Reemerging Container Security Ills Addressed
Concerns about the security of application containers have reemerged as the micro-services technology spreads across the enterprise. Those worries are fueled by recent reports of a “breakout” vulnerability in the container runtime known as runC.
In response, providers of container data services used by DevOps teams are again stressing security features such as isolation of individual containers as more companies embrace cloud-native tools like the Kubernetes cluster orchestrator.
Among them is Portworx, the cloud-native storage and data management specialist, which released the latest version of its enterprise platform this week. The upgrade includes security and disaster recovery features, including new “role-based” access controls that would enable DevOps teams to limit access on a “per container data volume basis,” Portworx said.
These and other authorization and authentication tools are designed to isolate individual containers since those running on a host share the same underlying kernel. Security specialists said that configuration means any malicious code in an individual container can “break out” to compromise applications running on the host platform and potentially across a cluster.
Portworx asserts these security issues are heightened with the enterprise embrace of Kubernetes, the de facto standard container orchestrator. “Adoption of container technologies is rapidly increasing in the enterprise, with nearly half of businesses already running apps on Kubernetes in production,” said Murli Thirumale, co-founder and CEO of Portworx.
“But Kubernetes alone is not able to meet the complex requirements that today’s businesses face,” Thirumale added. Hence, the company argues that Kubernetes must be “augmented to meet the requirements of mission critical enterprise applications,” including data security, backup as well as compliance.
The Portworx security feature accounts for the fact that Kubernetes still does not allow users to authorize or authenticate data access using traditional methods like Active Directory or other directory access protocols. That leaves open the possibility of unauthorized data access by a Kubernetes user.
Portworx’s security solution involves what it calls “container-granular, role-based authentication” and authorization along with data encryption. The approach would allow users to set access controls on a “per container data volume” basis.
The upgraded platform also incorporates “Kubernetes-native” disaster recovery that adds two new levels of data protection by backing up data storage at separate locations. Those locations include Amazon Web Services (NASDAQ: AMZN), Google Cloud (NASDAQ: GOOGL) and Microsoft Azure (NASDAQ: MSFT) regions, the company said.
Portworx, Palo Alto, Calif., also announced an “oversubscribed” $27 million mid-stage funding round this week led by Sapphire Ventures and Mubadala Investment.
Also participating in Portworx’s Series C funding round were existing investor GE Ventures along with new funders Cisco Investments, the venture arm of Hewlett Packard Enterprise, and NetApp. Portworx has so far raised $55.5 million in venture funding, most of it used to develop its flagship enterprise platform.