The Race for Security: Can VMs and Containers Really Compete?

Although their architectures differ greatly, virtual machines (VMs) and containers both package software so that it runs the same way when moved from one computing environment to another. Some have predicted that containers will displace VMs, but until container isolation matures to the point where it protects data as strongly as a VM boundary does, the two technologies will remain complementary.

Containers have real advantages over virtual machines: they are more lightweight, start faster and use fewer resources. The crucial obstacle to their adoption in production environments is security, and it is a big one.

Individual vs. Shared

The two technologies differ in how many operating systems end up running on a host. Each VM carries its own guest operating system, kernel included, on top of the hypervisor. A server running three VMs therefore runs three separate kernels.

A container does not run an operating system of its own. It is a group of processes on the host, separated from other containers by kernel namespaces and cgroups while sharing the single host kernel. This is far more efficient than full hardware virtualization. The downside is that the shared kernel, with its large system-call surface, is reachable from inside every container: an attacker who compromises one container and then exploits a kernel bug, or a misconfiguration such as a privileged container, a bind-mounted host filesystem or an exposed Docker socket, lands on the host with access to every other container on it. Breaking out of a VM requires a flaw in the much narrower hypervisor interface, so a compromised VM usually stays isolated.

D.I.Y vs Dependent

Containers are a prime example of “do-it-yourself” technology. Anyone, not just the IT team, can build and run one. That simplifies moving software between environments and cuts the time needed to develop and deploy it. The flip side is that images are often assembled by people who are not security experts, so containers frequently ship without appropriate hardening.

A VM requires a more elaborate set-up and takes longer to assemble. It usually takes several people to build, configure and run one, which creates more control gates for assessment but also longer processes and lower capacity. Management software, such as VMware's, can maintain a large estate of VMs and gives operators a much broader and more mature set of security controls.
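The escape paths named above (privileged mode, host mounts, the Docker socket) and the “not hardened appropriately” problem are both visible in a container's launch configuration, so the first check a practitioner wants is an audit of that configuration. The script below is an added example written for this article, not Aqua's or Scalock's code. It assumes the JSON shape of `docker inspect` output (the `Config.User`, `Config.Image` and `HostConfig.*` fields it reads are real Docker fields); the two sample records, the container name and the image references are constructed for the example.

```python
"""Audit container launch configuration for the hardening gaps this article warns about."""
import json
from typing import Any, Dict, List, Tuple

# Constructed sample records in the shape of `docker inspect <container>` output
# (a JSON list of container objects). The container name, image names and host
# paths are made up for this example.
WEAK_INSPECT = json.dumps([{
    "Id": "0123abcd",
    "Name": "/build-agent",
    "Config": {"User": "", "Image": "buildagent:latest"},
    "HostConfig": {
        "Privileged": True,
        "CapAdd": ["SYS_ADMIN"],
        "CapDrop": [],
        "ReadonlyRootfs": False,
        "PidMode": "host",
        "SecurityOpt": [],
        "Binds": ["/:/host", "/var/run/docker.sock:/var/run/docker.sock"],
    },
}])

# The same container after hardening (constructed): non-root user, image pinned by
# digest, all capabilities dropped, read-only root filesystem, no host mounts.
HARDENED_INSPECT = json.dumps([{
    "Id": "0123abcd",
    "Name": "/build-agent",
    "Config": {"User": "10001:10001", "Image": "buildagent@sha256:" + "a" * 64},
    "HostConfig": {
        "Privileged": False,
        "CapAdd": [],
        "CapDrop": ["ALL"],
        "ReadonlyRootfs": True,
        "PidMode": "",
        "SecurityOpt": ["no-new-privileges"],
        "Binds": ["/srv/work:/work:ro"],
    },
}])

# Host paths that, when bind-mounted, hand the container the host's filesystem,
# its process table or control of the container runtime itself.
DOCKER_SOCKET = "/var/run/docker.sock"
SENSITIVE_HOST_PATHS = ("/proc", "/sys", "/etc", "/root", "/dev", "/var/lib/docker")


def _is_root_user(user: str) -> bool:
    # Docker runs the process as root when User is empty, "root", "0" or "0:<gid>".
    uid = user.split(":")[0]
    return uid in ("", "root", "0")


def _is_sensitive_mount(src: str) -> bool:
    if src == "/":
        return True
    return any(src == p or src.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def audit(inspect_json: str) -> List[Tuple[str, str]]:
    """Return (rule, detail) findings for every container in the inspect output."""
    data: Any = json.loads(inspect_json)
    containers = data if isinstance(data, list) else [data]
    findings: List[Tuple[str, str]] = []
    for c in containers:
        name = c.get("Name") or c.get("Id", "?")
        cfg: Dict[str, Any] = c.get("Config") or {}
        hc: Dict[str, Any] = c.get("HostConfig") or {}

        if hc.get("Privileged"):
            findings.append(("PRIVILEGED", f"{name}: all capabilities and host devices; a kernel bug here is a host compromise"))
        if _is_root_user(cfg.get("User") or ""):
            findings.append(("ROOT_USER", f"{name}: runs as uid 0; set a non-root USER in the image or pass --user"))
        for cap in hc.get("CapAdd") or []:
            findings.append((f"CAP_ADD:{cap}", f"{name}: extra capability {cap} granted"))
        if "ALL" not in (hc.get("CapDrop") or []):
            findings.append(("CAPS_NOT_DROPPED", f"{name}: default capability set kept; use --cap-drop=ALL and add back only what is needed"))
        if hc.get("PidMode") == "host":
            findings.append(("HOST_PID", f"{name}: shares the host PID namespace"))
        for bind in hc.get("Binds") or []:
            src = bind.split(":")[0]
            if src == DOCKER_SOCKET:
                findings.append(("DOCKER_SOCKET", f"{name}: {src} mounted; equivalent to root on the host"))
            elif _is_sensitive_mount(src):
                findings.append((f"HOST_MOUNT:{src}", f"{name}: host path {src} mounted into the container"))
        if not hc.get("ReadonlyRootfs"):
            findings.append(("WRITABLE_ROOTFS", f"{name}: root filesystem writable; use --read-only with a tmpfs for scratch space"))
        if not any(o.startswith("no-new-privileges") for o in hc.get("SecurityOpt") or []):
            findings.append(("NO_NEW_PRIVS_MISSING", f"{name}: setuid binaries can still raise privileges; add --security-opt no-new-privileges"))
        if "@sha256:" not in (cfg.get("Image") or ""):
            findings.append(("MUTABLE_TAG", f"{name}: image {cfg.get('Image')} pulled by tag, not digest; its contents can change underneath you"))
    return findings


if __name__ == "__main__":
    for label, record in (("weak", WEAK_INSPECT), ("hardened", HARDENED_INSPECT)):
        results = audit(record)
        print(f"== {label}: {len(results)} finding(s)")
        for rule, detail in results:
            print(f"  [{rule}] {detail}")
```

Run against real output with `docker inspect <container> | python3 audit.py`-style piping after swapping the constructed samples for `sys.stdin.read()`. The weak record produces ten findings; the hardened one produces none. Each rule maps to a single `docker run` flag or Dockerfile line, which is the point: hardening a container is cheap and repeatable once the check is written down, so nothing prevents it from being applied even to containers that live for seconds.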

Short vs. Long Lifecycles

VMs have a longer lifecycle than containers: they take longer to deploy and then stay in service for much longer. Consequently, VMs are usually built with a level of security meant to last that lifecycle.

Containers, with much shorter lifecycles, are far more dynamic in use. They take less time to implement, operate and monitor and can quickly change direction and function. This is a large part of their appeal, and it means they are often used for small, short tasks that need the container for hours, minutes or even seconds. Unfortunately, the time traditionally spent securing a workload after it is deployed would exceed the time such a container exists, so that step is often skipped, leaving containers far more exposed to attack. Seconds are enough for an exposed vulnerability to be found and exploited, which is why security for containers has to move earlier, into the image build and the launch configuration, where it is done once and applied to every instance.

Mobile vs. Static

Containers were named for their most attractive feature: their ability to be easily “shipped.” Containers are far more mobile than VMs because they can launch and run applications within seconds, whether on site or in a private or public cloud. Moving these computing environments becomes second nature rather than a time-consuming hurdle. This reduces the cost of running and transferring new technologies, but it complicates the security measures needed to protect such workloads.

VMs have a more complex framework, which makes them harder to move between environments. This controlled status allows for security that has been developed, tested and exercised over a long time. Because VMs are static, they are more predictable and therefore easier to control and secure.

Security is the Next Step for Containers

Although VMs have been around for longer, and over time have solidified security practices and tightened processes, containers' unique advantages mean they are here to stay, as their lightning-fast adoption to date shows. How much of the VM share they will take over, as opposed to expanding the market, remains to be seen. For now the two technologies are complementary: VMs provide secure environments and containers (currently) provide portable ones. But the security shortcomings of containers are quickly being overcome by newly developed container security solutions, such as Scalock.

Dror Davidoff

Dror is the Co-Founder and CEO at Aqua. Dror has more than 20 years of experience in sales management, marketing, and business development in the enterprise software space. He has held executive positions at several emerging IT security and analytics companies. Before co-founding Aqua in 2015, he headed up global sales of Database Security Products at McAfee (Intel Security), and prior to that was EVP of Sales and Business Development at Sentrigo where he led its fast market share increase. Dror holds an MBA in Finance from City University of New York and a BA in Economics. He likes to start his day with an early morning swim in the Mediterranean.