Andrea Danti - Fotolia

Container security tools abound, but IT pros await big vendors

Container security startups peddle unique approaches, but while some early adopters jump on board with fledgling vendors, a majority will watch for industry consolidation first.

Security tools will be crucial to production container deployments at enterprises, but IT pros face a Catch-22 with vendors: Early stage startups offer innovation, but traditional products still hold their trust.

Some large enterprises are intent to deploy containers in production and won't wait for big companies to update existing products or buy smaller container security toolmakers. But much of the enterprise IT market will remain on the sidelines until those things happen, which will slow the march of container adoption overall.

Industry analysts said they're surprised the big fish in the IT security market have yet to swallow up more than a dozen container security startups that have emerged in the last year.

"I thought we wouldn't leave the Black Hat conference last year without a couple of cloud and virtualization security companies being purchased, but most were not," said IDC analyst Sean Pike. "I expect to see buying happening later on this year."

An exception to this slow consolidation pattern is Tenable Network Security, which acquired container security toolmaker FlawCheck in 2016. Tenable's Nessus platform was already in use at enterprises such as ServiceMaster, based in Memphis, Tenn. ServiceMaster already used Tenable's IT security tools to monitor its network infrastructure before it adopted containers, and it added FlawCheck in 2017 for container image scanning.

"They brought FlawCheck to us," said Thomas Davis, ServiceMaster's director of security. ServiceMaster was willing to take the plunge based on trust it had built up in Tenable's other products. Davis evaluated container security tools from stand-alone vendors, such as Aqua Security and NeuVector -- which include runtime protection that monitors container network behavior for malicious actions -- but didn't adopt them.

Instead, ServiceMaster established an immutable infrastructure approach to its container deployment, in which entire container pools are spun up and torn down for each change. This immutable infrastructure approach places an emphasis on sound design of container images before deployment, rather than behavior monitoring over time.

Deepfence, Layered Insight tout better container security mousetraps

If it's just a Docker[-based] microservice, the scale at which we can use that will eventually be phased out.
Vivek Shrivastavasenior vice president of engineering, Société Géneralé Global Solution Center

Container security startups have made some inroads among enterprises, even if the bulk of the market is wary. Société Générale Global Solution Center (GSC), a subsidiary of the French financial company based in Bangalore, India, focused on application development and new technologies, has some 6,000 employees in IT, and launched one of the largest global deployments of Docker Enterprise Edition container orchestration this month. Soon, it will deploy a tool from Deepfence Inc. into production. Deepfence emerged from stealth in February 2018.

GSC evaluated Docker's Security Scanning feature for static image analysis, but wanted a runtime container security tool, as well. And the firm was puzzled to find Docker security products didn't include a container runtime security tool. Deepfence, which offers both image scanning and runtime container security tools, was the next best thing, said Vivek Shrivastava, GCS's senior vice president of engineering.

"You can have both image and runtime security built in as part of Deepfence," he said. "Otherwise, you keep looking for different ways to solve different problems in security."

Deepfence container security tool
The Deepfence container security interface.

Other vendors* also perform both image scans and runtime container security analysis, but Shrivastava favored Deepfence's architectural design. The Deepfence product uses a sidecar container that runs in user space when it monitors other containers and isn't dependent on kernel modules to do that monitoring, which Shrivastava said he believes will reduce performance overhead on each host.

Deepfence combines a rules-based container security tool with an AI technique called semantic patching to identify zero-day attacks, as opposed to a method which focuses on AI to identify anomalous container behavior.

Another container security tool provider, Layered Insight, touts an even less kernel-intensive approach -- one that injects security into container images without requiring any privileged access to the host. Layered Insight came out of stealth in late 2017 and has just closed its first two customer deals, company officials said. Layered Insight also claims its integration with DevOps pipeline tools makes the injection of container security code transparent to application developers.

Deepfence and Layered Insight have yet to earn enterprise trust, but Layered Insight's approach may be a better fit for hosted container environments, such as AWS Fargate, in the long run, said 451 Research analyst Fernando Montenegro.

"How will a sidecar approach behave in an environment where you don't have access to the host, such as AWS Fargate?" Montenegro asked.

Some IT ops pros favor the sidecar architecture because it gives them more control at the infrastructure level, but developers ultimately don't care about infrastructure, and ops and security teams must adapt to that reality, he said.

GSC's Shrivastava said his company is on its way to a full container conversion, but that will take years. In the meantime, he said he would like to explore using Deepfence on applications that don't run in containers.

"If it's just a Docker[-based] microservice, the scale at which we can use that will eventually be phased out," Shrivastava said. 

*Editors note: An earlier version of this story erroneously implied that other vendors’ architectures depend upon kernel modules and do not use sidecar containers. It also erroneously stated that the Deepfence product does not support non-container workloads; it does through an API interface, according to Deepfence CEO Sandeep Lahane. 

Dig Deeper on Containers and virtualization

Software Quality
App Architecture
Cloud Computing
Data Center