Container Security Should Be Top-of-Mind for DevOps Teams

April 11, 2018

By Jean S. Bozman

Containers are being readily adopted for born-on-the-web workloads by hyperscalers, cloud providers and DevOps organizations. Now, as more enterprise applications and databases are migrating to containers, developers must be mindful of the continuing need for security.

Driven by digital transformation to modernize traditional IT infrastructure, container adoption is showing strong growth. The use of containers, which allow developers to encapsulate all of the components that sustain applications, is accelerating, driven by microservices deployed on the cloud.

But developers and DevOps personnel must make container security a high priority in order to protect their enterprise applications. Security, long a top-of-mind priority for CIOs and IT organizations, must be maintained for corporate reasons – and for compliance reasons, given new regulatory requirements in the U.S., EMEA (e.g., GDPR) and Asia/Pacific. GDPR is enforceable within the European Economic Union (EEU) as of May 2018. In many surveys, security is listed as one of the top three priorities for IT managers.

Growth in Container Adoption

The progress being made in container technology is remarkable, especially now that Kubernetes, along with Mesos and Docker Swarm, are being widely used as the orchestration mechanisms for managing containers in distributed, scale-out computing. Revenue for container software is growing – reaching an estimated $3.5 billion by 2022 – with an additional $1.5 billion just for the orchestration and management software tools for containers.

Security Considerations for Containers

This is why DevOps personnel must “think differently” about security for containers. Scaling out does not prevent security issues from occurring. In the born-on-the-web world, searches and web-centric workloads can be redirected to other resources without upending production workloads, but in the scale-out world, data protection and security look very different than they do in the traditional enterprise. At times, customers feel overwhelmed by the data coming in from multiple monitoring tools, all delivering security data.

There is not one way to secure containers; rather, there are many. As discussed at the ContainerWorld conference, there are multiple approaches to achieving security in the scale-out environment of containers.

Here are some of the key points regarding container security discussed at the conference:

  • Microservices. Delivering applications via microservices helps to reduce the “attack perimeter” for any given security threat. This approach – segmenting the overall workload into microservices – limits the overall impact, compared with monolithic applications running on bare-metal servers.
  • Reducing interference. In multi-tenant containers, preventing one application from interfering with others is a clear priority for DevOps. Even when containers hold just one application or database, isolation preserves and protects the container “content” from interference or corruption.
  • Secure image registries. Even if applications are well-protected by design, containers are continually “spun up” or “spun down” as business conditions change – and applications move to alternate computing and storage resources. As data is accessed across the network, the opportunity for security intrusions rises. Here, the use of secure image registries helps to ensure that known, good software is deployed via containers, reducing the incidence of faulty deployments.
  • Key management software. Key management software supports data encryption and decryption through the use of keys that allow applications to gain secure access to data.
  • Application modernization. Revisiting old code – and updating its functionality by rewriting it with new software tools – supports digital transformation and operational uptime.
  • Leveraging container-centric software. Customers who are re-building and re-launching applications should consider updating their DevOps software tools – and putting offerings such as Kubernetes, Docker Swarm and Mesos to work for managing the containers across corporate networks and clouds.

DevOps and Dev Culture: The Security Mindset

Mindfulness about security – placing security high on the list of application requirements – is especially important. This is, in part, a cultural issue within the DevOps and programming community, because security is most effective when built into the application from the start rather than bolted on later.

One issue here is that cloud-native workloads often come from continuous development (CD) and continuous integration (CI) DevOps processes. This means that developers must make security a high priority at all times, with each software commit. Fortunately, they can ensure this happens via policy and automation for each successive release.
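As an added illustration of the “secure image registries” point above and of policy enforced by automation on every commit, here is a small pre-deployment gate written for this article (it is not code from any product or project mentioned here; the approved registry names, the organization's policy and the sample manifest are all constructed):

```python
import re

# Constructed example policy: the registries this hypothetical organization trusts.
APPROVED_REGISTRIES = {"registry.example.internal", "mirror.example.internal"}

# Simplified grammar [registry/]repo[:tag][@sha256:hex]; dot-less hosts such as localhost:5000 are out of scope.
_IMAGE_RE = re.compile(
    r"^(?:(?P<registry>[^/@:]+(?:\.[^/@:]+)+(?::\d+)?)/)?"
    r"(?P<repo>[^@:]+?)(?::(?P<tag>[^@/]+))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)

def parse_image(ref):
    m = _IMAGE_RE.match(ref.strip())
    if not m:
        raise ValueError(f"unparseable image reference: {ref!r}")
    parts = m.groupdict()
    parts["registry"] = parts["registry"] or "docker.io"  # Docker's implicit default
    return parts

def evaluate_image(ref, approved=APPROVED_REGISTRIES):
    """Policy findings for one image reference; an empty list means it is allowed."""
    img = parse_image(ref)
    findings = []
    if img["registry"] not in approved:
        findings.append(f"{img['registry']} is not an approved image registry")
    if not img["digest"]:
        # A tag can be re-pointed at new content after review; a digest cannot.
        findings.append("image is not pinned by digest, so its content can change")
        if img["tag"] in (None, "latest"):
            findings.append("floating 'latest' tag makes the deployed build unpredictable")
    return findings

def gate_manifest(manifest_text, approved=APPROVED_REGISTRIES):
    """Check every 'image:' line of a Kubernetes manifest; return {ref: findings}."""
    results = {}
    for line in manifest_text.splitlines():
        m = re.match(r"\s*-?\s*image:\s*['\"]?([^'\"\s]+)", line)
        if m:
            results[m.group(1)] = evaluate_image(m.group(1), approved)
    return results

# Constructed sample manifest: one compliant image, one that should block the release.
SAMPLE_MANIFEST = """\
containers:
  - name: api
    image: registry.example.internal/payments/api:1.4.2@sha256:{}
  - name: cache
    image: redis:latest
""".format("a" * 64)
```

A CI step can call gate_manifest on each changed manifest and fail the build whenever any findings list is non-empty, so the check runs on every commit rather than at release time.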

Alternatively, using cloud services such as AWS, Microsoft Azure, Google Cloud, IBM Cloud, Oracle Cloud and others lets DevOps teams rely on the built-in security functionality of those services. This addresses platform and infrastructure security lapses that might otherwise occur through one-off security implementations, but it does not directly address application security.

What’s Next: Shifting Left with Policy and Automation

As containers become more widely used in hybrid-cloud and multi-cloud environments, information sharing between corporate business units and cloud service providers (CSPs) will become essential to limit the damage that security issues can cause to business organizations. Much of the prevention should “shift left” to the DevOps group, improving both application quality and application security.

Here are a few touchstones along the way to improving security best practices in container-intensive environments:

  • Updating security policies. Many organizations are re-thinking their security policies, adapting them for distributed, scale-out workloads. Holistic best practices, addressing both on-prem and off-prem containers, will likely produce the best, and safest, results.
  • Using unified consoles. Many are looking to combine “input” from multiple security software tools into unified consoles, helping administrators spot breaches more quickly and remediate security problems faster.
  • Leveraging automation. Automating management of a scale-out software environment gives admins more leverage in handling information about security issues, whether in the enterprise data center, in the cloud, or in hybrid clouds bridging both worlds.

Finally, despite its challenges, there is reason to believe that the security issues associated with a containerized world will be addressed more completely in coming years. Inside the enterprise, applications are migrating to private cloud, hybrid cloud and multi-cloud operations. IT organizations around the world are adjusting to this new reality of container-style computing, and realizing that it is their obligation to strengthen security policies. For their part, many CSPs have already stepped up to address security issues that arise in the cloud services they are providing to end-customers. That same approach must now be extended to smaller service providers and to MSPs, making security a top priority for all types of workloads – and all sizes of companies.

About Jean Bozman

Jean is a senior industry analyst focusing her research on server technology, storage technology, database software and the emerging market for Software Defined Infrastructure (SDI).