‘Software containers’ are improving security of cloud computing
Baking in security early in the development process reduces risk, fosters collaborative culture
By Rani Osnat, Special to ThirdCertainty
Container technology enables organizations to build, deliver and run enterprise applications faster and more easily, efficiently and cost effectively than ever before. Compared to virtual machines (VMs), containers are much smaller, start up much faster, and have better performance.
The building blocks of container technology have been in existence for decades, but had technical limitations that stymied their use. In 2013, the Docker open-source project found a way to address those limitations, making containers much easier to use.
Fast forward to 2017, and software containers are becoming the platform of choice to build cloud architecture due to their significant benefits: speed of development, speed of deployment, flexibility, scalability and the cost-effective use of computer resources. However, they also introduce new risks: they run on a shared kernel (meaning they share an operating system and device drivers with their host, usually a VM), make it harder to isolate users and processes, add a layer that obscures visibility into activity on the host, and are deployed at a scale that is daunting to manage.
While many development teams invest some effort in using security best practices, their main objective is delivering code. At the end of the day, it’s the security group’s job to identify and manage application security risk, but most security professionals have no idea what containers are, let alone the security implications of deploying them. In addition, the brief history of cybersecurity has shown that whenever new technology is introduced, exploits that abuse it are never far behind.
Despite those challenges, containers offer a rare window of opportunity to improve enterprise security in a game-changing way. Part of the reason is timing: Containers became enterprise-ready just as a confluence of factors (DevOps, Agile Development, the maturity of cloud-based architectures and growing interest in using microservices to build complex applications) is redefining how companies approach application development. These trends are introducing unprecedented collaboration, automation and agility into application development, and containers enable them all to manifest in a very noticeable way.
Business leaders, IT catching on
Many security professionals see containers as an opportunity to “bake” security into the application delivery process instead of “bolting it on” after the fact. Application security processes were built around the assumption that the application needed to be constructed first, and then hardened. While the limitations of that approach soon became evident to security teams, it took years of mega breaches and other cyber attacks dominating the headlines for business and other IT leaders to pay attention.
Sensing a huge opportunity, application security innovators and entrepreneurs started creating specialized container security tools. Meanwhile, the notion of adding security into the DevOps mix arose and is gaining legitimacy as an emerging discipline.
Security no longer a postscript
With a desire to partner and the needed technology tools at their disposal, Security and DevOps teams can work together to shift security from its current position at the end of the development life cycle to the beginning, and embed security controls throughout.
One of the most significant benefits is the opportunity to secure the application from within. When security shifts to the developer rather than being applied as an afterthought, much more granular testing can be carried out on each component.
For now, we are still a few steps ahead of the security problem, but security teams have their work cut out for them. They need to familiarize themselves with container technology and consider container security issues in the context of the enterprise applications they’re using it to build.
The bottom line is that container security needs to consist of secure processes and enforceable controls. If you use one but not the other, you’re not going to be able to handle containerized application security adequately. But when the two are used together, DevOps and security teams can literally re-engineer the application delivery process in a way that not only substantially reduces human error and improves risk and compliance management, but also provides unprecedented influence over the organization’s application security posture.