Operating system (OS) virtualization provides a separate virtualized view of the OS to each application, thereby keeping each application isolated from all others on the server. Each application can only see and affect itself. Recently, OS virtualization has become increasingly popular due to advances in its ease of use and a greater focus on developer agility as a key benefit. Today’s OS virtualization technologies are primarily focused on providing a portable, reusable, and automatable way to package and run applications (apps). The terms application container or simply container are frequently used to refer to these technologies.
The purpose of this document is to explain the security concerns associated with container technologies and to make practical recommendations for addressing those concerns when planning for, implementing, and maintaining containers. Many of the recommendations are specific to a particular component or tier within the container technology architecture, which is depicted in Figure 1.
Organizations should follow these recommendations to help ensure the security of their container technology implementations and usage:
Tailor the organization’s operational culture and technical processes to support the new way of developing, running, and supporting applications made possible by containers.
The introduction of container technologies might disrupt the existing culture and software development methodologies within the organization. Traditional development practices, patching techniques, and system upgrade processes might not directly apply to a containerized environment, and it is important that employees are willing to adapt to a new model. Staff should be encouraged to embrace the recommended practices for securely building and operating apps within containers, as covered in this guide, and the organization should be willing to rethink existing procedures to take advantage of containers. Education and training covering both the technology and the operational approach should be offered to anyone involved in the software development lifecycle.