Advantages of Application Containerization: Practitioner Considerations
SECOND IN A WHITE PAPER SERIES FROM ISACA
ABSTRACT
Enterprises are rapidly adopting application containers, and the reasons are clear.
Containers allow data centers to deploy business applications more rapidly, with reduced
development overhead, lower costs, more efficient use of resources and increased
business agility. However, potential risk areas also arise as a result of using containers
in certain scenarios. To make proper risk management decisions, practitioners must
evaluate business value and risk holistically, which includes understanding both the risk
and business value for application containerization. In the second installment in this white
paper series, we examine the issues for practitioners managing this innovation. In the
previous installment in this white paper series, we looked at the factors contributing
to the popularity of this innovation.
Like other technologies, a near-infinite array of potential context-specific scenarios exists in which containers can potentially
impact business processes. Making a determination about
these scenarios, though, is business-specific. To evaluate the
potential risk/value trade-off for a situation, practitioners need to
understand their own business well enough to understand value
generation in a given situation. They also need to understand
their enterprise threat context well enough to understand the
potential threats that might arise.
BUSINESS IMPACT OF CONTAINERIZATION
In many areas of business, enterprises are undergoing a
transformation as a result of container technology. The
adoption of containers is rapidly on the rise. For example, the
recent State of Containers and the Docker Ecosystem 2015
report from Ruxit and O'Reilly Media found that 93 percent of
respondents are already using, or plan to use, containers for
development. Moreover, 53 percent of respondents plan to
adopt containers in production within the next year.
Business Value
1 Walsh, Daniel J.; Are Docker containers really secure?, 22 July 2014, https://opensource.com/business/14/7/docker-security-selinux
2 Ibid.
KERNEL EXPLOITS
Unlike in a VM, the kernel is shared among all containers and
the host, magnifying the importance of any vulnerability that is
present in the kernel. If a container causes a kernel panic, it will
take down the whole host. In VMs, the situation is much better:
an attacker would have to route an attack through both the VM
kernel and the hypervisor before being able to touch the host
kernel. For example, rootkits3 that operate at the kernel level
can pose a critical threat.
CONTAINER BREAKOUTS
An attacker who gains access to a container should not
be able to gain access to other containers or the host. It is
imperative that end users understand the security model of the
environment they are working within; they should, for example,
consider potential privilege escalation attacks, for example, a
bug in application code running with root privileges. For most
organizations, the software running within the container will be
code written by them; however, in a multitenant environment,
or in the situation where an organization is running software
not directly created by them, they should be alert to potential
attacks against the isolation features and plan accordingly.
PRACTITIONER CONSIDERATIONS
For practitioners in the field, some by-discipline considerations
that are associated with the use of containers are important to
consider. This section outlines some of the considerations for
the security, assurance and governance disciplines.
Security
From a security point of view, the use of containers can be
a valuable tool in the practitioner's toolbox and/or a potential
source of risk.
Potential positive security benefit can be associated with the
adoption of containers. There are a few ways in which this is
possible; notably:
Immutability of infrastructure
Application hardening
Streamlined patching
Automation of security controls
COMPROMISING SECRETS
When a container accesses a database or service, it will likely require a secret, such as an API key or username and password. An attacker who can get access to this secret also has access to the service. This problem becomes more acute in a microservice architecture in which containers are constantly stopping and starting, as compared to an architecture with small numbers of long-lived VMs.
MULTITENANCY ISSUES
Hosting multiple tenants on the same host creates data confidentiality issues. The implementation of security models, such as the Brewer and Nash model and the Chinese Wall model,4 is more important in the context of application containerization than in the context of application virtualization.
Note that the risk areas presented here are not an exhaustive list. Like the value side of the risk/value trade-off, specific risk considerations can and will vary according to enterprise usage, threat model, business, industry and numerous other factors. Therefore, it is imperative that enterprises understand the risk dynamics for their particular organization and systematically
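The secrets risk described under COMPROMISING SECRETS has two practical defensive counterparts: keep credentials out of image layers and environment variables, where anyone who can pull the image or inspect the container can read them, and hand them to the container as a mounted file that only the service account can read. The following is an added example written for this edition of the paper; it is not ISACA's or Docker's code. It assumes a Dockerfile-style text input (the sample is constructed) and a secret file mounted into the container with owner-only permissions; the list of credential-like key names is an assumption for the example.

```python
from __future__ import annotations

import os
import re
import stat
import tempfile
from pathlib import Path

# Key names that usually carry credentials. The list is an assumption made
# for this example, not an exhaustive catalogue.
SECRET_KEY_PATTERN = re.compile(
    r"PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY", re.IGNORECASE)

# Constructed Dockerfile that bakes credentials into the image.
SAMPLE_DOCKERFILE = """\
FROM python:3.12-slim
ENV APP_ENV=production
ENV DB_PASSWORD=hunter2
ARG API_KEY=abc123
COPY . /app
CMD ["python", "/app/main.py"]
"""


def find_env_secrets(dockerfile_text: str) -> list[tuple[int, str]]:
    """Return (line number, key) for ENV/ARG instructions whose key looks
    like a credential. ENV values persist in the image and the container
    environment; ARG values persist in the image history. Anyone who can
    pull the image or inspect the container can read them."""
    findings = []
    for lineno, raw in enumerate(dockerfile_text.splitlines(), start=1):
        line = raw.strip()
        if not line.upper().startswith(("ENV ", "ARG ")):
            continue
        # Accept both "ENV KEY=value" and the legacy "ENV KEY value" forms.
        body = line.split(None, 1)[1]
        key = re.split(r"[=\s]", body, maxsplit=1)[0]
        if SECRET_KEY_PATTERN.search(key):
            findings.append((lineno, key))
    return findings


def load_secret(path: str | Path) -> str:
    """Read a secret from a file mounted into the container (e.g. a Docker
    or Kubernetes secret volume). Files readable by group or others are
    rejected so a mis-mounted secret fails loudly instead of leaking."""
    p = Path(path)
    mode = stat.S_IMODE(p.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{p} has mode {mode:04o}; secrets must be owner-only")
    # Strip the trailing newline editors add; keep everything else intact.
    return p.read_text().rstrip("\n")


def redact(message: str, secret: str) -> str:
    """Mask the secret wherever it appears in a log line."""
    return message.replace(secret, "[REDACTED]") if secret else message


def demo_load(value: str, mode: int) -> str:
    """Constructed scenario: write a secret file with the given mode,
    then load it the way an application container would at start-up."""
    with tempfile.TemporaryDirectory() as d:
        f = Path(d) / "db_password"
        f.write_text(value)
        os.chmod(f, mode)
        return load_secret(f)


if __name__ == "__main__":
    print("credentials in Dockerfile:", find_env_secrets(SAMPLE_DOCKERFILE))
    secret = demo_load("s3cret\n", 0o600)
    print(redact(f"connecting with password {secret}", secret))
```

The permission check matters most in the short-lived-container case the paper describes: a secret file that is re-mounted on every restart is re-checked on every start, so a bad mount is caught at the first launch rather than after the credential has been exposed.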
The first point, immutability, refers to the notion that the production software that we field persists in a known, reliable state throughout its lifespan.5 Consider a production environment in a traditional (non-containerized) infrastructure; production support of that environment might include numerous modifications: installation of new packages, upgrading of packages, modification of source or configuration files, etc. Over time, these one-off tweaks, modifications, changes, manual steps, etc. can lead to differences between nodes; these differences can, in turn, lead to unexpected application behavior, including security issues as well as other potential complexities. Use of containers can instead facilitate an immutable server approach, one that minimizes manual modification of the node and instead draws upon automated techniques to rapidly rebuild and re-field an application into production. This can minimize individual idiosyncrasies between nodes and offer a more stable (over time) platform upon which the application runs.
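The immutability argument above is, in operational terms, a drift-detection problem: if nodes are only ever rebuilt from the image, any difference between a node and its known-good baseline is a finding. The following added example (written for this edition, not from the paper or any vendor) fingerprints a directory tree with SHA-256, persists the baseline the way a configuration management system would, and reports what drifted. The directory contents are constructed for the demonstration.

```python
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path


def digest_tree(root: str | Path) -> dict[str, str]:
    """Map every file under root (as a relative POSIX path) to its SHA-256
    digest. This is the node's fingerprint at a point in time."""
    root = Path(root)
    files = sorted(p for p in root.rglob("*") if p.is_file())
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in files
    }


def diff_baseline(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify drift against the known-good baseline. Under an immutable
    server approach every entry here is a finding: the node should have
    been rebuilt from the image, not edited in place."""
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def has_drifted(report: dict[str, list[str]]) -> bool:
    """True if any category of the drift report is non-empty."""
    return any(report.values())


def demo_drift() -> dict[str, list[str]]:
    """Constructed scenario: fingerprint a freshly built node, persist the
    baseline as JSON, apply the kind of one-off production tweaks the text
    warns about, and report the drift."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("workers=4\n")
        (root / "bin").mkdir()
        (root / "bin" / "app").write_bytes(b"\x7fELF placeholder binary")

        # Round-trip through JSON, as a stored baseline would be.
        baseline = json.loads(json.dumps(digest_tree(root)))

        # Manual, undocumented changes on a long-lived node.
        (root / "etc" / "app.conf").write_text("workers=8\n")   # edited config
        (root / "etc" / "hotfix.sh").write_text("#!/bin/sh\n")  # ad hoc script
        (root / "bin" / "app").unlink()                          # package removed

        return diff_baseline(baseline, digest_tree(root))


if __name__ == "__main__":
    print(json.dumps(demo_drift(), indent=2))
```

In practice the baseline is taken from the image at build time and the comparison runs against the live node; a non-empty report is the trigger to rebuild and redeploy rather than to patch the node by hand.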
3 A rootkit is a software suite designed to aid an intruder in gaining unauthorized administrative access to a computer system.
4 For information about the Brewer and Nash model and the Chinese Wall model, see Kelley Sobel, Ann E.; Jim Alves-Foss, A Trace-Based Model of the Chinese Wall Security Policy, proceedings paper
from the 22nd National Information Systems Security Conference, October 18-21, 1999, National Institute of Standards and Technology (NIST) and National Computer Security Center of the National
Security Agency, http://csrc.nist.gov/nissc/1999/proceeding/papers/p9.pdf
5 Petazzoni, Immutable Infrastructure with Docker and Containers, GlueCon 2015, www.slideshare.net/jpetazzo/immutable-infrastructure-with-docker-and-containers-gluecon-2015
Assurance
For the auditor, containers can likewise affect their workflow
in potentially positive and negative ways. In terms of potential
positive benefit, there are two main areas to note:
Streamlined OS and configuration review
Supply chain analysis benefits
First and foremost, the reduction in footprint that is
associated with use of containers within the data center can
have a direct benefit in the amount of time and attention that
is required by auditors to sample and vet OS images. For
example, because the application is packaged and fielded
as a unit in a container situation, the effort required to vet
the OS on which the application runs may decrease
in scale and thereby complexity. Unlike OS virtualization,
there is no guest OS of which to systematically test the
hardening, configuration and maintenance. Auditors who
are seeking to ensure that their efforts are as useful and
practical to the enterprise as possible can potentially spend
less time focused on vetting the underlying OSs and more
time focused on activities that directly impact the application,
such as application configuration, the business logic that the
application implements and the processes that it supports.
With that potential advantage also comes a change in
the mechanics of how an auditor needs to approach the
environment so that his or her activities remain relevant. For
example, given the complexities in the isolation mechanisms
employed (outlined previously), an auditor may wish to
spend more time investigating privileged account use
within the container and how container configuration is
effected (including the processes that enforce appropriate
segmentation of duties). At a minimum, the auditor needs to
understand the containerization technology that is employed,
the isolation methodology by which it operates and any
constraints (particularly legacy constraints) that may impact the
appropriate operation of the model in the enterprise usage.
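The CONTAINER BREAKOUTS risk and the auditor's need to investigate privileged account use and container configuration come together in a runtime configuration check. The following added example (written for this edition; it is not ISACA's, Docker's, or any project's code) audits container records for the settings that weaken the isolation model: running as root, privileged mode, shared host namespaces, added capabilities, a writable root filesystem, and sensitive host paths mounted into the container. The records are constructed and mirror the field names of `docker inspect` output (`Config.User`, `HostConfig.Privileged`, `HostConfig.PidMode`, `HostConfig.CapAdd`, `HostConfig.ReadonlyRootfs`, `HostConfig.Binds`); the lists of dangerous capabilities and sensitive paths are assumptions for the example.

```python
from __future__ import annotations

# Constructed records shaped like `docker inspect` output.
SAMPLE_CONTAINERS = [
    {
        "Name": "/payments-api",
        "Config": {"User": "10001"},
        "HostConfig": {
            "Privileged": False, "PidMode": "", "NetworkMode": "bridge",
            "CapAdd": None, "CapDrop": ["ALL"], "ReadonlyRootfs": True,
            "Binds": ["/var/data/payments:/data"],
        },
    },
    {
        "Name": "/legacy-batch",
        "Config": {"User": ""},
        "HostConfig": {
            "Privileged": True, "PidMode": "host", "NetworkMode": "host",
            "CapAdd": ["SYS_ADMIN"], "CapDrop": None, "ReadonlyRootfs": False,
            "Binds": ["/var/run/docker.sock:/var/run/docker.sock", "/etc:/host-etc"],
        },
    },
]

# Capabilities and host paths that largely negate container isolation.
# Both lists are assumptions for this example, not a complete policy.
RISKY_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "NET_ADMIN", "SYS_MODULE"}
SENSITIVE_PATHS = {"/", "/etc", "/proc", "/sys", "/var/run/docker.sock"}


def audit_container(record: dict) -> list[str]:
    """Return human-readable findings for one container record."""
    findings = []
    host = record.get("HostConfig", {})
    cfg = record.get("Config", {})

    user = cfg.get("User") or ""
    if user in ("", "root", "0") or user.startswith(("0:", "root:")):
        findings.append("runs as root (Config.User unset or 0)")
    if host.get("Privileged"):
        findings.append("privileged mode disables most isolation")
    for ns in ("PidMode", "NetworkMode", "IpcMode"):
        if host.get(ns) == "host":
            findings.append(f"shares host namespace ({ns}=host)")
    for cap in host.get("CapAdd") or []:
        if cap.upper() in RISKY_CAPS:
            findings.append(f"dangerous capability added: {cap}")
    if not host.get("ReadonlyRootfs"):
        findings.append("writable root filesystem")
    for bind in host.get("Binds") or []:
        src = bind.split(":")[0]
        if src in SENSITIVE_PATHS:
            findings.append(f"sensitive host path mounted: {src}")
    return findings


def audit_all(containers: list[dict]) -> dict[str, list[str]]:
    """Audit every record; an empty list means no findings for that container."""
    return {c["Name"]: audit_container(c) for c in containers}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_CONTAINERS).items():
        print(name, "->", findings or "no findings")
```

An auditor can feed the real `docker inspect` JSON for each container into `audit_all`; each finding maps directly to a question for the administrator (why this container needs the setting, and what compensating control exists), which is the privileged-use investigation the text recommends.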
Secondly, the analysis of the supply chain for applications
can be simplified from an assurance standpoint. Consider
a deployment scenario for a traditional application. There
may be multiple internal groups such as build teams and
operations groups, third parties such as business partners
or vendors, and numerous other participants that might have
a hand in fielding a given application. From an auditor's point
of view, this means numerous places in the delivery chain
that an auditor must evaluate to ensure that the end result
is reliable. Containers can help mitigate this. Specifically, it
is possible to watermark a container to detect tampering.
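The tamper-detection idea behind "watermarking" a container works because image content is content-addressed: every layer is named by its digest, the manifest lists those digests, and an authenticated tag over the manifest lets a consumer at the end of the delivery chain detect any change made along the way. The following added example (written for this edition; it is not Docker's tooling or the paper's own code) shows both checks. HMAC with a constructed key stands in for the asymmetric signatures that real systems such as Docker Content Trust use, and the layers and configuration are constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import json

SIGNING_KEY = b"example-key-do-not-use"  # constructed for the example
LAYERS = [b"base os files", b"application files"]  # constructed layer blobs
CONFIG = {"Entrypoint": ["/app/run"], "User": "1000"}


def layer_digest(layer: bytes) -> str:
    """Content address of one layer, in the familiar sha256:<hex> form."""
    return "sha256:" + hashlib.sha256(layer).hexdigest()


def build_manifest(layers: list[bytes], config: dict) -> str:
    """Canonical JSON manifest: sorted keys and no whitespace, so the same
    content always serialises to the same bytes and the same digest."""
    manifest = {
        "config": config,
        "layers": [{"digest": layer_digest(l), "size": len(l)} for l in layers],
    }
    return json.dumps(manifest, sort_keys=True, separators=(",", ":"))


def sign_manifest(manifest_json: str, key: bytes) -> str:
    """Authentication tag over the manifest (HMAC stands in for a signature)."""
    return hmac.new(key, manifest_json.encode(), hashlib.sha256).hexdigest()


def verify_image(manifest_json: str, signature: str,
                 layers: list[bytes], key: bytes) -> tuple[bool, str]:
    """Two checks: the manifest is authentic, and every layer actually
    received matches the digest the manifest promises."""
    expected = sign_manifest(manifest_json, key)
    if not hmac.compare_digest(expected, signature):
        return False, "manifest signature mismatch"
    manifest = json.loads(manifest_json)
    if len(manifest["layers"]) != len(layers):
        return False, "layer count mismatch"
    for i, (entry, blob) in enumerate(zip(manifest["layers"], layers)):
        if entry["digest"] != layer_digest(blob):
            return False, f"layer {i} digest mismatch"
    return True, "ok"


def demo() -> dict[str, bool]:
    """Publish an image, then try to consume it untouched, with a swapped
    layer, and with an edited manifest (User changed from 1000 to 0)."""
    manifest = build_manifest(LAYERS, CONFIG)
    sig = sign_manifest(manifest, SIGNING_KEY)
    return {
        "untouched": verify_image(manifest, sig, LAYERS, SIGNING_KEY)[0],
        "tampered_layer": verify_image(
            manifest, sig, [LAYERS[0], b"replaced application files"], SIGNING_KEY)[0],
        "tampered_manifest": verify_image(
            manifest.replace('"1000"', '"0"'), sig, LAYERS, SIGNING_KEY)[0],
    }


if __name__ == "__main__":
    print(demo())
```

For the auditor this collapses many hand-offs in the delivery chain into one question: does the artifact that reached production verify against the manifest that the build system signed?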
6 McCauley, Nathan, Your Software Is Safer In Docker Containers, Docker, 23 August 2016, https://blog.docker.com/2016/08/software-security-docker-containers
Governance
From a governance standpoint, it is important to recognize
that a shift from a non-containerized to a containerized
usage scenario can impact existing governance structures
and artifacts. Governance practitioners may wish to revisit
existing policy to ensure continued appropriateness in light of
a containerization effort. They may wish to examine the people
and their skill sets to ensure that they have the staff with the
right skills who are equipped to maximize value and minimize
risk. Governance practitioners may also want to ensure that
critical goals, like segregation of duties, asset management
and risk management, continue to operate appropriately in
light of the shift to containerization.
CONCLUSION
Containerization is an important and potentially game-changing technology for developers and data centers; it
deploys business applications more rapidly, with reduced
development overhead, lower costs, more efficient use of
resources and increased business agility. New and unique
business opportunities can be engendered by the strategic use
of containers.
Like most new technologies, application containerization
presents some challenges, particularly emergent behaviors
at scale, possible new risk that is not present until containers
start moving into the production environment and threat
scenarios that are unique to the usage. Practitioners need
to consider potential assurance, security and governance
impacts along with the potential risk and value factors. To
make a holistic risk decision, practitioners must evaluate
these potential impacts, on the risk side and the value side,
and make a determination for their environment based on
their enterprise's set of requirements, the nuances of their
particular business, and in light of their enterprise's usage.
The technology and management practices of application
containers will continue to mature over time in much the same
way that the VM space developed and matured. Remaining
abreast of these changes and reevaluating decisions in
light of these changes will continue to be necessary for the
foreseeable future.
7 Docker, Securing The Enterprise Software Supply Chain Using Docker, Docker, 23 August 2016, https://blog.docker.com/2016/08/securing-enterprise-software-supply-chain-using-docker
CONTROL | PURPOSE | IMPLEMENTATION | ASSURANCE STEPS

CONTROL: Configuration management
PURPOSE: Establish a known-good configuration for containers and relevant infrastructure. Leverage technical measures to ensure that this configuration is enforced.
ASSURANCE STEPS: Observe configuration management system and interview administrator personnel to ensure technical settings are appropriate to ensure known-good configuration.

CONTROL: Vulnerability assessment and penetration testing

CONTROL: Application security process management
ASSURANCE STEPS: Interview software development staff and/or review process documentation for any in-house developed software to ensure that software is developed using a robust process with a focus on building security into the process.

CONTROL: Application security testing/scanning

CONTROL: Risk analysis

CONTROL: Security awareness training
ISACA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: info@isaca.org
ISACA (isaca.org) helps global professionals lead, adapt and assure trust in an evolving
association of 140,000 professionals in 180 countries. ISACA also offers the Cybersecurity
Nexus (CSX), a holistic cybersecurity resource, and COBIT, a business framework to
Provide feedback: www.isaca.org/containerization
Disclaimer
This is an educational resource and is not inclusive of all information that may be needed to assure a successful outcome.
Readers should apply their own professional judgment to their specific circumstances.
Reservation of Rights
© 2016 ISACA. All rights reserved.
ACKNOWLEDGMENTS
ISACA wishes to recognize:
Expert Reviewers
Madhav Chablan
Anuj Jain
Michael R. Lawrence
Nathan McCauley, Docker, USA
Sergiu Sechel
Dan Walsh
Board of Directors
Christos K. Dimitriadis
Robert Clyde
Theresa Grafenstine
Leonard Ong
Andre Pitkowski
Eddie Schwartz
Jo Stewart-Rattray
Tichaona Zororo
Zubin Chagpar
Jeff Spivey
Robert E Stroud
Tony Hayes
Greg Grocholski
Matt Loeb