3 ways to improve security as you embrace containers
In enterprise IT, disruptive technologies become commercially viable faster than you can say “Moore’s Law.” However, if corporate culture and processes don’t evolve in conjunction with the pace of technology, it can inhibit the benefits of even the most awesome of enterprise apps. One area of IT where corporate culture has stymied progress is cyber security, but the rise of software containers — arguably one of the most disruptive enterprise technologies on the horizon - provides an opportunity to get application security right, or at least make it a whole lot better.
Software containers such as Docker and CoreOS RKT are rapidly being adopted in application development, DevOps, and web application environments due to the significant benefits they offer: speed of deployment, flexibility, scalability and the cost-effective utilization of compute resources.
However, they also introduce new security challenges – they run on a shared kernel, there are challenges with isolating users and processes, they add a layer that obscures visibility into activity on the host, and managing the sheer scale of container deployments is daunting.
Despite those challenges, there are several reasons why containers offer a rare window of opportunity to improve enterprise security in a meaningful way:
1) Make container security the rallying point around which DevOps and Security unite: DevOps is a movement meant to improve and align the relationship between Application Development and Operations teams through automation, communication and collaboration. As noted in the October 2015 Securosis report by Adrian Lane called Putting Security into DevOps, “DevOps represents a cultural change as well…The impact of having Operations, Development, and QA work shoulder-to-shoulder is hard to articulate…You may consider this a 'fuzzy' benefit... until you see it firsthand, and realize how many problems are alleviated by clear communication and shared purpose.”
Corporate security teams are immersed in the same kind of corporate cultural dysfunction as Dev and Ops teams, and could greatly benefit from DevOps-like cultural re-alignment. Adding security into DevOps, or “DevSecOps,” is by no means a novel idea. The concept of baking security into enterprise IT exists and is gaining ground.
What makes DevOps a critical factor in getting container security right is that, aside from the fact that DevOps is driving container adoption, DevOps has seeded a cultural shift required for improving corporate cyber security. DevOps may not have started out with security in mind, but security teams can leverage DevOps to reset their relationship with development and operations teams, and then recreate that dynamic with other IT groups. If we choose to make container security the rallying point around which DevOps and Security unite, it creates the opportunity to automate key security processes, providing a successful case study for subsequent cultural change.
2) Thanks to the endless parade of mega breaches, security is now a C-level concern: DevOps has not been the only cultural change agent in to impact corporate cyber security. If the tech world has learned anything from the endless parade of mega breaches, it’s that baking security into IT is not just a cool slogan - it makes good business sense. Compared to their predecessors, container platform providers are admirably security conscious (as they should be), but the market for containers is still in its early stages. With organizations such as Goldman Sachs and BNY Mellon publicly stating that they are “doubling down” on containers, security is no longer an afterthought. Which leads to the most critical factor in the equation …
3) Container security requirements are being identified and addressed prior to mainstream adoption: With security teams being part of the vetting process for container adoption, security considerations are being raised before containers become mainstream. However, most security professionals have no idea what containers even are, let alone what the security implications of deploying them are. In addition to their unique security issues, the brief history of cyber security has shown us that whenever a new technology is introduced, exploits that abuse it are never far behind.
As security-conscious as Docker and other container platform vendors are, they can’t control or foresee how their customers will utilize containers. In a few blinks of an eye, companies will be following Goldman Sachs and BNY Mellon’s lead. Any organization evaluating a container-based strategy needs to make sure security is brought in early.
For now, we are still a few steps ahead of the security problem, but security teams have their work cut out for them. They need to familiarize themselves with container technology, and consider container security issues in context of the enterprise applications they’re using containers to build.
It’s a tall order, but integrating container security into the equation early is what gives containers the potential to become the poster child for top-notch application security.
If organizations leverage this window to integrate security into the fabric of how container-based applications are built and managed, it provides a rare opportunity to get security right.
Let’s not screw it up!