BACKGROUND IMAGE: iSTOCK/GETTY IMAGES
As was once said by Silicon Valley celebrity Marc Andreessen, "software is eating the world." In a similar way, containers are eating the world of software. Applications are moving from VM-heavy infrastructure to lightweight container-driven ones.
However, in the rush of this mass migration to container-based infrastructure, many IT operations teams have been left wondering how to structure governance for a completely new infrastructure stack. Luckily, a containers-as-a-service platform can help organizations acclimate themselves to this new kind of infrastructure.
How containers as a service can help
Once container images achieve wide use in an organization, it's important that high-impact issues related to security and governance are identified immediately. This should then trigger rebuilds of parts of the application that might be impacted or are vulnerable. This is where a containers-as-a-service platform can help implement governance at scale in a decentralized model and still keep it robust.
Many containers-as-a-service platforms are also designed for security. Running microservices applications in a container environment designed for security gives developers the convenience of using containers, while maintaining high levels of image quality and security. Rich Sharples, senior director of product management at Red Hat, commented that the company's containers-as-a-service platform, OpenShift Container Platform, "ensures some services can only be accessed through more secure means (using Transport Layer Security) and only from certain locations (domains, IP address ranges)." Containers demand a new approach to governance and security, and rather than build this model from the ground up, it may be better to go with a battle-tested platform that has governance baked into it at every level.
Enabling needed network security
Securing services at the network layer is extremely important. This is typically done through policy-based network security. In this method, services access resources from the system, and other services take only as much as they need and no more -- a practice that is in line with the principle of least privilege. Tools like Project Calico are enabling this kind of network security and are ushering in a modern service mesh that is secure at scale.
Security goes from being a single peripheral firewall to a collection of small, secure services. It's a lot easier to secure these small services, and the attack surface is reduced because each service is isolated from the others. Even if one service is compromised, the other services are theoretically safe. This is not the case in a traditional monolithic application, where the entire application is compromised once the peripheral firewall is cracked.
This is another area where a containers-as-a-service platform can help, because a great thing about the container tooling available today is that the tools are well-integrated with each other. For example, the OpenShift platform provides a managed service for Kubernetes with built-in security features, as well as full support for tools like Project Calico.
Access our developer guide to container and microservices deployment
Learn why microservices and containers are complicating cloud-native security
Discover how to brace your infrastructure for the introduction of microservices