Hi security professionals,
Both Containers and Virtual Machines are software technologies that run in a virtualized environment. What are the differences between the two?
Are there unique security challenges associated with each technology?
Mainly, VMs are a "heavier" way (in terms of size, startup time and support), while containers are a more "lightweight" and modern technology. But VMs can handle some scenarios that containers cannot support. Also, VMs are theoretically more secure, because they provide a lower layer of isolation (hypervisor level). But you can implement a proper level of security with both approaches.
Mainly, in 99% of cases, I would recommend using containers instead of VMs.
If you are talking about the difference between VMs in the sense of Virtual Machines (e.g. guest machines) vs. containers (Docker, OpenShift, etc.), then there are multiple differences.
A VM is a virtual machine, which means its own OS and CPU/disk resources; it's a "heavier" configuration than a container, but in some cases it uses the same security and IT guidelines as bare-metal servers, and in other cases it requires a dedicated security approach.
Containers take VMs to the next evolution: not only do they abstract the physical requirements into virtual resources (the way a VM operates), but they enable deeper virtualization of environments (OS + resources + apps + support environments, etc.) into a container unit managed by a master unit, with separation of environments for operational and security concerns. Containers also complement advanced application configurations such as microservices.
Leading VM vendors now support VM and containers on the same virtual system.
Security-wise, the challenges differ:
VMs:
1. There is a need to support East-West traffic in the virtual switch.
2. Micro-segmentation should be utilized, since macro-segmentation (VLAN) is usually not scalable or simply can't support the security requirements of a highly virtualized environment.
Containers:
1. Inter- and intra-container threat analysis and security governance are required.
2. Nano-level segmentation (container level) is required.
https://docs.microsoft.com/en-... - here is a simple 1 pager that describes it.
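As an added illustration of the "nano-level segmentation (container level)" point above, and not code from the answer's author, here is what container-level micro-segmentation looks like on a Kubernetes-based platform such as OpenShift, using the native NetworkPolicy object. It assumes a cluster whose CNI plugin actually enforces NetworkPolicy (not every network plugin does); the namespace `shop` and the labels `app=frontend` / `app=backend` are constructed for the example.

```yaml
# Added example (not from the original answer). Assumes a Kubernetes/OpenShift
# cluster whose CNI plugin enforces NetworkPolicy; the namespace "shop" and the
# labels app=frontend / app=backend are constructed for illustration.
#
# 1) Default-deny: with no policy selecting a pod, that pod accepts all
#    east-west traffic. Selecting every pod (empty podSelector) and listing
#    no ingress/egress rules blocks all traffic to and from them.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: shop
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
---
# 2) Explicit allow: only pods labelled app=frontend may reach app=backend,
#    and only on TCP/8080. Policies are additive, so this carves a single
#    permitted path out of the default deny above.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-allow-from-frontend
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080
---
# 3) The frontend needs the matching egress rule, plus DNS towards
#    kube-system (UDP/TCP 53); otherwise name resolution breaks as soon as
#    egress is default-denied, which is the most common rollout mistake.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: frontend-egress
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: frontend
  policyTypes:
  - Egress
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: backend
    ports:
    - protocol: TCP
      port: 8080
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
```

Apply the three objects with `kubectl apply -f`, then verify from inside the namespace: a connection from an `app=frontend` pod to the backend on port 8080 succeeds, while the same connection from any other pod (or to any other port) times out. The VM-side equivalent of this check is the virtual-switch or micro-segmentation rule set the answer mentions; the difference is that here the enforcement point is the pod label rather than a VLAN or a virtual NIC.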
What are the different types of tools that should be used together in DevSecOps?
What are the specific tools that you like to use when working on your DevSecOps pipeline?
What is essential, and what is a nice-to-have?