Secure Containers     


Secure Containers - overview

Containers have become a platform of choice for most modern application. As container adoption moves to production environments, container security becomes greater and greater concern.

Containers have for long been considered a less secure virtualization option compared to virtual machines. One intrinsic property of containers that makes this concern valid is the size of the interface between a container and a host kernel: this interface is large and therefore very hard to secure. Other security concerns are related to the maturity of the technology and the fact that security tools and processes have not kept up with container evolution and adoption.

On the other hand, containers offer unique new opportunities to simplify and strengthen security and compliance management. These opportunities come from light-weight packaging and transparency. Containers facilitate the implementation of DevSecOps model by fostering runtime immutability and allowing security checks to be moved to the DevOps tool chain. They allow decoupling of security functions from applications, moving these security functions to the platform where they are offered in a built in and tamper proof manner.

Considering these advantages, it not hard to imagine containers becoming technology of choice not just for their portability and agility, but even more so for their impact on security and compliance. Our research explores this opoortunity and aims to make container platforms the most secure place to run high-value data-driven applications.

We research technologies in the following areas:

  • Deep container visibility and analytics
  • Techniques to audit and enforce container integrity
  • Strong container isolation
  • Container content protection via encryption and image signing
  • Techniques to reduce the attack surface on the kernel and a container
  • Software and hardware enclave techniques for container privacy
  • Container trusted identity and identity-based data fencing

Many of our technologies are developed as open source projects in collaboration with communities. Here are some examples: