Containers are revolutionizing the way that organizations deploy applications. These technologies are packages, notes Amazon Web Services (AWS), that enable teams to run applications and their code, configurations and dependencies in resource-isolated processes.

As such, they allow for reduced environmental dependencies, support for micro-services and horizontal scalability, among other advantages. Containers help solve some of the most common problems surrounding software development.

But these benefits come at a cost. Organizations don’t have much transparency into containers, for most of these software pieces are available only as part of packaged services. This level of opacity limits the enterprises’ audit-based capabilities and potentially exposes enterprises to additional risk from digital threats.

Adrian Lane, analyst and CTO at Securosis, says it’s therefore no wonder that infosec personnel are concerned about containers and their security:

“Containers scare the hell out of security pros because they are so opaque. The burden of securing containers falls across Development, Operations, and Security teams—but none of these groups always knows how to tackle their issues. Security and development teams may not even be fully aware of the security problems they face, as security is typically ignorant of the tools and technologies developers use, and developers don’t always know what risks to look for.”

To address those worries, organizations must take the security of their containers seriously. That means security teams can’t just stop at the containers themselves. They must extend security measures to the build, deployment and runtime environments, as well.

All of this is necessary given the ongoing evolution of DevOps systems. In the last few years alone, organizations have begun turning primarily to systems in order to deploy and manage apps at scale. This tendency, in turn, has made the security of the orchestration manager a primary security concern.

At the same time, more and (Read more...)