Understanding Security Implications of Using Containers in the Cloud

Container technology is being adopted as mainstream platform for IT solutions because of high degree of agility, reusability and portability it offers. It is well-suited for achieving faster release cycle through DevOps model. However, there are challenges to address for successful adoption. First, it is difficult to establish the full pedigree of images downloaded from public registries. Some might have vulnerabilities introduced unintentionally through rounds of updates by different users. Second, non-conformance to immutable software deployment policies, such as those promoted by DevOps principles, introduces vulnerabilities and loss of control over deployed software. In this study, we investigate containers deployed in a production cloud to derive a set of recommended approaches to address these challenges. Our analysis reveals evidence that (i), images of unresolved pedigree have introduced vulnerabilities to containers belonging to third parties; (ii), updates to live public containers are common, defying the tenet that deployed software is immutable; and (iii), scanning containers and images alone is insufficient to eradicate vulnerabilities from public containers. We advocate for better systems support for tracking image provenance and resolving undesired changes to containers, and propose practices that container users should adopt to limit the vulnerability of their containers.

By: Byungchul Tak, Canturk Isci, Sastry Duri, Nilton Bila, Shripad Nadgowda, James Doran

Published in: RC25651 in 2017


This Research Report is available. This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties). I have read and understand this notice and am a member of the scientific community outside or inside of IBM seeking a single copy only.


Questions about this service can be mailed to reports@us.ibm.com .