Containers are a big topic of conversation right now — and for good reason. They represent a powerful and transformative shift toward infrastructure that can enable flexibility and rapid development unlike anything we’ve seen before. However, as containers continue to proliferate, so do the security and compliance issues that surround them. Many in the market do not fully understand these concerns or how to address them. Our recent report with ESG Strategy Group (Threat Stack Cloud Security Report 2017: Security at Speed & Scale) bore this out.
Containers cannot solve every development or infrastructure problem; they are not the panacea that many believe them to be. But they do offer new opportunities that, when used properly, can move your organization forward.
However, like many groundbreaking technologies in the hockey-stick growth phase, containers have not yet developed clear best practices when it comes to security and compliance. Unlike the cloud, there are not many universally applicable and widely understood rules for configuring and maintaining containers.
The ESG Survey Says…
Here’s what we learned from surveying SMBs and mid-tier enterprises about how they are using containers today:
- 42% of respondents said that they have already deployed containerized product applications.
- 23% plan to deploy containerized apps over the next year.
- 22% plan to start testing containers over the same timeframe.
These are significant statistics. They mean that about 90% of respondents will be using containers in some way within the next year. Impressively, this represents a growth rate of more than 100% year over year.
Now, let’s take a look at where the security and compliance concerns are coming from. Our survey revealed that 94% of respondents believe containers have security implications. That’s a good sign — acknowledgement of these implications is the first step toward addressing them. The concerns vary from company to company, but compliance seems to rise to the top for many organizations. In fact, compliance concerns are the number one issue that respondents identified, primarily due to a perceived lack of visibility into containers.
Nearly one third of respondents (31%) indicated that they are worried about the lack of mature security solutions for containers. The same percentage stated that their current server workload security solutions did not support containers, which means they will have to add a new tool — leading to new costs and increased complexity. Another 28% are concerned that a single infected container could easily spread to others, while 16% identified the portability of containers as a reason why they could be more susceptible to “in motion” compromise.
These are all valid security concerns, and ones that every organization would do well to research before adopting containers en masse.
Where is the Market Headed?
As adoption of containers continues to increase, so too do the concerns around security. A lack of sufficient solutions to address this is a primary reason companies are fearful. Many respondents don’t believe that their existing tools can adequately secure containers, and in many cases these fears are valid.
That said, the fears outlined above can be allayed by implementing a comprehensive intrusion detection platform (IDP) that is infrastructure-agnostic (from on-prem to cloud to container) and that is able to catch and respond to everything from configuration errors to garden-variety malware to advanced persistent threats.
With market penetration for containers predicted to hit 90% within the year, it is fair to say that containers represent both opportunity and challenge. For those who are able to approach them with clear eyes and understand what purpose they serve and what strengths and weaknesses they have, containers can be a key part of many growth strategies.
For more information, feel free to download the full Threat Stack / ESG report: Threat Stack Cloud Security Report 2017: Security at Speed & Scale.