10 Oct Micro Services, Containers and Serverless PaaS Web Apps? How safe are you? – AISA 2018 presentation
As containers continue their march into the IT mainstream, like most new technologies, they hold great prospects for improvements in efficiency, scalability and security. However, poor implementation practice generally lets the organisation down, and container technology is no different.
Containers, by name, have the primary objective of keeping things (processes) contained. And while the innate nature of the container (smaller footprint, lightweight, discrete services etc.) should by default deliver a more isolation-centric compute environment, a lack of attention to detail in the service delivery lifecycle (SDL) can result in an insecure implementation where the containers do not deliver isolation. This creates an opportunity for an attacker to exploit the weakness, traverse the environment and ultimately perform a high impact attack (think data breach and hacker persistence in the DevOps chain).
Containers are designed to virtualise a single application, hence the speed. You can run multiple containerised apps on a single common OS kernel. For containers, the entire “boot” process that a normal virtual machine goes through is essentially skipped; only the last steps, where the root filesystem is loaded and a shell is launched, happen. More precisely, the container environment is “started rather than booted”.
While containerisation focuses on abstraction of the app from the OS (generally a lower layer of abstraction), modern app development itself has tended towards higher levels of abstraction. Given the speed at which apps need to be delivered, developers leverage frameworks and development environments that offer a higher level of abstraction, making it easier to develop without coding to cater for the lower levels of the stack (the framework takes care of that).
Containerisation is on the rise and many decision makers are starting to implement it within their organisation. For more information, see our COO Murray Goldschmidt’s presentation from the AISA National Conference on Container Security.