Not an option, not a feature: Why Linux container security should be organic

Image via aroberts

If you pay any attention at all to the world of food or food production (I mean, we all eat, right?), you’ll notice a distinct trend emerging - many producers are also starting to label their foodstuffs as “organic” or “all-natural.” More than just food, however, organic can also apply to Linux containers - specifically, Linux container security.

It’s not as crazy as it sounds. Think of “organic” container security as built-in - the security is inherent to the code (genetics) of a specific solution, built from the ground up along with the rest of a solution’s features. So what’s “non-organic” container security look like it? It’s more of a “bolt-on,” where code is added after the container solution is built to make it more secure.

While the bolt-on container security approach may work, these security features often add more complexity or, worse, closed/proprietary code to a solution. Going back to the culinary world, this is similar to heavily-processed/artificial food - you don’t know exactly where the modifications to the genetic code took place and you aren’t sure exactly what was modified, but you’re told that it’s okay for you to eat.

That may be fine for food (we have the regulatory bodies for a reason), but it may not be okay for software that’s intended to run on mission-critical systems.

Security as a Fundamental Tenet, Not a Feature (and Certainly Not an Option)
Red Hat’s entire approach to software security, not just container security, can be considered organic. For us, security isn’t a “feature;” it’s a fundamental, core part of our products that is a focus from day one. We start at the upstream level by engaging and collaborating with the upstream communities that create open source code, ultimately helping to drive the creation of more secure software from inception.

We then keep this focus on security as this upstream software moves through the hardening and productization of the open source code - there’s no “open core” or “add-on” bits. For our container technologies, including Red Hat Enterprise Linux Atomic Host and OpenShift, our container application platform, we leverage OpenSCAP (a more secure software scanning protocol) and, of course, SELinux, a Linux kernel security module that provides support for mandatory access control policies, among other open source security components.

These aren’t features nor are they add-ons - they’re fundamental components of our solutions. In this way, we provide security organically - we don’t sell something extra, nor do we try to slap on closed code. We understand that security isn’t a feature, it’s a process that has to start on day one.

Security’s No Compromise...and Neither is the Operating System
Shocking though it may be, the security debate around containers, from organic to artificial, boils down to one simple concept: the operating system. Red Hat has long said that the operating system matters, no matter how abstracted the various layers of the computing stack become, and security is one of the primary reasons.

A more secure foundation for container implementations is critical, and something that Red Hat has been providing for more than a decade with Red Hat Enterprise Linux. Hardened code, integrated software security functionality and quicker responses to vulnerabilities are just a few of the components that have made Red Hat Enterprise Linux the world’s leading Linux platform in the data center, and we bring these same technical achievements and expertise to Linux containers.

There’s no one silver bullet for running Linux containers - when it comes to the magic word, some players push “small footprints” while others shout about management or speed. It’s not just one of these things that matters the most - they all do, and security is high on the list. Red Hat is a leader for not only containers, but also delivering an ecosystem for Linux container deployments, from the operating system to orchestration to management...all delivered with more secure computing technologies and the support for which we are known.

Scanning Isn’t Enough
Beyond our technology, we don’t just provide tools for scanning container content - we actually provide patches and updated container images when exploits hit. Scanning is easy, updates are hard. As we’ve said previously, Red Hat does not throw our hands up in the air when a vulnerability is found, leaving our customer to fend for themselves; we help do the heavy lifting of patching, respinning, certifying and validating container images. We have the technology AND the technical expertise to do this, and we’ve been doing it for a long time, both within and without the world of Linux containers.

I believe Linux containers represents the future of enterprise applications, and possibly computing as a whole; relying on closed, lab-grown or bolted-on features to help secure these vital resources may not be good enough. I believe organic container security is the way forward, and Red Hat is helping to lead the way.