Contain your Containers: The art of container security

October 25, 2016

Contain your Containers: The art of container security

The other day, instead of going out for lunch, I attended a presentation on securing containers. Containers? Containers are a new grouping mechanism as part of the software development process.

When I was learned how to program in college in the 1980's, programming was all about memory and CPU cycles. Programs executed on a mainframe and security issues were handled by the operating system. The goal for the programmer was to write code that used as little memory as possible, could be compiled into as few machine instructions as possible, and could be easily understood by other programmers who may need to maintain or enhance the code.
In the 1990's, along came the PC — the personal computer. Unlike a mainframe that was a shared resource, computer programs were running on a device that was just for one person — like a toothbrush. The programmer's job became even more challenging in terms of memory usage (Does anyone even remember 640K?) and CPU utilization in that the first PCs had limited capacity as compared to their mainframe predecessors.
Now programmers write code for cloud-based services. These programs run on servers that handle millions of requests for millions of users. The job still involves writing readable code that can be understood by colleagues and executed efficiently, but it also involves coming up with software architectures suited to the task. It's like defining your own personal computer specific to each application. This is where containers come in.

Divyashree Joshi is an Information Security Engineer who specializes in security forensics. Omkar Nimbalkar is an Information Security Engineer who focuses on cloud security. Their lunchtime presentation was entitled "Contain your Containers: The Art of Container Security." Here are some nuggets that I took away from the presentation.

The physical container that we all know and love is an object that can be used to hold or transport something. There are small ones, e.g., Tupperware, and large ones, e.g., shipping containers. For the purposes of software development, a container is a set of processes running on top of a common kernel. The common kernel is often the operating system (e.g., Linux, Windows) that came with the computer.
When setting up their software architectures, developers have to decide between virtual machines and containers. A virtual machine is an application environment that imitates dedicated hardware. The application runs on a virtual machine as it would on dedicated hardware. The beauty of virtual machines is that, unlike The Highlander^*, there can be more than one of them on the same physical computer.

So when having to decide, a programmer considers:

Virtual Machines	Containers
includes the application	comprises just the application and its dependencies
necessary binaries and libraries	sharing the kernel with other containers
entire guest operating system	more portable and efficient
heavyweight	lightweight
stronger isolation	weaker isolation

So the trick is to get the efficiency (lightweight) but maintain the security (stronger isolation).

When developing code, to get the security typically offered by virtual machines and the efficiency offered by containers, our developers:
- Applications
  - Limit system calls to only those that are absolutely necessary.
  - Run strong kernels that include security provisions.
  - Update kernels often to make sure the latest security patches are in place.
  - Use namespaces to ensure that applications only access information that is within their intended scope.
- System Services
  - Avoid running code as the "root" system user.
  - Isolate sensitive services so that they are consistently protected.
  - Put controls in place to prevent unauthorized access.
- Kernel
  - Run code with absolute privileges — specifically exactly what is needed for the job and no more.
  - Give each container its own kernel and hardware.

There were many programmers in attendance. Sharing best practices is one way we continue to ensure that our cloud offerings maintain the security that our customers expect.

Containers are alive in the lab.

Posted by Scott Sheppard at 04:00 AM in People | Permalink

Tags: #AutodeskLabs, Autodesk Labs

Comments

The other day, instead of going out for lunch, I attended a presentation on securing containers. Containers? Containers are a new grouping mechanism as part of the software development process.

When I was learned how to program in college in the 1980's, programming was all about memory and CPU cycles. Programs executed on a mainframe and security issues were handled by the operating system. The goal for the programmer was to write code that used as little memory as possible, could be compiled into as few machine instructions as possible, and could be easily understood by other programmers who may need to maintain or enhance the code.
In the 1990's, along came the PC — the personal computer. Unlike a mainframe that was a shared resource, computer programs were running on a device that was just for one person — like a toothbrush. The programmer's job became even more challenging in terms of memory usage (Does anyone even remember 640K?) and CPU utilization in that the first PCs had limited capacity as compared to their mainframe predecessors.
Now programmers write code for cloud-based services. These programs run on servers that handle millions of requests for millions of users. The job still involves writing readable code that can be understood by colleagues and executed efficiently, but it also involves coming up with software architectures suited to the task. It's like defining your own personal computer specific to each application. This is where containers come in.

The physical container that we all know and love is an object that can be used to hold or transport something. There are small ones, e.g., Tupperware, and large ones, e.g., shipping containers. For the purposes of software development, a container is a set of processes running on top of a common kernel. The common kernel is often the operating system (e.g., Linux, Windows) that came with the computer.
When setting up their software architectures, developers have to decide between virtual machines and containers. A virtual machine is an application environment that imitates dedicated hardware. The application runs on a virtual machine as it would on dedicated hardware. The beauty of virtual machines is that, unlike The Highlander^*, there can be more than one of them on the same physical computer.

So when having to decide, a programmer considers:

Virtual Machines	Containers
includes the application	comprises just the application and its dependencies
necessary binaries and libraries	sharing the kernel with other containers
entire guest operating system	more portable and efficient
heavyweight	lightweight
stronger isolation	weaker isolation

So the trick is to get the efficiency (lightweight) but maintain the security (stronger isolation).

When developing code, to get the security typically offered by virtual machines and the efficiency offered by containers, our developers:
- Applications
  - Limit system calls to only those that are absolutely necessary.
  - Run strong kernels that include security provisions.
  - Update kernels often to make sure the latest security patches are in place.
  - Use namespaces to ensure that applications only access information that is within their intended scope.
- System Services
  - Avoid running code as the "root" system user.
  - Isolate sensitive services so that they are consistently protected.
  - Put controls in place to prevent unauthorized access.
- Kernel
  - Run code with absolute privileges — specifically exactly what is needed for the job and no more.
  - Give each container its own kernel and hardware.

There were many programmers in attendance. Sharing best practices is one way we continue to ensure that our cloud offerings maintain the security that our customers expect.

Containers are alive in the lab.