关注微信公众号
第一手干货与资讯
加入官方微信群
获取免费技术支持
Each time a new software technology arrives on the scene, InfoSec teams can get a little anxious. And why shouldn’t they? Their job is to assess and mitigate risk – and new software introduces unknown variables that equate to additional risk for the enterprise. It’s a tough job to make judgments about new, evolving, and complex technologies; that these teams approach unknown, new technologies with skepticism should be appreciated. This article is an appeal to the InfoSec people of the world to be optimistic when it comes to containers, as containers come with some inherent security advantages: Immutability In a typical production environment, you have a number of things managing state on your servers. These include system imaging, configuration management (CM), and deployment tools. The end state of the system is very dynamic (particularly with CM tools), with libraries and packages determined based on various runtime variables. Here’s some examples of when this can be problematic:
This is where containers offer an extra benefit. Because of the immutable nature of a container image, I can know the state of my runtime before it’s deployed. This provides me with a single point to inspect and reason about the state of runtime, rather than constantly taking inventory of every runtime deployed in my system. It’s much easier to scan images once during the build process for known CVEs and other vulnerabilities, and to catch risks before deployed. Isolation With containers, the Linux kernel has been engineered to provide isolation between the containers on a host. It allows each process to have a different runtime than its neighbor. For InfoSec, this reduces the abilities of an attack vector to affect other parts of the system if an application is compromised. While this compartmentalization isn’t airtight, no security mechanism truly is. Easy adoption for developers and application teams And finally another reason this should appeal to InfoSec is that you can get all the above benefits much more easily than security-only tools because of the shared advantages to developers and application teams. No security group operates in a vacuum and even the most security minded org needs to balance control with productivity. But when your solution satisfies both, you have very little resistance toadoption and justifying the resources required. As much as this sounds like a paradox that shouldn’t exist, you can to some degree have both increased agility and security with containers. Conclusion I hope that these points have encouraged you to further explore and see for yourself how containers can benefit security in your organization, if only to start an internal conversation on using them in production. As always, the Rancher team is here to help along with your container journey – reach out to us on Twitter @Rancher_Labs
William Jimenez is a Solutions Architect at Rancher Labs.