Security by Design: A Checklist for Safeguarding Virtual Machines and Containers
Virtualization and the cloud are a boon for developers and businesses that create applications. Virtual infrastructures give businesses and developers cost-effective, dynamic, and agile ways of providing their products and services or deploying their own applications. With the public cloud expected to grow into a US$178-billion market this year, there’s an evident shift toward automation and scalability in pushing out applications.
But as businesses and developers strive to move faster to keep pace with deadlines and demand, security lags behind and, more often than not, is skimped on. A 2017 survey by the SANS Institute, for instance, reported that 15 percent of organizations succumbed to data breaches due to unsecure applications in the past two years, and as many as 10 percent of organizations said that no security testing at all was being done on their mission-critical applications.
It’s little wonder that DevOps is gathering steam, both as a software engineering culture and as a set of tools that meld software development and information technology (IT) operations toward agile development and deployment. Gartner estimates that, by next year, 70 percent of DevOps-related initiatives from enterprises will incorporate and automate security in the applications they use, create, or deploy.
Securing virtual environments is no different from safeguarding the applications themselves. Here are some considerations and best practices that developers, IT operations professionals, and system administrators should take into account in securing the infrastructures that power the applications they use.
Preventing security gaps in containers and virtual machines
Having differing scopes and requirements in their workloads, organizations use virtualization technologies according to their respective needs. For example, virtual machines (VMs) are a better fit for developers and enterprises looking for flexibility in running multiple applications, while containers are better for those requiring scalable applications.
Containers and VMs both offer means by which applications can be run multiple times or isolated within a single platform, but they differ in how they do it. Containers virtualize an operating system (OS) to run various workloads in a single OS instance, while VMs virtualize hardware to run instances of the OS.
Thus, every instance of applications running on containers and VMs poses a potential attack vector if it is vulnerable or misconfigured. An instance running with unnecessary ports still set up on the container or VM, for example, can be exploited to let hackers sneak into the application’s server.
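The unnecessary-port case above can be checked mechanically. The following is an added example, not part of the original article: it audits `docker inspect` JSON against a per-container allowlist of published ports. The sample data, the container names and the `ALLOWED` policy are constructed assumptions.

```python
import ipaddress
import json

# Constructed sample in the shape of `docker inspect` output (not real data).
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/web", "NetworkSettings": {"Ports": {
      "443/tcp":  [{"HostIp": "0.0.0.0", "HostPort": "443"}],
      "22/tcp":   [{"HostIp": "", "HostPort": "2222"}],
      "9229/tcp": null}}},
  {"Name": "/db", "NetworkSettings": {"Ports": {
      "5432/tcp": [{"HostIp": "127.0.0.1", "HostPort": "5432"}]}}}
]
""")

# Assumed policy: ports each container is expected to publish on the host.
ALLOWED = {"web": {"443/tcp"}, "db": set()}


def audit_ports(containers, allowed):
    """Return (container, port, host_binding, severity) per unexpected published port."""
    findings = []
    for c in containers:
        name = c["Name"].lstrip("/")
        ports = (c.get("NetworkSettings") or {}).get("Ports") or {}
        for port, bindings in sorted(ports.items()):
            if port in allowed.get(name, set()):
                continue
            # A null binding means the port is exposed by the image but not
            # published on the host, so there is nothing reachable to report.
            for b in bindings or []:
                ip = b.get("HostIp") or "0.0.0.0"  # empty string = all interfaces
                loopback = ipaddress.ip_address(ip).is_loopback
                findings.append((name, port, f"{ip}:{b['HostPort']}",
                                 "low" if loopback else "high"))
    return findings


if __name__ == "__main__":
    for finding in audit_ports(SAMPLE_INSPECT, ALLOWED):
        print(*finding)
```

Feeding it the output of `docker inspect $(docker ps -q)` instead of the sample gives the same report for running containers.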
Container images must also be vetted for vulnerabilities. They are constantly added to a repository, overwritten, and rehashed (if open-source) — actions that increase the risks of their having security flaws. The SANS Institute’s checklist for auditing Docker-based containers is a good starting point for assessing containerized applications and host OSs.
The hypervisor manages how guest OSs access resources such as the central processing unit (CPU), memory, network, and storage. It partitions the resources to prevent the instances from intruding into one another’s resources. The hypervisor is the underlying infrastructure behind applications running on VMs, which makes its security of paramount importance. The U.S. National Institute of Standards and Technology has detailed recommendations for securing the hypervisor:
Images are the blueprints of containers, which use them to spin up or run applications. A vulnerable image begets a malware- or hacking-prone container, and consequently, the application itself becomes prone to malware or hacking as well. Identifying security gaps (such as unsecure code) pre-runtime and fixing them before the image is scheduled in an orchestration environment will save significant time and effort otherwise spent reworking builds, as well as reduce overhead and disruptions in the application’s life cycle:
Experts predict that this year, intelligent enterprise resource planning-based (i-ERP) applications, which are typically hosted on cloud platforms and designed to manage and automate business processes, will be the benchmarks that 15 percent of Global 2000 enterprises will use to improve their bottom lines and enrich customer experience. Indeed, virtualization and the cloud are increasingly transforming the ways personal and mission-critical data are handled and processed.
But it’s not just about securing containers and VMs. Regardless of whether an organization’s workloads run on physical, virtual, or cloud infrastructures (or any combination thereof), maintaining and securing them can be daunting. True to the DevOps culture, streamlining is the name of the game. Whether an organization uses virtual machines or containers (or both at the same time) to test, run, and deploy applications, security shouldn’t be a roadblock. Incorporating security into the very infrastructures that drive applications not only helps thwart threats, but also reduces business risks to organizations.