Focus on cybersecurity: Despite growth in popularity, are web containers secure?

RENO, Nev. — As cloud-based systems such as Amazon WorkSpaces become more prevalent for companies, so too has the use of a technology called “containers” to help deploy those systems.

Through containers, web developers are able to package their software, configurations and dependencies into a single portable file. Containers were invented to help simplify application development, testing and deployment, while also making the process happen more quickly and reliably.

The growth in their use is becoming more rapid. To give an idea in numbers, more than a billion containers were deployed worldwide in 2016, according to Docker, a web development company that has been pushing the container movement since 2013.

But while containers appear to be the new wave of the future in web development, there still are concerns over their reliability against cybersecurity threats. But while not fail-safe, experts contend that containers have come a long way in terms of security.

Containers versus virtual machines

Jake Warner founded and serves as the CEO of “Cycle,” a Reno-based startup that relocated from Ohio in 2017. Cycle is a container orchestration platform that focuses on simplifying container hosting and web infrastructure for businesses.

Warner said containers have made strides in becoming much more secure, if managed properly. They have become an alternative to the virtual machine — which is a computer within a computer, essentially, that functions to execute an entire operating system, including software and hardware applications.

“Virtual machines are similar to building a house but only installing locks on the door after completion,” Warner said in an email to the NNBW. “In that same analogy, containers would have those locks installed as the house is built.”

Warner said that while virtual machines must be secured after they’re deployed, containers typically follow the “principle of least privilege” (PoLP).

Instead of being told what they’re not allowed to access, a developer has to specifically tell each container what privileges each has. If a developer forgets to assign a privilege to a container, the worst-case scenario is that the container is actually more secure, Warner said.

Just last February, Cycle (the website of which is cycle.io) relaunched its platform, which enables businesses to deploy private clouds on a physical infrastructure.

From a cybersecurity perspective, private clouds are known to be far safer than traditional public clouds, considering businesses have full control of the applications that exist on their cloud. In Cycle’s case, its customers are able to have physical separation between their applications and the rest of the internet.

“With containers, think in terms of an apartment building. With a public cloud, you only can control what happens in your specific apartment,” Warner said. “Don’t like the neighbors? You can’t really do much about it. With a private cloud, you own the apartment building and can remove tenants whenever you like.”

Vulnerabilities still exist

Since Cycle’s relaunch two months ago, combined with the general increase in container usage among software developers, business has spiked, Warner said. The company has contracted more business in the last two months than it did in the prior 14 months combined.

Still, while containers can help mitigate most cybersecurity threats, they’re not completely immune. For example, in January, two security vulnerabilities were found in a majority of Intel’s CPU designs.

These vulnerabilities, named Meltdown and Spectre, exist within the physical CPU designs — meaning they affect Linux, Windows and MacOS, as well as other operating systems.

Although containers help prevent one application from improperly interacting with another, these vulnerabilities were so extreme that containerized applications still were susceptible to attack.

“Meltdown and Spectre really helped show why we’re beginning to see a resurgence of bare-metal private clouds” Warner said. “Businesses who have been investing heavily in moving to public clouds are now rethinking their strategies as the risks might not be worth the cost savings.

“With bare-metal private clouds, as opposed to virtual private clouds (VPCs), businesses not only get full control of the workloads that exist on their cloud but have physical separation between their data and the rest of the world — helping mitigate vulnerabilities that haven’t even yet been discovered.”