Edera’s Big Container Security Question: Am I Isolated?
Kubernetes security company Edera has announced an open-source container security benchmark that probes users’ runtime environments and tests for container isolation. The emotively named Am I Isolated is essentially a security posture grading and measurement tool.
Still a work in progress, with prototyping and development yet to come (one reason the project is open source), Am I Isolated evaluates a given runtime environment and looks for properties of the container's execution context that could represent a security problem. Where it has the background knowledge to do so, it also suggests how to fix the problem it found.
Written in Rust, Am I Isolated scans the container runtime from the inside: it runs as a container itself and inspects the isolation the runtime has actually granted it. Where it detects gaps in a user's runtime isolation, it also provides guidance on configuring the environment for stronger isolation guarantees.
Container Runtime Isolation, Why Bother?
Now an accepted part of DevOps and platform engineering workflows, container runtime isolation is the practice of separating a container's processes from the host operating system and from the other workloads executing on the same machine, so that code running in one container cannot tamper with the host or with its neighbours.
Why is that useful? First, it is a basic robustness check on the system. Second, development teams commonly get a container's structure and function working first… and worry about security considerations afterward, so a tool that measures isolation after the fact catches what was skipped. Third (the list could go on, but let's stop here for now), constraining each container's use of resources such as CPU, memory and system calls lays the ground for a cleaner architectural model that can be scaled upwards in the future.
Containing Container Escapes
“The threat of container escapes is resulting in millions in lost revenue for enterprises. Companies are either spending unnecessary dollars running separate Kubernetes environments for untrusted containers or they’re using too many expensive and antiquated tools that don’t solve anything,” said Emily Long, co-founder and CEO at Edera. “It’s time to change the way containers are run and secured and that means solving for escapes. Visibility into your level of vulnerability is the first step. We’re excited to bring this tool to our customers and the community at large.”
Edera's own platform, as distinct from the scanner, uses a type 1 hypervisor to isolate individual containers, which the company says is a first and which it claims lets companies realize the original promise of Kubernetes and move quickly to run GPUs for emerging AI workloads. Instead of running containers in Linux namespaces, Edera's platform treats each container as a virtual machine guest: there is no shared kernel state between containers, and a memory-safe Rust control plane further secures the workloads.
Better Blast Radius
“Containers are ‘just processes on a host’, so isolation is critical to workload and multi-tenancy security because it limits the blast radius of container escapes and security incidents. Am I Isolated also probes for ambient privileges and common misconfigurations made by DevOps teams and platform engineers when setting up their containerized applications or container runtime environments. It provides ongoing testing against container escape techniques,” notes Long and team, in a press statement.
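The probing the article describes, both the resource and syscall isolation discussed under "Container Runtime Isolation, Why Bother?" and the ambient-privilege checks mentioned in the statement above, can be illustrated with a small self-contained scanner. The following is an added example written for this page, not code from Edera or from Am I Isolated. It assumes a Linux kernel (it reads /proc/self/status, the kernel's own report on the calling process) and uses Docker's documented default capability mask 0xa80425fb as a baseline; the list of watched capabilities, the severities, and the two sample status files are the author's constructed choices for illustration.

```rust
// Added example, not Edera's code: a minimal Linux container-isolation probe that
// reads the kernel's view of the calling process from /proc/self/status and flags
// ambient privilege. Capability list, severities and the Docker default mask used
// for comparison are the author's illustrative choices.
use std::collections::HashMap;
use std::fs;

// Capability bit numbers from <linux/capability.h>.
const CAP_NET_ADMIN: u32 = 12;
const CAP_SYS_MODULE: u32 = 16;
const CAP_SYS_PTRACE: u32 = 19;
const CAP_SYS_ADMIN: u32 = 21;
// Effective capability mask of a default (non --privileged) Docker container.
const DOCKER_DEFAULT_CAPS: u64 = 0x0000_0000_a804_25fb;

// Constructed samples (not captured from a real host): /proc/self/status as it
// looks inside a --privileged container and inside a hardened one.
pub const PRIVILEGED_SAMPLE: &str =
    "Name:\tprobe\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\nNoNewPrivs:\t0\nSeccomp:\t0\n";
pub const HARDENED_SAMPLE: &str =
    "Name:\tprobe\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\nNoNewPrivs:\t1\nSeccomp:\t2\n";

#[derive(Debug, Clone, PartialEq)]
pub struct Finding {
    pub severity: &'static str, // "high", "medium" or "low"
    pub message: String,
}

fn mk(severity: &'static str, message: String) -> Finding {
    Finding { severity, message }
}

/// Parse the "Key:<tab>value" lines of /proc/self/status into a map.
pub fn parse_status(text: &str) -> HashMap<String, String> {
    text.lines()
        .filter_map(|line| line.split_once(':'))
        .map(|(k, v)| (k.trim().to_string(), v.trim().to_string()))
        .collect()
}

/// Evaluate a parsed status map and return the isolation gaps it reveals.
pub fn assess(status: &HashMap<String, String>) -> Vec<Finding> {
    let mut findings = Vec::new();
    // CapEff is the effective capability set, printed as a hex bitmask.
    let cap_eff = status.get("CapEff").and_then(|v| u64::from_str_radix(v, 16).ok()).unwrap_or(0);
    let watched = [
        (CAP_SYS_ADMIN, "CAP_SYS_ADMIN", "high"),
        (CAP_SYS_MODULE, "CAP_SYS_MODULE", "high"),
        (CAP_SYS_PTRACE, "CAP_SYS_PTRACE", "medium"),
        (CAP_NET_ADMIN, "CAP_NET_ADMIN", "medium"),
    ];
    for (bit, name, severity) in watched {
        if cap_eff & (1u64 << bit) != 0 {
            findings.push(mk(severity, format!("{} is in the effective capability set", name)));
        }
    }
    if cap_eff & !DOCKER_DEFAULT_CAPS != 0 {
        findings.push(mk("low", "effective capabilities exceed Docker's default set".into()));
    }
    // Seccomp: 0 = disabled, 1 = strict, 2 = filter (the normal container case).
    if status.get("Seccomp").map(String::as_str) == Some("0") {
        findings.push(mk("medium", "Seccomp is 0: no syscall filter is applied".into()));
    }
    // NoNewPrivs = 0 lets setuid and file-capability binaries raise privilege on execve.
    if status.get("NoNewPrivs").map(String::as_str) == Some("0") {
        findings.push(mk("low", "NoNewPrivs is 0: execve can regain privilege".into()));
    }
    // Uid lists real, effective, saved and filesystem uid; the second is effective.
    if status.get("Uid").and_then(|v| v.split_whitespace().nth(1)) == Some("0") {
        findings.push(mk("medium", "process runs with effective uid 0".into()));
    }
    findings
}

/// Worst severity among the findings, or None when the probe found nothing.
pub fn highest_severity(findings: &[Finding]) -> Option<&'static str> {
    let rank = |s: &str| match s { "high" => 3, "medium" => 2, _ => 1 };
    findings.iter().max_by_key(|f| rank(f.severity)).map(|f| f.severity)
}

fn report(label: &str, text: &str) {
    let findings = assess(&parse_status(text));
    println!("{}: worst = {:?}", label, highest_severity(&findings));
    for f in &findings {
        println!("  [{}] {}", f.severity, f.message);
    }
}

fn main() {
    report("privileged sample", PRIVILEGED_SAMPLE);
    report("hardened sample", HARDENED_SAMPLE);
    // Now the real thing: the container (or host) this binary is running in.
    match fs::read_to_string("/proc/self/status") {
        Ok(text) => report("this process", &text),
        Err(e) => eprintln!("cannot read /proc/self/status (Linux only): {}", e),
    }
}
```

The two constructed samples bracket the range: the privileged one trips every check, the hardened one trips none, and a stock Docker container (root, default capabilities, seccomp filter on, NoNewPrivs off) lands in between with only medium and low findings. Building the binary and running it under the same runtime with and without `--privileged` makes the difference in ambient privilege visible in the "this process" section, which is the measurement the article's tool is aiming to make routine.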
Edera can be used anywhere users run their containers (public cloud, private cloud and on-premises) and doesn’t require virtualization extensions or custom infrastructure. Am I Isolated is free and open source and can be downloaded on Edera’s GitHub.