
This post is from the Apperian blog and has not been updated since the original publish date.

Last Updated Mar 25, 2015 — App Management expert

Linux Containers for App Security

App Management

A major focus in security is preventing system intrusion resulting from vulnerabilities in the software running on it. However, an equally important consideration is mitigation and isolation: if an attacker successfully compromises a single node in a system, how do you prevent the attack from spreading? Isolating a complex system into components that are firewalled from each other (either via software or hardware) ensures that the attack surface of any given component is limited, and that a weakness in one component does not compromise the rest.

In the age of ‘the cloud’, the traditional approach for servers has been to use virtual machines as a means of partitioning one physical machine into smaller logical units. While this is a tried and tested solution, it is far from ideal. Each virtual machine requires a complete filesystem, virtualized RAM and an entire operating system. In addition, there is the overhead of the virtualization environment/hypervisor as well as the instruction translation layer between the virtualized kernel and the host kernel.

LXC Security Approach

Linux containers (LXC) take a different approach. Dubbed an ‘operating-system level virtualization’ technology, containers actually share the same kernel as the host. Kernel namespaces restrict any given container’s view of the operating system it runs on, and cgroups allow resource allocations to be dynamically managed to ensure QoS. As with virtualization, a container cannot see processes running on the same kernel outside of its own namespace and has no direct access to real hardware.

In mobile, things are very different. Devices have very limited physical resources (memory, CPU, battery), so no real virtualization solutions have ever come into prominence on these platforms. As these devices have a different usage model to servers, the security concept has been largely focused on ‘app’ sandboxing. In a way, the approach taken by LXC is more similar to sandboxing on mobile devices than to virtualization. The ‘app’ can be thought of as a container, while the sandbox stays light by marshaling access to shared resources rather than creating virtualized ones.

Another consideration with mobile is that it is much easier for an attacker to gain physical access to the device. In this situation containerization may not be enough: if you have physical access to the container, you can break in. One way to mitigate this sort of attack is to reduce reliance on the operating system for protection and to additionally protect what’s inside the container. At Apperian we offer Data At Rest (DAR) encryption as part of our app wrapping technology. Data At Rest ensures that all data persisted to disk by an application is transparently encrypted, ensuring the security of the contents of the container.
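The namespace isolation described above can be audited from the host by comparing the namespace links under /proc/<pid>/ns for a host process and a containerized process. The following is an added example, not code from the original post; the function names are hypothetical and the sample inode values are constructed.

```python
import os
import re

NS_LINK = re.compile(r"^(\w+):\[(\d+)\]$")

# Constructed sample data: readlink output for /proc/<pid>/ns/* of a host
# process and of a process inside a container (inode numbers are made up).
HOST_PROC = ["cgroup:[4026531835]", "ipc:[4026531839]", "mnt:[4026531840]",
             "net:[4026531992]", "pid:[4026531836]", "user:[4026531837]",
             "uts:[4026531838]"]
CONTAINER_PROC = ["cgroup:[4026532512]", "ipc:[4026532448]", "mnt:[4026532446]",
                  "net:[4026531992]", "pid:[4026532449]", "user:[4026531837]",
                  "uts:[4026532447]"]

def parse_ns_links(links):
    """Map namespace type -> inode from 'type:[inode]' link targets."""
    parsed = {}
    for link in links:
        match = NS_LINK.match(link.strip())
        if not match:
            raise ValueError(f"not a namespace link: {link!r}")
        parsed[match.group(1)] = int(match.group(2))
    return parsed

def read_ns_links(pid="self"):
    """Read a live process's namespace links (Linux only, may need root)."""
    base = f"/proc/{pid}/ns"
    names = [n for n in os.listdir(base) if not n.endswith("_for_children")]
    return [os.readlink(os.path.join(base, n)) for n in sorted(names)]

def shared_namespaces(host, container):
    """Return the namespace types in which the container is NOT isolated.

    Two processes are in the same namespace when the inode matches. A type
    missing on either side is reported too, since isolation cannot be shown.
    """
    shared = []
    for ns_type in sorted(set(host) | set(container)):
        if ns_type not in host or ns_type not in container:
            shared.append(ns_type)
        elif host[ns_type] == container[ns_type]:
            shared.append(ns_type)
    return shared

if __name__ == "__main__":
    host = parse_ns_links(HOST_PROC)
    container = parse_ns_links(CONTAINER_PROC)
    # The sample container shares the host's network and user namespaces.
    print("not isolated from host:", shared_namespaces(host, container))
```

On a live Linux host, pass `read_ns_links(1)` and `read_ns_links(<container pid>)` through `parse_ns_links` in place of the sample lists.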
