untrusted programs without risking harm to the host machine or operating system. Although containerization requires high technical abilities to implement, it can strengthen cybersecurity for startups.
Let’s explore what containerization can do for your startup and its security benefits. But first, let’s take a look at what containerization is.
This is the tenth of eleven articles describing security recommendations for startups. The previous one explains the difference between ethical hackers and cyber criminals as well as the benefits of penetration tests.
What is containerization?
Containerization packages software code together with the operating system (OS) components it depends on, such as libraries and dependencies, into an isolated unit called a “container.” A container is a lightweight executable that runs consistently on any infrastructure. Think of it as a freight container: you pack it with as many goods as necessary (libraries and dependencies) that belong to one specific vendor (operating system) and ship the container anywhere you want (infrastructure). In computing, containers are more portable and resource-efficient than virtual machines (VMs) while still isolating workloads from one another. Service containerization lets developers create and deploy applications faster and take advantage of orchestration tools. As a result, containers have become the de facto compute units of modern cloud-native applications.
Security benefits of containers
Container adoption lets startups unlock code-pipeline efficiency, build more resilient and agile applications, and create a scalable environment. Above all, containers add security by reducing vulnerabilities across multi-cloud environments and by allowing the DevOps team to shift left into DevSecOps.
Here are four ways secure containerization benefits cybersecurity for startups.
- Shift left to DevSecOps: Gives your startup a pathway to a secure code pipeline for continuous integration and delivery of container images. Without one, the DevOps team can rapidly scale or modify container images that carry unexamined security risks. Shifting left means discovering vulnerabilities earlier in the development process, where remediation is faster and cheaper than at later stages, and it prevents those vulnerabilities from being scaled out across multi-cloud environments. Because the DevSecOps team can adopt secure containerization and orchestration, it stays proactive in resolving security risks throughout the code pipeline.
- Application resilience: Provides cyber resilience and aids business continuity in the event of a failure. Secure containerization helps startups achieve the least disruption possible during an attack since a single failure will have minimal impact on performance of applications. DevOps can immediately roll back specific insecure containers from production if they detect security risks without interrupting operations.
- Responsive security: Facilitates agile security and removes the interdependencies between applications that lead to long-standing vulnerabilities. Isolated containers can be updated quickly without impacting the other microservices in an application, which matters given that 60% of data breaches were due to outdated security patches, according to a 2019 survey by the Ponemon Institute. Orchestration and automation therefore make agile container security and visibility possible throughout the application life cycle.
- Impose PID limits: Containerization allows tight process identifier (PID) controls, which hinder malicious activity. Each process in the kernel carries a unique PID, and containers use the Linux PID namespace to give every container its own view of the PID hierarchy. Putting limits on PIDs restricts the number of processes that can run in each container, which prevents excessive spawning of new processes and the lateral movement that may depend on it. Imposing PID limits also stops fork bombs and anomalous processes, and it mitigates activities such as reverse shells and remote code injection, or anything else that requires spawning a new process.
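The shift-left and PID-limit points above translate into checks a startup can run on its deployment definitions before anything reaches production. The following is an added example, not code from the original article: a small Python audit of a Docker Compose service definition. The Compose keys it inspects (pids_limit, privileged, cap_drop, cap_add, security_opt, user, read_only) are real Compose options; the two sample services, one weak and one hardened, are constructed for illustration.

```python
"""Shift-left audit of Docker Compose service definitions (constructed example).

Encodes the controls discussed in the article (a PID limit, no privileged
mode) plus a few closely related hardening keys. The Compose keys are real;
the sample services below are made up for illustration.
"""

RISKY_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "NET_ADMIN"}


def audit_compose_service(name, service):
    """Return a list of findings for one Compose service dict (empty = clean)."""
    findings = []

    # pids_limit caps the pids cgroup of the container, so fork bombs and
    # anything that must spawn many processes hit a ceiling instead of the host.
    pids_limit = service.get("pids_limit")
    if not isinstance(pids_limit, int) or pids_limit <= 0:
        findings.append(f"{name}: no pids_limit set (unbounded process spawning)")

    # privileged mode gives the container effectively every host capability and device.
    if service.get("privileged") is True:
        findings.append(f"{name}: runs privileged")

    # Drop every Linux capability by default, then add back only what is required.
    cap_drop = {c.upper() for c in service.get("cap_drop", [])}
    if "ALL" not in cap_drop:
        findings.append(f"{name}: cap_drop does not include ALL")
    risky = RISKY_CAPS & {c.upper() for c in service.get("cap_add", [])}
    if risky:
        findings.append(f"{name}: adds high-risk capabilities {sorted(risky)}")

    # no-new-privileges stops setuid binaries from gaining privileges inside the container.
    if "no-new-privileges:true" not in service.get("security_opt", []):
        findings.append(f"{name}: security_opt lacks no-new-privileges:true")

    # An unset user, "0" or "root" all mean the process runs as root.
    uid = str(service.get("user", "")).strip().split(":")[0]
    if uid in ("", "0", "root"):
        findings.append(f"{name}: runs as root")

    # A read-only root filesystem makes dropping a payload onto disk harder.
    if service.get("read_only") is not True:
        findings.append(f"{name}: root filesystem is writable")

    return findings


def audit_compose(compose):
    """Audit every service in a parsed Compose document; returns {service: findings}."""
    return {name: audit_compose_service(name, svc)
            for name, svc in compose.get("services", {}).items()}


# Constructed sample: one weak service and its hardened counterpart.
SAMPLE_COMPOSE = {
    "services": {
        "api-weak": {
            "image": "example.internal/api:1.4.2",   # placeholder image name
            "privileged": True,
            "cap_add": ["SYS_ADMIN"],
        },
        "api-hardened": {
            "image": "example.internal/api:1.4.2",
            "pids_limit": 128,
            "user": "10001:10001",
            "read_only": True,
            "cap_drop": ["ALL"],
            "cap_add": ["NET_BIND_SERVICE"],
            "security_opt": ["no-new-privileges:true"],
            "tmpfs": ["/tmp"],
        },
    }
}

if __name__ == "__main__":
    for svc, findings in audit_compose(SAMPLE_COMPOSE).items():
        print(f"{svc}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for finding in findings:
            print("  -", finding)
```

Run in a CI step against the parsed docker-compose.yml (for example with PyYAML's safe_load), a non-empty finding list fails the build, which is exactly the point of shifting left: the weak service above produces seven findings, the hardened one none.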
Technologies that support containerization
Containers are a great choice for startups that want to quickly scale their environment, build more resilient and agile applications, and have a secure code pipeline.
Below are the top 25 container technologies and tools, grouped by category, for consideration, according to TechBeacon.
Container engines
- Docker: The first and most popular container technology. Its open-source containerization engine works with many products and open-source tools.
- Docker Enterprise: This set of extensions adds features to Docker, and makes it possible for Docker to add commercial support. If your startup needs a support matrix to know which versions of what software are supported, Docker Enterprise might be for you.
- CRI-O: An incredibly lightweight, open-source reference implementation.
- rktlet: Has a set of supported tools and community to rival Docker.
- containerd: A project of the Cloud Native Computing Foundation. It has a CRI plugin that lets Kubernetes run containerd the same way it runs rktlet or CRI-O.
- Microsoft Containers: An alternative to Linux that supports Windows containers under specific circumstances. They generally run in a true VM and not in a cluster manager like Kubernetes.
Cluster management and deployment
- Kubernetes: It is an open-source cluster manager originally developed by Google that is the most popular for cluster management. Supported by Amazon’s AWS, Google’s Cloud Engine (GCE) and Microsoft’s Azure Container service, Kubernetes is relatively portable, which helps prevent vendor lock-in. It can also run on a private cloud like OpenStack.
- Istio and Envoy: Open-source service mesh technologies that add a layer to provide security and observability. They can encrypt traffic inside of the cluster while observing it. Developed by Lyft, Envoy was the first service mesh for Kubernetes. Istio includes Envoy, sits on top of it, and adds several plugins, dashboards, and other features to extend it.
- Apache Mesos: A tool for abstracting computing resources that can run both Docker and rkt images side by side in the same cluster.
- Docker Swarm: Docker’s free product for cluster management. It runs from the command line and does not support auto-scaling or load balancing natively. However, third-party extensions provide this functionality.
- Docker Datacenter: Designed as a drop-in replacement that lets you containerize your entire data center and includes commercial support. The tool has LDAP integration and a web-based dashboard with control panel, registry, monitoring, logging, and continuous integration. It adds the load balancing and scaling that Swarm is missing, and works with Docker Enterprise.
Storage
- BlockBridge: The “elastic storage platform” company that offers storage as a container using Docker, with support for Kubernetes, OpenStack, and software-defined secure storage.
- EMC / libstorage: A free and open code library that provides container storage.
Security
- Twistlock: Its vulnerability scanner addresses security risks from unpatched or outdated software in a container image by comparing images against a database of known threats. This is an automated audit against a database that is constantly updated. Other core features include more classic intrusion detection and regulatory compliance systems.
- Aqua Container Security: Focuses on the ability to create, monitor, and enforce policy for containers, along with integration with continuous integration (CI), running security checks on every build.
- StackRox: Co-founded by Sameer Bhalotra, a former security executive at Google and senior director for cybersecurity in the Executive Office of the President of the United States, StackRox provides Kubernetes cluster discovery. The software examines an entire cluster, comparing how the running containers behave compared to a company’s security policies. StackRox allows those policies to be documented and evaluated automatically in code.
- Aporeto: Encrypts every workload between containers, providing authentication and authorization. Aporeto also allows you to define security policies programmatically and enforces them.
Operating systems
- Alpine Linux: If you create a Docker image and do not specify an operating system, you’ll be using Alpine Linux. A great number of sample and test Docker containers use it.
- RancherOS: Containing only the Linux kernel and Docker itself, the system image fits into just 22MB of disk space. RancherOS eliminates systemd, the service management system built into most versions of Linux, instead starting the Docker Daemon itself as the init, or bootstrap, system.
- CoreOS Container Linux: Designed to work with CoreOS Linux tools and systems, and is preconfigured to run Linux containers.
- Ubuntu Core: A small, secure release designed for Internet of Things (IoT) devices and containers. It is designed to have high performance, a small footprint, and transactional updates, ensuring that updates that fail roll back successfully. You can also purchase support from Canonical.
- Red Hat Atomic Host: Startups that run Red Hat Enterprise and want to use containers will want to have their hosts run the Red Hat Atomic Host operating system. These tools will let you host Linux containers in a minimal version of Red Hat Enterprise Linux.
- Microsoft Nano Server: A small, remotely administered, command-line OS based on Windows Server 2016. It is designed to run solely as a container and brings native container capability to Windows Server. Windows 10 Pro and Enterprise are other Microsoft operating systems that can host Windows containers.
- VMware Photon: Weighing in at 220MB on disk, Photon is a larger container operating system than some others, even though it’s about one-hundredth the size of the latest version of Windows. This Linux container host is designed to integrate with VMware’s vSphere virtualization products.
Virtual machines (VMs) vs. containers
A virtual machine (VM), also known as a virtual server, virtual server instance, or virtual private server, is an emulation or virtualization of a physical computer system. It functions as a virtual computer with its own CPU, memory, network interface, and storage, created on a physical hardware system located on-premises or off-premises.
VMs enable teams to run what appear to be multiple machines, with multiple operating systems, on a single computer device. VMs interact with physical computers by using lightweight software layers called hypervisors. A hypervisor is a small layer that enables multiple operating systems to run alongside each other, sharing the same physical computing resources. Hypervisors can separate VMs from one another and allocate processors, memory, and storage among them.
A container is a standard unit of software that packages together everything needed to run a single application or microservice, including all of the libraries and dependencies required. As a result, applications or microservices can run quickly and reliably from one computing environment to another. Containers also do not use a hypervisor unlike a VM, allowing them to provide faster resource provisioning and speedier availability of new applications.
Containers are a lighter-weight, more agile way of handling virtualization.
They enable applications to run almost anywhere (a desktop computer, a traditional IT infrastructure or the cloud), and they use a form of operating system (OS) virtualization. In short, they leverage features of the host OS to isolate processes and to control those processes’ access to CPUs, memory and disk space.
Containerization and virtualization are similar because they both allow complete isolation of applications so that they can be operational in multiple environments. The main differences between them are their size and portability.
VMs are larger than containers, usually measured by the gigabyte, and contain their own OS allowing them to perform multiple resource-intensive functions simultaneously. The increased resources available to VMs gives them room to abstract, split, duplicate, and emulate entire servers, operating systems, desktops, databases, and networks.
Containers are much smaller, typically measured by the megabyte. They do not package anything larger than an application and its running environment. VMs work well with traditional, monolithic IT architecture or as separate purpose-specific workstations. Containers, on the other hand, are compatible with newer and emerging technology like clouds, CI/CD, and DevOps/DevSecOps. They also provide flexibility and portability that is perfect for multi-cloud environments.
Container security concerns
A few security threats specific to containers deserve attention. One of the biggest concerns is that containers share the host kernel rather than carrying their own, so they are not fully isolated from the host operating system (OS). That means a vulnerability in the host kernel/OS can potentially affect every container running on that host.
There are additional container security threats that include:
- Container malware: Malware can sneak into containers at multiple stages of the container lifecycle and get deployed within a container. First, a malicious attacker who compromises your CI/CD environment can insert malware into the source code repositories used for building container images. Second, malicious attackers can breach your container registry and replace container images with images that contain malware. Third, users can get tricked into downloading container images containing malware from external sources without realizing it. Consequently, malware that isn’t detected in a container before it launches will enter your runtime environment, leading to a number of security issues, such as collecting sensitive data from an application or disrupting other containers.
- Insecure container privileges: Security risks arise when containers are allowed to run with more privileges than they need (they should run in unprivileged mode instead). A container running in privileged mode can reach resources outside its containerized environment that it was never meant to control. Communication between containers should likewise be restricted unless the containers have a reason to talk to each other. Insecure privileges are usually the result of poor configuration in the container orchestrator.
- Containers with sensitive data: Containers are not supposed to store sensitive data. However, mistakes happen, and sometimes a startup or organization can mistakenly store sensitive data inside container images. For example, Vine’s entire source code was exposed when someone discovered a container registry that Vine thought was private. It turned out to be publicly accessible, and to Vine’s horror, they were hosting images that contained the source code.
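Two of the threats above, images swapped or poisoned in a registry and secrets baked into image layers, can be caught before an image is ever pulled or pushed. The following is an added example, not code from the original article: a Python check that parses image references the way Docker does (a first path component counts as a registry only if it contains a dot or colon or is “localhost”), requires every reference to come from an allow-listed registry and be pinned by sha256 digest, and scans a Dockerfile for secret-looking ENV values and copies of sensitive files. The allow-listed registry name, the digest value and the sample Dockerfile are all constructed for illustration.

```python
"""Image-provenance and image-content checks (constructed example).

Digest pinning means a tag that an attacker re-points in a compromised
registry no longer resolves to their image; layer scanning catches secrets
that would otherwise ship inside the image forever (deleting a file in a
later layer does not remove it from the earlier one).
"""
import re

ALLOWED_REGISTRIES = {"registry.example.internal"}  # constructed allow-list
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
SECRET_KEY_RE = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.I)
SENSITIVE_FILES = (".env", "id_rsa", ".pem", ".npmrc", ".git/", ".aws/")


def parse_image_ref(ref):
    """Split an image reference into (registry, repository, tag, digest)."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, _, rest = ref.partition("/")
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref          # bare names live on Docker Hub
    repo, tag = path, None
    if ":" in path.rsplit("/", 1)[-1]:             # tag sits after the last ':'
        repo, tag = path.rsplit(":", 1)
    return registry, repo, tag, digest


def check_image_ref(ref):
    """Return findings for one image reference (empty = acceptable)."""
    registry, _repo, tag, digest = parse_image_ref(ref)
    findings = []
    if registry not in ALLOWED_REGISTRIES:
        findings.append(f"{ref}: registry {registry!r} is not on the allow-list")
    if digest is None:
        findings.append(f"{ref}: not pinned by digest (tag {tag or 'latest'} can be re-pointed)")
    elif not DIGEST_RE.match(digest):
        findings.append(f"{ref}: malformed digest {digest!r}")
    return findings


def scan_dockerfile(text):
    """Return findings for a Dockerfile: unpinned/untrusted FROM, baked-in secrets, sensitive files."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, args = line.partition(" ")
        instr = instr.upper()
        if instr == "FROM":
            # skip flags such as --platform=...; the image is the first remaining token
            tokens = [t for t in args.split() if not t.startswith("--")]
            if tokens:
                findings.extend(f"line {lineno}: {f}" for f in check_image_ref(tokens[0]))
        elif instr == "ENV" and "=" in args and SECRET_KEY_RE.search(args.split("=", 1)[0]):
            findings.append(f"line {lineno}: ENV bakes a secret-looking value into the image")
        elif instr in ("COPY", "ADD") and any(s in args for s in SENSITIVE_FILES):
            findings.append(f"line {lineno}: {instr} places a sensitive file into a layer")
    return findings


# Constructed sample Dockerfile with the mistakes the article warns about.
SAMPLE_DOCKERFILE = """\
FROM python:3.12
ENV DB_PASSWORD=hunter2
COPY .env /app/.env
COPY src/ /app/src/
USER 10001
"""

if __name__ == "__main__":
    for finding in scan_dockerfile(SAMPLE_DOCKERFILE):
        print(finding)
```

The sample yields four findings: the base image is pulled from Docker Hub rather than the allow-listed registry, it is not digest-pinned, a database password is set with ENV, and a .env file is copied into a layer. The same check_image_ref function can be run over the image fields of a Compose file or Kubernetes manifest, so the registry policy is enforced at deploy time as well as at build time.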
Secure containerization lets startups build applications rapidly, scale them securely across multi-cloud environments, and mitigate security risks from the beginning of the software development lifecycle. It also provides cyber resilience and supports business continuity in the event of a failure. By shifting left within DevSecOps processes and securing the code pipeline, it guards against attacks such as malicious code injection, reverse shells, and other malicious processes, as well as vulnerabilities present in container images. Containers are more lightweight than VMs and are agile, portable, and cost-effective, which suits startups well, and many container technologies and tools are available to help implement secure containerization. In summary, secure containers are an effective way for startups to build and scale their applications quickly and securely.
This article is part of the series dedicated to the cybersecurity of startups. In the next one, you will find out what a canary token is and how to use it to boost your organization’s security.