A secure container is a lightweight, executable software package that has been isolated from other software or processes running on the same virtual or physical host. The purpose of containerization (also known as sandboxing) is to prevent intruders and malicious code from interacting with other applications and data in an unauthorized manner.
For example, in a mobile security context, a secure container might consist of a logical area of an employee's smartphone in which corporate applications and data are isolated from the owner's personal data and apps. This approach to using secure containers in mobile device management (MDM) is also known as dual persona.
Today, security and isolation concerns for containers are a top priority for industry vendors who have split their applications into services and microservices. Strategies for keeping containers secure include reducing the attack surfaces in container images, avoiding the use of public container images and implementing role-based access controls (RBAC) to limit privileges.
Container security strategies seek to limit what a container root user can do outside the container or the host on which the container runs. While most of the best-known techniques in container security restrict attackers' access to hosts and other back-end systems from compromised container instances, experts warn that prevention of unauthorized access to application programming interfaces (APIs) is critical, too.
The market for secure container tools is still emerging and selection and finding the right tool can be difficult, especially when large security and DevOps teams share responsibility for containerized applications. For example, the decision for whether to use Trend Micro or Twistlock may boil down to whether the customer prefers to have container security be a feature set of a more comprehensive security information and event management (SIEM) product or remain a dedicated product that is the sole focus of the security vendor's expertise.