For many enterprises, containerization enables a much faster pace of releasing consistent software more efficiently than VMs. At the same time, containers have introduced new deployment models requiring enterprise architects and security specialists to rethink the way they secure applications. At the RSA Security Conference, security experts evaluated new considerations required to securely implement a containerization strategy.
Enterprises have been secured with zones, using network and endpoint security, said Chris Hoff, VP and CTO of Security at Juniper Networks. But there have been complications as programmers seek to work more like Amazon. The process of adding a robust security infrastructure with audit controls, key controls and documentation requires more than a few hours to push out applications and updates. The real challenge is the transformation that cloud, DevOps and now containerization means for pushing security teams to be less siloed. This is especially difficult in large enterprises.
Container vendors focus on security
This dynamic creates a new layer of friction when the enterprise is trying to get updates out the door faster. Speed is key right now, said Scott Johnston, SVP Product at Docker. He is seeing a pick-up in containerization in industries like financial services to increase the speed with which they employ better trading algorithms and more efficiently address customer needs. Cloud and mobile firms are also rapidly moving toward microservice architectures to support a quicker pace of delivery.
Security needs to be a foremost consideration to prevent fraud and cyber-attacks. "We are aware that we cannot just brush away security," said Johnston. "Almost every release of Docker has an incremental security investment to make it easier for Ops teams to include policy at run time or for app developers to make it more secure."
Docker is investing heavily to improve the ability to shut off Linux kernel capabilities or allow Ops teams to manage a security policy independent of developers. It is also making considerable investments in infrastructure to create a chain of trust showing where the source code came from, who compiled it and who did the QA. "The onus is on both sides of development and operations," said Johnston.
Microsoft has also announced a major foray into new container infrastructure that can work across Azure and private clouds. It is conducting research on new security models to secure containers in a variety of private, public and hybrid cloud scenarios, said Mark Russinovich, CTO of Azure at Microsoft. Drawbridge is a Microsoft research project for creating containers with strong isolation boundaries to host untrusted code. In addition, their Haven prototype helps to protect a VM or container when the operating system is compromised.
Moving from network to app security
Network-based security makes a lot of sense when applications are provisioned to run for months or weeks at a time. But things become more dynamic with the move to microservices, said Docker's Johnston. The first microservices were provisioned across a single server, but things are getting more complicated as organizations deploy these collections across multiple servers and data centers.
Software defined network (SDN) functionality, including firewalls and routers, has been developed to support a handful of VMs. But now, tens of thousands of containers can exist for milliseconds. "We are not trying to apply yesterday's security model to containers," said Johnston. This kind of new approach needs to consider how to provision firewalls and load balancers in concert with applications.
Scott Johnston, SVP Product at Docker
It can be a difficult transition for organizations that built a security model around securing their network. Juniper's Hoff observed that it is tough to get people who don't even know how to spell VM to provide advice on segregating this kind of more Agile infrastructure. It is not really so much a security and policy discussion as it is compliance.
In the past, IT operations teams would choose the kind of networking and infrastructure security tools to be used. Now it is DevOps choosing those tools and making sure they are available, said Microsoft's Russinovich. The traditional model was that IT was responsible for network security, but this model is very different.
Teaching security teams to code
At the end of the day, containerization is not just about a technology shift. It also requires rethinking processes and tools. For example, when ING Bank adopted DevOps, they mandated every team member should be a programmer, which took the cycle time for new apps from a matter of months to just days. Security teams will to have to learn how to program as well.
Cloud and virtualizations have been around for a decade, while containerization is only in its first year, said Docker's Johnston. It could take another decade before containerization security practices fully catch up.
App containers vs. Linux containers
Discover three containerization methods used to secure corporate data
Test your knowledge of secure container technology