Container Security and the Multi-cloud Control Plane: More than Just the Image
A cynic might conclude that “image” has more than a little to do with the phenomenal interest in containers and microservices right now. But just like the security required beyond the “image,” container technology is now beginning to offer far more to the agile enterprise.
Nearly two decades ago, containers as we call them today began as methods to virtualize UNIX operating systems in order to provide process separation with high levels of efficiency. From these humble beginnings, a movement has emerged to develop tools that elevate this technology to the point where it is becoming the preferred method for building and deploying modern software into cloud environments.
Factors driving increased adoption of containers include tools that increase developer productivity and agility, and the enablement of modern, anti-fragile microservices application architectures. Furthermore, the functionality delivered by platform-as-a-service (PaaS) stacks not only provides the correct level of abstraction to enable agile operations but is also beginning to offer companies the opportunity to deploy across multi-cloud venues (both public and private infrastructure-as-a-service environments) without having to deal with the complexity of technical inconsistencies in each location.
A significant threat to the business models of public cloud providers is that these software solutions allow a company to retain control of its dependencies and services while choosing the most cost-effective cloud venue in which to instantiate its software. It may be that container technology is going to spawn the independent multi-cloud control plane of the future.
This new form of computing, alongside recent learnings around threats and DevOps-style operational models, also provides us with the opportunity to factor in appropriate security controls and build them into the infrastructure stack across the multi-cloud – regardless of location or of the cloud service provider delivering the CPU cycles.
Until now, that security focus seems to have been somewhat confused. For a period of time, the market concentrated mostly upon image security. While signing and scanning of software to ensure authenticity and identify vulnerabilities is a valuable capability, it is no silver bullet against many other threats. It is rare for cyberattacks against applications to be based upon manipulation or exploitation of the target software itself, as opposed to the more common attacks that use stolen credentials or exploit existing vulnerabilities. While the threat model changes somewhat with container image repositories, it is clear that concentrating upon image integrity provides very limited protection against common attacks. Fortunately, we are now seeing this technology becoming commoditized into PaaS stacks, such as Docker repositories, with the focus shifting to runtime security.
Runtime security controls allow you to prevent successful attacks on the executing instances of software in your environment. Basic identity, access management, and system- and network-level segmentation capabilities are being supported in OSS implementations, while cutting-edge innovation and advanced security are being addressed by commercial solutions. The standard DevOps toolchains can be used to furnish the metadata that informs security systems of runtime requirements in real time, and old-fashioned security systems (such as the ancient firewall) are replaced by dynamic security systems that can participate in these ecosystems.
Users are also provided with choice, for example, when it comes to segmentation. Technologies such as OpenShift, Mesos and Docker Swarm can provide basic project separation (commoditized capabilities that are a massive improvement on the basic network capabilities in legacy networks). In addition to these base functions, more advanced security controls can be deployed as part of the framework to meet more stringent risk or regulatory control requirements without compromising agility or speed.
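As an added example (not from this article or from vArmour), the "basic project separation" described above can be expressed as Kubernetes NetworkPolicy objects, the mechanism OpenShift applies to its projects (namespaces). The project name `team-a`, the `tier` labels and the database port are assumed for illustration.

```yaml
# Added example: per-project isolation with Kubernetes NetworkPolicy.
# Assumes a NetworkPolicy-capable CNI and a project (namespace) named "team-a".
# NetworkPolicies are additive: a pod accepts any traffic matched by ANY policy
# selecting it, so a blanket "allow from same project" rule must exclude the
# pods that get a stricter rule, otherwise the stricter rule has no effect.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: team-a
spec:
  podSelector: {}            # every pod in the project
  policyTypes:
  - Ingress                  # no ingress rules listed, so all inbound traffic is denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-project
  namespace: team-a
spec:
  podSelector:
    matchExpressions:        # all pods except the "db" tier
    - key: tier
      operator: NotIn
      values: ["db"]
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector: {}        # any pod in the same namespace (project); other projects stay blocked
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-from-web-only     # stricter control for a sensitive tier
  namespace: team-a
spec:
  podSelector:
    matchLabels:
      tier: db
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          tier: web          # only the web tier may reach the database
    ports:
    - protocol: TCP
      port: 5432             # assumed database port
```

Apply with `kubectl apply -f` (or `oc apply -f` on OpenShift) and verify by attempting a connection to a `tier: db` pod from a pod without the `tier: web` label: it should be refused while a connection from a `tier: web` pod succeeds.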
From humble beginnings, container technology is leading us to a world where IT can be unshackled from local environmental and infrastructure-level dependencies and security can be built in.
And that means it's time to reconsider your security requirements, unconstrained by the offerings of your cloud provider and by concerns about the business impact of static technologies, such as firewalls and network hardware that cannot be effectively automated or orchestrated, so that they meet the dynamic needs of the modern data center.
Marc Woolward is chief technology officer of vArmour.