INDUSTRY WATCH
Here, it is first defined which users, depending on their role, may carry out which activities involving a container. Secondly, the actions that a container itself may perform must be specified. The spectrum ranges from full isolation through to root rights, where a container is given access to other containers and to the server operating system; this would be the exception rather than the rule, however.

Certification in the form of a digital signature improves the level of security: it makes clear who created the container image, for what purpose, and at what time. A general security strategy can be summed up as follows:

• All components should originate from trustworthy sources.
• It should be clear that their security status is up-to-date and that they have not been changed without authorisation.
• As an additional layer, SELinux should be used on the container hosts to shield running containers from the host and from one another. SELinux isolates the containers and only allows access to the resources they need.

Across the outside boundaries of a container, it is theoretically possible for malicious content to work its way from one container image to the next and finally even to the container host. Without further explicit security measures, every process running in a container context has access to the kernel of the container host. In the worst case, an attacker may exploit a vulnerability in the software running in the container; if he then also finds a vulnerability in the Linux kernel, he has successfully made the jump to the container host. This would also jeopardise all the other container processes on that host. As a preventive measure, the container host must therefore be updated regularly with the latest security updates.

Using technologies and processes such as microservices, containers, and DevOps, IT departments are able to respond quickly and flexibly to new business requirements. The prerequisites for this are provided by the microservices architecture concept: the applications are broken down into small, loosely coupled microservices, and packed as containers on servers within the enterprise or in the cloud. Since containers are inherently dynamic and volatile, and the container management solution places them depending on
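As an added example that is not part of the article, the strategy outlined above (role-based container actions, least privilege for the container itself, signed images from trusted sources, SELinux confinement on the host) expressed as a policy check in Python. The role matrix, the registry name, the simplified spec schema and both sample specs are constructed assumptions, not any real runtime's format.

```python
# Constructed role matrix (assumption): which roles may perform which
# container actions. "privileged-run" is the root-rights exception.
ROLE_ACTIONS = {
    "developer": {"build", "push", "view"},
    "operator": {"pull", "run", "stop", "view"},
    "admin": {"build", "push", "pull", "run", "stop", "view", "privileged-run"},
}
TRUSTED_REGISTRIES = {"registry.internal.example"}  # constructed value
SIGNATURE_FIELDS = {"signer", "purpose", "signed_at"}  # who, why, when

def action_allowed(role: str, action: str) -> bool:
    """Who (by role) may carry out which activity involving a container."""
    return action in ROLE_ACTIONS.get(role, set())

def audit_container(spec: dict) -> list:
    """Check a simplified container spec (constructed schema, not a real
    runtime's inspect output) against the strategy. Empty list == compliant."""
    findings = []
    image = spec.get("image", "")
    if image.split("/", 1)[0] not in TRUSTED_REGISTRIES:
        findings.append(f"image {image!r} does not come from a trusted source")
    sig = spec.get("signature") or {}
    if not sig:
        findings.append("image is unsigned: creator, purpose and time unknown")
    elif not SIGNATURE_FIELDS <= set(sig):
        findings.append("signature lacks signer, purpose or timestamp")
    if spec.get("privileged"):
        findings.append("privileged container: root rights over host and peers")
    if str(spec.get("user", "root")) in ("root", "0"):  # root is the default
        findings.append("process runs as root inside the container")
    if spec.get("selinux_label") in (None, "", "disable"):
        findings.append("no SELinux label: not shielded from host and peers")
    return findings

# Constructed sample specs: one following the strategy, one ignoring it.
GOOD_SPEC = {
    "image": "registry.internal.example/shop/cart:1.4.2",
    "signature": {"signer": "ci-pipeline", "purpose": "prod",
                  "signed_at": "2024-03-01T10:00:00Z"},
    "privileged": False, "user": "cart",
    "selinux_label": "system_u:system_r:container_t:s0:c12,c34",
}
BAD_SPEC = {"image": "docker.io/library/busybox:latest", "privileged": True}

if __name__ == "__main__":
    for name, spec in (("good", GOOD_SPEC), ("bad", BAD_SPEC)):
        print(name, audit_container(spec) or ["compliant"])
```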
[Figure text: "4. Service discovery". Caption: Program code and necessary dependencies are packed into an isolated package. This is done either at an on-premise data centre or in a public cloud.]
www.intelligentcio.com
INTELLIGENTCIO
73