Enhanced security through containerisation

Containerisation is now an additional tool in the security arsenal which may enhance the protection of many applications and sensitive data.

Containerisation and virtualisation both entail the encapsulation of an application in its own operating system environment. However, whereas a container shares the operating system with its host, a virtual environment incorporates its own operating system. Containerisation is a form of fast, lightweight virtualisation (smaller file size, fewer resources consumed, and faster provisioning). This is why containerisation is sometimes referred to as operating system virtualisation. Both containerisation and virtualisation share the host’s kernel components, which opens vulnerabilities.

Applications running within a container require all the resources they need to be inside the container (dependencies, libraries, configuration files, and all other related files). There are different ways of creating containers, and they vary in how complex they are to provision. Using the Windows operating system to provision a new user or a new desktop is a low-overhead, easily provisioned method. Docker containers were originally developed for Linux, and there are now Windows versions as well. Docker containers share the host operating system. Windows Defender Application Guard creates single-purpose containers for running untrusted websites, isolating potential threats from the website from other applications and the rest of the operating system. The method chosen for creating the container should be appropriate to the situation.

An application running inside a container has no access to applications or environment settings outside the container (i.e. both those on the host operating system as well as those in another container), and likewise, applications outside the container cannot access applications inside. This provides two-way security benefits as applications within a container have a degree of isolation from malicious applications residing on the host or in other containers, and any malicious code inside the container is isolated from outside. Security benefits of containers include:

  • Containers enable control over the environment in which an application executes. A newly-created container is clean of any malware, and the environment can be established in the most secure manner. This narrows the attack surface: only the minimum services can be included in the container.
  • Container environments are consistent, predictable and replicable. Security vulnerabilities can be defined and restricted.
  • The container exists for the required time only, and is destroyed when no longer required, leaving no trace. When the container is destroyed, all applications within it cease execution.
  • Environmental parity of containerisation enables laboratory testing to be extended to real-world situations with higher levels of confidence.

However, containerisation security can potentially be compromised. It is very important that applications involving sensitive data within a container are bolstered with security measures in addition to those built into the container itself. Without additional security measures, containers can be vulnerable to:

  • Malicious applications which are able to gain permissions to execute inside the container.
  • Malicious applications which can gain access to applications and/or data within the container through the kernel (kernel-level key loggers or screen capture, for example).

Docker containers may face additional security threats: network traffic between containers is allowed by default, and an attacker who has gained access to one container may be able to reach other containers on the same host.
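To check the default described above, the following added example (not part of the original article) audits output shaped like `docker network inspect` and reports bridge networks where containers can reach one another. The option name is Docker's bridge-driver setting for inter-container communication; the network and container names are constructed sample data.

```python
import json
from itertools import combinations

# Docker bridge-driver option controlling inter-container communication (ICC).
ICC_OPTION = "com.docker.network.bridge.enable_icc"

# Constructed sample shaped like `docker network inspect` output (not real data).
SAMPLE = json.loads("""
[
 {"Name": "bridge", "Driver": "bridge",
  "Options": {"com.docker.network.bridge.enable_icc": "true"},
  "Containers": {"c1": {"Name": "web"}, "c2": {"Name": "db"}}},
 {"Name": "appnet", "Driver": "bridge", "Options": {},
  "Containers": {"c3": {"Name": "worker"}, "c4": {"Name": "cache"}}},
 {"Name": "isolated", "Driver": "bridge",
  "Options": {"com.docker.network.bridge.enable_icc": "false"},
  "Containers": {"c5": {"Name": "api"}, "c6": {"Name": "vault"}}},
 {"Name": "host", "Driver": "host", "Options": {}, "Containers": {}}
]
""")


def icc_enabled(network):
    """Traffic between containers is allowed unless the option is set to "false"."""
    options = network.get("Options") or {}
    return str(options.get(ICC_OPTION, "true")).lower() != "false"


def audit(networks):
    """Return bridge networks where two or more containers can reach each other."""
    findings = []
    for net in networks:
        if net.get("Driver") != "bridge":
            continue
        names = sorted(c["Name"] for c in (net.get("Containers") or {}).values())
        if icc_enabled(net) and len(names) >= 2:
            findings.append({"network": net["Name"],
                             "pairs": list(combinations(names, 2))})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        for a, b in finding["pairs"]:
            print(f"{finding['network']}: {a} <-> {b} not isolated from each other")
```

On a real host, the same JSON comes from `docker network inspect $(docker network ls -q)`; an absent option is treated as enabled because that is the default.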

It is most important that containerised applications processing sensitive data mitigate the security threats inherent in containerisation by using specific techniques to at least prevent malicious applications from running within the container, as well as guarding against kernel-level attacks on data such as key logging.
