The DevOps methodology gaining traction within many organisations is rapidly changing the way software is being developed and deployed. Yet, while it offers significant benefits, it's also creating some sizable challenges for IT security teams.
At its heart, DevOps is an approach to software development that focuses on making and deploying small, continuous improvements and feature additions. It integrates development with operations and requires tight coordination between the two formerly separate groups. This is replacing the more traditional waterfall methodology, in which development and operations worked separately and independently. The net result of DevOps is that small incremental changes are made constantly, rather than the infrequent but huge changes seen in the past.
The role of container technology in DevOps
One of the enabling technologies supporting the DevOps methodology is containerisation. Containers are rapidly gaining favour in growing numbers of IT teams. According to Gartner, “by 2022 more than 20 percent of enterprise primary storage capacity will be deployed to support container workloads, up from less than one percent today.” [Gartner source: “Docker Containers Will Impact Enterprise Storage Infrastructure” by Julia Palmer and Arun Chandrasekaran, published Feb. 8 2017]
While similar in purpose to traditional virtual machines (VMs), containers offer some benefits that VMs cannot. A container packages an application with its dependencies and isolates it using the host kernel's own facilities (on Linux, namespaces and cgroups) rather than a hypervisor and a guest operating system. This is why servers can be populated with different applications at densities 10 or even 100 times higher than is possible with VMs, so less hardware is required to run an equivalent workload, with the associated savings in CapEx, OpEx and energy. The same shared kernel is also the key security caveat: a kernel flaw reachable from one container affects every container on that host, whereas a VM boundary is enforced by the hypervisor.
Containers can also be run on virtually any computer, server or cloud platform that provides a compatible kernel (a Linux container image needs a Linux kernel, supplied by the host or by a lightweight VM), and can be shifted between different locations with ease. As a result, they are much more flexible and appealing to developers than traditional VMs. A container image houses everything the application needs at runtime, from code and system tools to libraries, but not the kernel itself.
Containers can also be spun up and shut down very rapidly. This suits elastic computing requirements, since new instances can be created and discarded as needed. As a result, many containers exist for mere hours before being discarded.
The security challenge
While they have a range of appealing characteristics, the rising usage of containers is also creating challenges for IT teams when it comes to security.
VMs are assessed using traditional vulnerability management technology. A container, however, cannot be scanned using legacy methods, because the things a traditional scanner relies on may not be present: a credentialed login or installed agent, network-exposed services to fingerprint, or even a complete operating system with a shell. Many containers also live too briefly for a scheduled network scan to ever see them. An additional serious risk arises when one considers the large number of pre-built container images available online from sources such as Docker Hub. While it's good to see developers take advantage of these pre-built images, the risks they carry, from vulnerable packages, poor configuration or outright malicious content, are still widely unknown and are inherited by every image built on top of them.
According to the Tenable 2017 Global Assurance Report Card, just 57 percent of responding IT security pros reported having confidence in their ability to properly assess security during the DevOps process. Furthermore, only 52 percent said they felt their organisations had a handle on how best to assess risks within container environments.
Traditional network and device-centric security and assessment models are not effective in an app-centric and containerised world, so new models must be considered. In addition to continuing to scan their organisation's IT infrastructure using traditional tools and approaches, IT teams must now also scan container images and web applications for vulnerabilities using different techniques.
To be effective, security needs to be integrated into the DevOps development cycle. Each container image must be tested for vulnerabilities and malicious content as it's built, before it's put into production, and continuously while it remains in production. This discipline must be tightly woven into the DevOps process from the beginning, and not implemented as an afterthought when it’s already too late.
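The two preceding points, that an image must be examined by reading its contents rather than by logging into it, and that the result must gate the build before the image reaches production, can be shown in a small scanner. The code below is an added example and is not from the original article or from any vendor tool. It assumes a Debian or Ubuntu based image whose package list lives in var/lib/dpkg/status inside the exported root (for instance after `docker export <container> | tar -x`), uses a constructed advisory list with placeholder identifiers rather than real CVEs, and uses a simplified version ordering rather than the full dpkg algorithm.

```python
"""Static inspection of a container image's package database (added example).

Nothing is executed inside the image: the exported filesystem is read, the
installed packages are listed, and each is compared with advisories. The
result feeds a CI gate that blocks promotion of the image.

Assumptions (not from the article): Debian-style dpkg status file; constructed
advisories with placeholder ids; simplified version comparison (no epochs,
no '~' handling), which a production scanner must replace.
"""
import re
from pathlib import Path

# Constructed sample of var/lib/dpkg/status as found in an exported image root.
SAMPLE_DPKG_STATUS = """\
Package: libssl1.1
Status: install ok installed
Version: 1.1.1d-0+deb10u3
Architecture: amd64

Package: curl
Status: deinstall ok config-files
Version: 7.64.0-4
Architecture: amd64

Package: bash
Status: install ok installed
Version: 5.0-4
Architecture: amd64
"""

# Constructed advisory records; the ids are placeholders, not real identifiers.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "libssl1.1", "fixed": "1.1.1d-0+deb10u5", "severity": "HIGH"},
    {"id": "EXAMPLE-0002", "package": "curl", "fixed": "7.64.0-5", "severity": "MEDIUM"},
    {"id": "EXAMPLE-0003", "package": "bash", "fixed": "5.0-3", "severity": "LOW"},
]


def parse_dpkg_status(text):
    """Return {package: version} for stanzas whose Status ends in 'installed'.

    Stanzas are separated by blank lines. Packages that were removed but left
    config files behind (Status 'deinstall ...') are not on the attack surface
    and are skipped.
    """
    installed = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines() if ": " in line)
        if fields.get("Status", "").endswith(" installed"):
            installed[fields["Package"]] = fields["Version"]
    return installed


def version_key(version):
    """Simplified ordering: digit runs compare numerically, other runs lexically.

    Assumption: adequate for the constructed sample. Real dpkg ordering also
    handles epochs and the '~' pre-release rule.
    """
    return [(0, int(tok)) if tok.isdigit() else (1, tok)
            for tok in re.findall(r"\d+|[^\d]+", version)]


def find_vulnerable(installed, advisories):
    """Report advisories whose package is installed at a version below the fix."""
    findings = []
    for adv in advisories:
        current = installed.get(adv["package"])
        if current is not None and version_key(current) < version_key(adv["fixed"]):
            findings.append({**adv, "installed": current})
    return findings


def build_gate_passes(findings, fail_on=("HIGH", "CRITICAL")):
    """CI gate: the image may be promoted only if no finding meets the threshold."""
    return not any(f["severity"] in fail_on for f in findings)


def scan_exported_root(root, advisories=SAMPLE_ADVISORIES):
    """Scan an exported image root on disk (output of `docker export ... | tar -x`)."""
    status = Path(root) / "var/lib/dpkg/status"
    return find_vulnerable(parse_dpkg_status(status.read_text()), advisories)


if __name__ == "__main__":
    found = find_vulnerable(parse_dpkg_status(SAMPLE_DPKG_STATUS), SAMPLE_ADVISORIES)
    for f in found:
        print(f"{f['id']} {f['package']} {f['installed']} < {f['fixed']} ({f['severity']})")
    print("gate:", "PASS" if build_gate_passes(found) else "FAIL")
```

Run against the constructed sample, only the libssl1.1 advisory matches, so the gate fails the build; curl is skipped because it is no longer installed, and bash is already past its fixed version. The same function can be pointed at a real exported root with scan_exported_root, and running it again on a schedule against images already in production is what the "continuously while it remains in production" step amounts to, since the advisory list changes even when the image does not.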
As container usage shows no sign of slowing, security teams must act now to ensure their IT environment remains secure. The first step is to educate teams on the challenges posed by containers and why existing security approaches are insufficient. Having that level of visibility and awareness of the security implications is crucial for understanding how to safely benefit from container technology, and for helping organisations understand their true level of exposure and cyber risk.