‘Software containers’ are improving security of cloud computing

Baking in security early in the development process reduces risk, fosters collaborative culture


Container technology enables organizations to build, deliver and run enterprise applications faster and more easily, efficiently and cost effectively than ever before. Compared to virtual machines (VMs), containers are much smaller, start up much faster, and have better performance.

The building blocks of container technology have been in existence for decades, but had technical limitations that stymied their use. In 2013, the Docker open-source project found a way to address those limitations, making containers much easier to use.


Fast forward to 2017, and software containers are becoming the platform of choice to build cloud architecture due to their significant benefits: speed of development, speed of deployment, flexibility, scalability and the cost-effective use of computer resources. However, they also introduce new risks. They run on a shared kernel (meaning they share an operating system and device drivers with their host, usually a VM), introduce challenges with isolating users and processes, and add a layer that obscures visibility into activity on the host. Managing the sheer scale of container deployments is also daunting.

Stumbling blocks

While many development teams invest some effort in using security best practices, their main objective is delivering code. At the end of the day, it’s the security group’s job to identify and manage application security risk, but most security professionals have no idea what containers are, let alone the security implications of deploying them. In addition, the brief history of cybersecurity has shown that whenever new technology is introduced, exploits that abuse it are never far behind.

Despite those challenges, containers offer a rare window of opportunity to improve enterprise security in a game-changing way. Part of the reason is timing: Containers became enterprise-ready right as a confluence of factors—DevOps, Agile Development, the maturity of cloud-based architectures and growing interest in using microservices to build complex applications—are redefining how companies approach application development. These trends are introducing unprecedented collaboration, automation and agility into application development, and containers enable them all to manifest in a very noticeable way.

Business leaders, IT catching on

Many security professionals see containers as an opportunity to “bake” security into the application delivery process instead of “bolting it on” after the fact. Application security processes were built around the assumption that the application needed to be constructed first, and then hardened. While the limitations of that approach soon became evident to security teams, it took years of mega breaches and other cyber attacks dominating the headlines for business and other IT leaders to pay attention.

Sensing a huge opportunity, application security innovators and entrepreneurs started creating specialized container security tools. Meanwhile, the notion of adding security into the DevOps mix arose and is gaining legitimacy as an emerging discipline.

Security no longer a postscript

With a desire to partner and the needed technology tools at their disposal, Security and DevOps teams can work together to shift security from its current position at the end of the development life cycle to the beginning, and embed security controls throughout.

One of the most significant benefits is the opportunity to secure the application from within. Instead of applying security as an afterthought, when security shifts to the developer, it allows for much more granular testing to be carried out on each component.

For now, we are still a few steps ahead of the security problem, but security teams have their work cut out for them. They need to familiarize themselves with container technology and consider container security issues in the context of the enterprise applications they’re using it to build.

The bottom line is that container security needs to consist of secure processes and enforceable controls. If you use one but not the other, you’re not going to be able to handle containerized application security adequately. But when used together, DevOps and security teams can literally re-engineer the application delivery process in a way that not only substantially reduces human error and improves risk and compliance management, but also provides unprecedented influence over the organization’s application security posture.
