A decade ago, when cloud was the latest disruptive technology, IT departments found they needed to rewrite the book on security. The old way of doing things -- protecting the perimeter of the local network or data center with firewalls and other security precautions -- wasn't enough anymore. The data center and the LAN had expanded to include VMs, applications, and data sitting outside the firewall, on cloud servers owned and operated by the likes of Amazon Web Services, Microsoft Azure, or Google Cloud Platform.
These days, the advent of containers is bringing about yet another rewriting of security rules, because containers bring more to the table than convenience and portability; they also bring their own set of new and unique security issues. Even more container security problems are introduced as DevOps increasingly adopts continuous integration and continuous delivery (CI/CD), which often pushes containerized software into production before it's properly vetted.
"With the increased growth and adoption of containers, security practitioners are feeling the pressure to speed their deployment," said Tim Erlin, VP of product management and strategy at the cybersecurity company Tripwire. "To keep up with the demand, teams are accepting unnecessary risks by not securing containers."
He was writing in the company's recently issued report on its State of Container Security survey. According to the report, if 40 IT people were put in a room, on average two of them would raise their hands if asked, "Who isn't worried about container security at all?"
Those two would be headed toward a rude awakening. Sixty percent of the respondents in the survey said they'd experienced at least one container security incident in the last year, with 6 percent having experienced 26-100.
Tripwire's survey included responses from 311 IT security pros managing environments with containers. Some were working with containers, but not deploying them in production. Of those who were pushing containers into production, the majority were deploying 100 or fewer. A small percentage said they were deploying more than 1,000.
While not surprising, the results of the survey are cause for concern. Forty-six percent are putting container security solely in the hands of their IT security teams, with 12 percent handing the responsibility to DevSecOps. Only 22 percent give security responsibility to DevOps. This is disturbing, especially in a world where more companies are adopting rapid deployment practices, in which software is containerized and pushed into production with little to no direct input from dedicated security staff.
"Security can and should be embedded into the DevOps life cycle, incorporating vulnerability and configuration assessment of container infrastructure to monitor risks from build to production," Erlin noted in the report.
IT departments seem to recognize the need to change their security models, however. Eighty-two percent said they had considered restructuring how they share security responsibilities. Of those, 21 percent indicated they had already reassigned security responsibility based on container adoption and 17 percent ticked the answer, "container adoption is one of the many changes that is making us re-think security."
The survey results seem to indicate that many IT departments are struggling to understand container security. In many cases, this is hindering container adoption, with 42 percent saying they're limiting container use due to perceived security risks.
Nearly a quarter said it would take them days to detect a container compromise. The good news is that nearly half thought they'd detect a compromise within hours, with 12 percent lowering that to minutes.
Most expect the rate of security-related incidents involving containers to increase in the coming year, with only 29 percent predicting either no change or a decrease in the number of containers hacked. When asked what they saw driving the increased risk, they cited the increased use of containers, especially in mission-critical systems, a belief that hackers attack new technologies when they're perceived as weak, and a lack of security best practices for containers.
Nearly everyone surveyed said they'd like to have additional security capabilities for container environments available to them. The wish list included incident detection and response, the ability to isolate containers that behave abnormally, security-focused monitoring (including the ability to monitor containers for drift or behavior changes), and artificial intelligence security analytics for containers.