VMs vs. containers: Which is better for security?

These tools are not equivalent, so a direct security comparison is not an apples-to-apples comparison. Comparing VMs with containers for security means comparing different tool sets, vastly different security models and entirely different orchestration ecosystems. The answer also depends on the particular use case.
The salient questions become instead: What security properties does each have? And how is each used in furtherance of security goals? Some explanation -- and a deeper dive under the hood -- helps practitioners consider how these tools fit into their organization's risk profile.
OS virtualization security
Between the virtual data center, hybrid cloud and IaaS, most technology and security practitioners have experience with OS virtualization. A key feature of OS virtualization is the strong segmentation boundary -- both between virtual hosts and between any given virtual host and the hypervisor. Each guest runs its own kernel, and the hypervisor mediates the guest's access to CPU, memory and devices, so compromising one guest does not by itself yield control of its neighbors or of the host.
There are some potential security downsides. Management issues may arise,
particularly at scale. Issues such as undesired proliferation of images and
The ease with which developers and engineers can virtualize and migrate existing physical devices cuts both ways. Migrating those devices onto a hypervisor can bolster their security in the process, but in a poorly managed environment the same ease means problematically configured hosts popping up in unexpected places at unexpected times. Over time, artifacts collect on virtual images even in a highly disciplined environment: out-of-date operating systems, legacy middleware and old software libraries are common culprits.
Container security
Application containers, by contrast, have different properties, some of which bolster security and -- depending on usage -- some that can undermine it. A key property of containers is a more porous segmentation boundary relative to OS virtualization: all containers on a host share one kernel, and the boundary between them is assembled from kernel features (namespaces, cgroups, capabilities, seccomp filters and LSM policies) rather than enforced by a hypervisor. A kernel vulnerability reachable from inside a container is therefore a vulnerability in the boundary itself, and the capabilities a container is granted determine how much of the shared kernel it can reach.
applicability for some situations. For example, a security team might decide against deploying a high-security application as a container in a multi-tenant environment.
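One concrete way to see how porous a given container's boundary is: read the capability bitmasks the kernel reports in /proc/<pid>/status for a process inside the container and decode them. The script below is an added example, not code from the original article or from any container runtime. It assumes the Linux capability numbering from linux/capability.h, and the sample status excerpts it embeds are constructed for illustration; the 0xa80425fb mask is the default effective capability set Docker gives a root process, 0x1ffffffffff is every capability through CAP_CHECKPOINT_RESTORE (what --privileged yields), and the all-zero mask is what --cap-drop ALL with a non-root user leaves. The list of "boundary-crossing" capabilities is this example's own judgement call, not a standard.

```python
"""Decode Linux capability masks from /proc/<pid>/status and flag the ones that
let a containerized process reach past its namespaces into the shared kernel.

Added example; the sample status excerpts below are constructed, not captured.
"""
from __future__ import annotations

import os

# Capability bit numbers from include/uapi/linux/capability.h (0..40 as of Linux 5.9).
CAPABILITIES: dict[int, str] = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH", 3: "CAP_FOWNER",
    4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID", 7: "CAP_SETUID", 8: "CAP_SETPCAP",
    9: "CAP_LINUX_IMMUTABLE", 10: "CAP_NET_BIND_SERVICE", 11: "CAP_NET_BROADCAST",
    12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW", 14: "CAP_IPC_LOCK", 15: "CAP_IPC_OWNER",
    16: "CAP_SYS_MODULE", 17: "CAP_SYS_RAWIO", 18: "CAP_SYS_CHROOT", 19: "CAP_SYS_PTRACE",
    20: "CAP_SYS_PACCT", 21: "CAP_SYS_ADMIN", 22: "CAP_SYS_BOOT", 23: "CAP_SYS_NICE",
    24: "CAP_SYS_RESOURCE", 25: "CAP_SYS_TIME", 26: "CAP_SYS_TTY_CONFIG", 27: "CAP_MKNOD",
    28: "CAP_LEASE", 29: "CAP_AUDIT_WRITE", 30: "CAP_AUDIT_CONTROL", 31: "CAP_SETFCAP",
    32: "CAP_MAC_OVERRIDE", 33: "CAP_MAC_ADMIN", 34: "CAP_SYSLOG", 35: "CAP_WAKE_ALARM",
    36: "CAP_BLOCK_SUSPEND", 37: "CAP_AUDIT_READ", 38: "CAP_PERFMON", 39: "CAP_BPF",
    40: "CAP_CHECKPOINT_RESTORE",
}

# This example's choice of capabilities that amount to a boundary crossing when a
# container holds them: mount/admin, module loading, raw device or memory access,
# tracing other processes, reconfiguring the network stack, BPF, reboot.
BOUNDARY_CROSSING = frozenset({
    "CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_PTRACE",
    "CAP_NET_ADMIN", "CAP_DAC_READ_SEARCH", "CAP_BPF", "CAP_SYS_BOOT",
})

# Constructed /proc/<pid>/status excerpts (only the lines this script cares about).
SAMPLE_DEFAULT_CONTAINER = ("Name:\tsh\nCapPrm:\t00000000a80425fb\n"
                            "CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n")
SAMPLE_PRIVILEGED = "Name:\tsh\nCapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\n"
SAMPLE_HARDENED = "Name:\tsh\nCapEff:\t0000000000000000\nCapBnd:\t0000000000000000\n"


def decode_caps(mask_hex: str) -> list[str]:
    """Return the capability names whose bits are set in a hex mask such as '00000000a80425fb'."""
    mask = int(mask_hex, 16)
    names = [name for bit, name in CAPABILITIES.items() if (mask >> bit) & 1]
    # Bits beyond the table (a newer kernel) are reported rather than silently dropped.
    unknown = [f"CAP_{bit}" for bit in range(max(CAPABILITIES) + 1, mask.bit_length())
               if (mask >> bit) & 1]
    return names + unknown


def parse_status(status_text: str) -> dict[str, list[str]]:
    """Decode every Cap* line (CapInh, CapPrm, CapEff, CapBnd, CapAmb) in a status file."""
    caps: dict[str, list[str]] = {}
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.startswith("Cap"):
            caps[key] = decode_caps(value.strip())
    return caps


def boundary_risk(names: list[str]) -> list[str]:
    """Return, sorted, the capabilities in `names` that undermine the container boundary."""
    return sorted(set(names) & BOUNDARY_CROSSING)


def assess(status_text: str) -> dict[str, object]:
    """Summarise the effective capability set and its boundary-crossing subset."""
    effective = parse_status(status_text).get("CapEff", [])
    return {
        "effective_count": len(effective),
        "boundary_crossing": boundary_risk(effective),
        "is_privileged": len(effective) == len(CAPABILITIES),
    }


if __name__ == "__main__":
    samples = {
        "default container": SAMPLE_DEFAULT_CONTAINER,
        "--privileged": SAMPLE_PRIVILEGED,
        "--cap-drop ALL": SAMPLE_HARDENED,
    }
    # On Linux, also assess the process running this script (host or container).
    if os.path.exists("/proc/self/status"):
        with open("/proc/self/status", encoding="utf-8") as fh:
            samples["this process"] = fh.read()
    for label, text in samples.items():
        print(f"{label:>18}: {assess(text)}")
```

Run it inside a container with `docker exec <id> python3 caps.py` (or copy the CapEff line out of `/proc/1/status` and feed it to `decode_caps`) to compare what the runtime actually granted against what the workload needs; anything in the boundary-crossing list is a reason to drop capabilities or move the workload to a VM.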
That said, there can be security advantages depending on what you're trying to do -- just like with OS virtualization, there are pros as well as cons. The use of containers fosters a mentality of eliminating old containers and redeploying fresh ones. They aren't used long enough to develop personality. In the OS virtualization world, instances can live long enough to get stale: collecting backup files, old software artifacts and configuration tweaks are a few examples.

By contrast, a container will almost certainly be torn down and rebuilt when changes need to be made, which is itself a security benefit: a fix lands in the image, and every running instance is replaced rather than patched in place. Beyond this, don't underestimate the security value of being able to split application components or services that would otherwise share one virtual or physical device into separately isolated containers. This adds value to a broader, security-aware microservices-based deployment model.
The point is, to compare VMs vs. containers and ask "which is more secure" is a
bit like asking "which is more useful: a hammer or a banana?" It depends
entirely on the usage context. The banana makes for a better breakfast, but
don't try to hammer in a nail with it.
© 2019 TechTarget. No part of this publication may be transmitted or reproduced in any form or by any means without written permission from the publisher.