UPDATED 00:34 EST / JULY 18 2016

NEWS

Gartner says container-based apps are “more secure”

Gartner Inc. is advising security-conscious organizations to switch to a container-based app delivery model, saying the technology is more secure than having apps running on a bare OS.

Writing in the Gartner Blog Network, analyst Jeorg Fritsch says that “Gartner asserts that applications deployed in containers are more secure than applications deployed on the bare OS”. He says this is the case because even if a container is somehow compromised, “they greatly limit the damage of a successful compromise because applications and users are isolated on a per-container basis so that they cannot compromise other containers or the host OS”.

Of course, Gartner admits containers are far from being tamper-proof. As Fristch acknowledges in his post, containers are burdened with “innate security properties that make them vulnerable to kernel privilege escalation attacks” which means they’re not necessarily “the right tool for high-risk-assurance isolation”.

Nonetheless, Fristch believes that organizations can take advantage of the benefits afforded by Linux containers if they follow a “container-first” approach and “deploy internet-exposed applications in Docker containers with best-practice security whether or not you do CI/CD/DevOps.”

Still, organizations need to understand that containers are not a magical security solution by themselves. Docker containers need to be done correctly to take advantage of the security benefits they offer, which means hardening the host Docker runs on, and taking advantage of third-party container security solutions from companies like Aqua Security, CloudPassage, Twistlock and Weave. It’s also necessary to master logical security zoning and network isolation, and also microservices routing so that the containers can talk to each other securely. Lastly, users will need to have a grip on kernel controls to make sure their containers have just the right level of access to the host’s kernel.

“In the Linux OS and in Linux containers, every system call is a direct interaction with the kernel,” Fritsch writes. He notes that this kernel is “the very same kernel that all segregation features depend on. System calls are a significant attack surface, where nothing must go wrong.”

In balance, Fritsch concludes that many organizations would be better off considering switching to containers, and not just because they’re fashionable.

Image credit: Ibelli via flickr.com

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU