Last Updated Mar 25, 2015 — App Management expert
App Management

A major focus in security is preventing system intrusion resulting from vulnerabilities in the software running on it. However an equally important consideration is mitigation and isolation – if an attacker is successfully able to compromise a single node in a system, how do you prevent the attack from spreading? Isolating a complex system into components that are fire-walled from each other (either via software or hardware) ensures that the attack surface of any given component is limited, and that a weakness in one component does not compromise the rest. In the age of ‘the cloud’, the traditional approach for servers has been to use virtual machines as a means of partitioning one physical machine into smaller logical units. While this is a tried and tested solution, it is far from ideal. Each virtual machine requires a complete filesystem, virtualized RAM and an entire operating system. In addition there is the overhead of the virtualization environment/hypervisor as well as the instruction translation layer between the virtualized kernel and the host kernel.

LXC Security Approach

Linux containers (LXC) takes a different approach. Dubbed an ‘operating-system level virtualization’ technology, containers actually share the same kernel as the host. Features such as kernel namespaces to restrict any given container’s view of the operating system it runs on, and cgroups allow resource allocations to be dynamically managed to ensure QoS. As with virtualization, containers cannot see processes running on the same kernel outside of its own namespace and have no direct access to real hardware. In mobile things are very different – devices have very limited physical resources (memory, CPU, battery) so no real virtualization solutions have ever come into prominence on these platforms. As these devices have a different usage model to servers, the security concept has been largely focused on ‘app’ sandboxing. In a way, the approach taken by LXC is more similar to sandboxing on mobile devices than virtualization. The ‘app’ can be thought of as a container, while the sandbox stays light by marshaling access to shared resources rather than creating virtualized ones. Another consideration with mobile is that it is much easier for an attacker to gain physical access to the device. In this situation containerization may not be enough – if you have physical access to the container, you can break in. One solution to mitigating this sort of attack is by reducing reliance on the operating system for protection, and additionally protecting what’s inside the container. At Apperian we offer Data At Rest (DAR) encryption as part of our app wrapping technology. Data At Rest ensures that all data persisted to disk by an application is transparently encrypted, ensuring the security of the contents of the container.

Are you ready to scale your enterprise?


What's New In The World of

August 14, 2023

Streamlining Application Development and Deployment for the Financial Services Industry

Enhance financial services with tailored strategies: secure apps, testing, efficient release & monitoring. Read on to learn more!

Learn More
June 23, 2023

Governance and Compliance for DevOps at Scale

Implement a Software Chain of Custody in DevOps for compliance, traceability, and cost reduction. Gain visibility and automate processes with Release & Deploy.

Learn More
April 30, 2020

Mobile Application Management: A Forward View

With the immediate shift to remote workforces and mobile app usage, learn what IT teams must have in place for enterprise systems of mobile apps via a Mobile App Management (MAM) solution for IT…

Learn More