One of the most common misconceptions about containers is that they act as lightweight virtual machines (VMs). Containers create an isolation boundary at the application level rather than at the server level. The intent of this isolation is that if anything goes wrong in a single container, it affects only that container and not the whole VM or the whole server. That leads many people to think containers are perfectly isolated—but they’re not. A malicious container can influence the execution of other containers through the common kernel (the core of the operating system) by exploiting a kernel vulnerability or leveraging the privileges of the compromised container.
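As an added illustration of that last point (example code, not part of the original article): a small audit that decodes the effective capability mask a process reports in /proc/&lt;pid&gt;/status and flags the capabilities that let a compromised container reach past its boundary into the shared kernel. The set of capabilities treated as host-reaching and the two sample status excerpts are assumptions constructed for this example; the first mask is the set an unprivileged Docker container normally receives, the second models a container started with full privileges.

```python
"""Decode a Linux capability mask (as shown in /proc/<pid>/status) and flag
capabilities that let a process reach past its container into the shared kernel."""
import re

# Capability bit numbers from the Linux ABI (include/uapi/linux/capability.h).
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]

# Assumed policy: capabilities that undermine the container boundary because they allow
# loading kernel code, raw device/memory access, tracing other processes or host network changes.
HOST_REACHING = {"SYS_ADMIN", "SYS_MODULE", "SYS_RAWIO", "SYS_PTRACE",
                 "NET_ADMIN", "DAC_READ_SEARCH", "BPF", "SYS_BOOT"}

def decode_caps(mask_hex: str) -> set:
    """Turn a hex capability mask into the set of capability names it contains."""
    mask = int(mask_hex, 16)
    names = {name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1}
    # Bits beyond the table (newer kernels) are reported by number so nothing is silently dropped.
    names |= {f"CAP_{bit}" for bit in range(len(CAP_NAMES), mask.bit_length()) if mask >> bit & 1}
    return names

def audit_status(status_text: str) -> dict:
    """Parse the CapEff line of a /proc/<pid>/status dump and report host-reaching capabilities."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no CapEff line found")
    effective = decode_caps(m.group(1))
    risky = sorted(effective & HOST_REACHING)
    return {"effective": effective, "risky": risky, "ok": not risky}

# Constructed samples: the effective set of a default (unprivileged) Docker container,
# followed by the mask of a container that holds every capability (--privileged).
DEFAULT_CONTAINER = "Name:\tsh\nCapInh:\t0000000000000000\nCapEff:\t00000000a80425fb\n"
PRIVILEGED_CONTAINER = "Name:\tsh\nCapInh:\t0000000000000000\nCapEff:\t000001ffffffffff\n"

if __name__ == "__main__":
    for label, text in (("default", DEFAULT_CONTAINER), ("privileged", PRIVILEGED_CONTAINER)):
        result = audit_status(text)
        print(label, "OK" if result["ok"] else "RISKY: " + ", ".join(result["risky"]))
```

On a live host the same function can be fed the contents of /proc/&lt;pid&gt;/status for a container's init process to see which capabilities it actually holds, regardless of what the run command was meant to grant.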
Because containers roll an application together—with its dependencies and interfaces—into a single re-deployable unit, a container can be run on any host system with the appropriate kernel components while shielding the application from behavioral inconsistencies due to variances in software installed on the host.
Multiple containers can be run on a single host OS without the use of a hypervisor, while still being isolated from neighboring containers. This layer of isolation introduces consistency, flexibility, and portability that enables rapid software deployment and testing.
To learn more about containers and how they can keep your cloud data secure, check out our white paper, “Cloud Security and the Containers Approach.”