The allure of modern software architectures based on containers and microservices are their potential to enable business transformation efforts, but like any new technology, security is a key barrier to widespread implementation. However, new tools and evolving software frameworks promise to tackle that key hurdle.
Shifting from current monolithic software to containerization is compelling because it enables agile development and runtime environments that aren’t tied to specific hardware or platforms. Because containers are lightweight runtime environments that are abstracted from operating systems, VMs and clouds, they pave the way for the use of modern data architectures and more efficient systems and operations management.
Likewise, since they encapsulate any number of microservices that are called upon only as needed, containers are also appealing because developers can easily swap out individual microservices without rebuilding an app or impacting the infrastructure.
And because containers don’t have dependencies with specific infrastructure or clouds, these architectures offer more operational flexibility. Consequently, containers provide the baseline for IT and development groups to become markedly more agile in their delivery of services, which is the cornerstone of business transformation initiatives.
The market for application containers this year is forecast to reach $1.5 billion this year and is expected to grow to $2.6 billion by 2020, according to 451 Research. While that represents a small percentage of cloud-enabling software, application containers are the fastest growing. Experts have found that especially remarkable, considering that the market first took shape five years ago when Docker open-sourced key components of its container runtime and gathered widespread industry support.
Coalescing Around Kubernetes
Now there’s a common baseline for container management and security with the industry coalescing around Kubernetes, the open-source orchestration system for automating the deployment of containerized software. Kubernetes was developed by Google and contributed to the open source community three years ago. It is now maintained by the Cloud Native Computing Foundation (CNCF), which has joined forces with the Open Container Initiative (OCI), resulting in the rapid broad support by the software industry.
While Google Kubernetes Engine (GKE) has been around for some time, Amazon Web Services’ Elastic Kubernetes Service (EKS) and Microsoft’s Azure Kubernetes Service (AKS) became generally available last month. That widens the playing field now that the two most widely used public clouds offer managed Kubernetes services.
It also enables various hybrid cloud management scenarios such as Red Hat’s OpenShift Container Platform, which is Kubernetes-based, and the Pivotal Kubernetes Service (PKS) that’s built on the open-source Kubo distribution. Other container orchestration platforms such as Mesosphere and Rancher, also support Kubernetes. There are numerous native tools including Dashboard, Kubefed and Minikube.
However, Docker’s own orchestration tool, Swarm, is built with a different architecture and does not lend itself to Kubernetes. By most accounts, Docker, which introduced Swarm several years ago, was blindsided by the rapid and widespread industry support for Kubernetes. The Docker Engine is still a key component of container environments and is included in the latest version of Windows Server, released in 2016. Last year, a Docker update enabled its container engine to run in Windows and Linux clusters. Docker also claims 1 million new developers have started using its Windows and Mac desktop GUI.
Despite the shift to Kubernetes, Swarm still has a place among those using Docker’s tools. “Docker does not position it as an either-or decision that has to be made between Swarm and Kubernetes,” said Gartner analyst Tony Iams. “Swarm is a great way to get started with container orchestration and then you graduate to Kubernetes.”
Although some shops may start off with Docker Swarm, the company has acknowledged that it needed to provide support for Kubernetes-based orchestration and security. The new Docker Enterprise Edition 2.0, previewed last fall and released in April, now supports both Swarm and Kubernetes orchestration.
Security Improvements to Docker EE
Among the security improvements Docker EE 2.0 now offers include GUI-based workflows to enable Role-based Access Control (RBAC), cluster and registry management and secure application zones that physically separate applications within a single cluster.
The new Docker EE also provides a CNCF-compliant Kubernetes stack including support for its native APIs and command line interfaces (CLIs). At last month’s DockerCon conference in San Francisco, the company demonstrated Federated Application Management for Docker EE with added security controls.
Pointing to the managed Kubernetes services from Amazon, Microsoft and Google, Docker officials said that rather than needing to define every security, access control and governance policy for each of the specific cloud providers and software distribution, customers can provision clusters with Docker EE. And with the new federated application management capability announced last month, customers can implement existing policies or those created within those environments.
“In an era where everything is going to have a digital representation, security has to be a basic digital right, it has to be part of the software we build, we have to know everything about the applications that we’re running,” Docker CEO Steve Singh said during his keynote address at DockerCon, where container security was a key focus. “We have to provide tools that govern how data that we create is used, and security is woven in every element of the Docker platform, everything from the engine, all the way through the entire software supply chain. That’s our promise to you and that’s what’s going to guide our innovations.”
Gartner’s Iams said Docker had little choice but to jump on the Kubernetes bandwagon. “Docker needed to show that they can also add value with Kubernetes because the Kubernetes space is getting to be strategically quite significant and you have a number of players,” he said.
Many of these players are startups or relatively new providers such as Aqua Security, Avoreta, JFrog, NeuVector, StackRox and Twistlock, which offer tools focused squarely on container security. Core security providers have also set their sights on securing containers including Cisco, with its new Contiv offering, and Tenable, which last month added container protection capabilities to its Tenable.io security scanning suite. The above-mentioned upstream container management providers also offer various security capabilities as well as cloud operations management tools offerings from AppFormix, Applatix, Apprenda, Cloud 66, DH2i, Kublr and Platform9. among others.
Garter’s Iams said while the cloud platforms address many of these security concerns, many of these tools provide various levels of integration and vulnerability scanning. “With all this new software that’s being installed, whether it’s there in the container runtime or within the orchestration system, all those have to be integrated with existing security such as whatever authentication mechanism you have in place like Active Directory,” he said.
Following the Money
Yet investors are betting big on container security. Among a number of Series B investments, Redpoint Ventures put $25 million into StackRox, Polaris Partners funded Twistlock with $17 million and Lightspeed Venture Partners pumped a $25 million round into Aqua.
Why are so many new providers focusing on container management security, rather than leaving it to the incumbents? The first step toward securing containers begins with the developer, who must build security into the CI/CD process, according to Liz Rice, an evangelist at Aqua, a 3-year-old startup that offers a platform for runtime controls for container-based environments. “That’s a complete mind change from how things are in a traditional deployment,” Rice said.
Also, containers are designed to run in heterogeneous environments and there are more of them – often thousands. Each microservice has its own dependencies, meaning traditional security approaches such as patching and applying vulnerability updates, aren’t practical with these new architectures, Rice explained. “If you have that model in your head when you think about dealing with these thousands of containers, it’s just impossible,” she said.
John Morello, Twistlock CTO, agreed. While a traditional three-tier application running in virtual machines might have a single VM for each tier, the exponentially larger quantity of microservices and containers that are often created and destroyed weekly or even daily, require a different approach, he noted. While this creates a more dynamic environment, that’s the intent with the move to CI/CD.
“These challenges mean that security needs to be more dynamic and automated than traditional models that assumed static, human-generated policies and rules,” Morello said. The upside of containers, he added, is that they are minimal, declarative and more predictable than traditional monolithic approaches.
Consequently, security platforms for these environments observe and model normal behaviors and automatically detect anomalies with minimal human involvement, according to Morello. “When combined with a modern CI/CD software delivery process, they enable organizations to embed security much earlier in the app life cycle, preventing vulnerable apps from being deployed in the first place and fixing problems in development, where they’re much cheaper and safer to resolve,” he said.
Cloud Provider Container Security
Many of the capabilities needed to secure containers are built right into many of the public clouds and offered by managed services providers. A case in point is IBM Cloud, which offers security scanning of container images and configuration scanning to look for poorly configured software as part of its managed Kubernetes service.
“We do enforcement-based policy and we do image signing and enforcement, said Jason McGee, a VP and CTO of IBM Cloud. “That’s all just built into the platform.” But many solutions address applications that may run across multiple clouds or offer specific capabilities such as runtime security or forensics. McGee said IBM has partnered with several of those providers including Aqua, Sysdig, LogDNA, NeuVector and Twistlock.
IBM and NeuVector announced their alliance back in March to offer as an option automated Kubernetes platform security with NeuVector’s multi-vector, container firewall capabilities. “There’s a tremendous ecosystem of solutions from startups and large companies like that to solve different parts of the container operational environment and developer experience,” McGee said. “Those tools work with IBM Cloud and they work with our Kubernetes services on premises.”
NeuVector, which is best known among its customers and partners for its container firewall tool, recently announced extended security capabilities with the 2.0 release of its namesake offering by extending its run-time security automation, container process monitoring and vulnerability scanning with incident response, enterprise access control, role-based management and registry scanning. “Before we were highly focused on the container firewall,” said NeuVector CEO FEI Huang. “With NeuVector 2.0, we are offering much broader coverage with the end-to-end container security.”
Many of these security players have aligned themselves with major cloud providers as well those who offer container management solutions and various CI/CD tools. For example, Cloud 66, which offers a Kubernetes-based container deployment pipeline tool called Skycap, has customers who use container security solutions from Aqua, JFrog and Twistlock. Udi Nachmany, VP of business development at Cloud 66, describes those solutions as complementary.
“If you use our pipeline and go into Kubernetes, you can just plug Aqua’s runtime security tool into your infrastructure,” Nachmany said. The company is also the sponsor of a new open-source project called Habitus, that helps developers address security and performance of Docker container images in the build stage.
For example, it’s common to have secrets embedded into the container image. That image can be sent to an unencrypted registry. “As a DevOps person or manager, you don’t always have control of all those moving parts, so Habitus takes the secret out, and puts it in a sidecar that runs in the build network, and then the secret is injected once the image is finished,” Nachmany said.
Another thing Habitus does is it minimizes the size of the image. “If you’re creating an app and you don’t need all of the build libraries in the runtime image, you can create a runtime image that’s 10 percent of the original one, which obviously means it’s much less vulnerable to attack,” he said.
Bridging the Old and New
Organizations deploying these cloud-native modern container-based environments often overlook APIs and identity, according to Jason Schmitt, CEO of Aporeto, among the newer of the startups. The recent release of Aporeto Enterprise 2 assigns contextual application identity for every component of an application or process. This provides security of microservices and cloud native applications with API access control, runtime threat and vulnerability management and identity management, according to the company. Schmitt says its solution protects both traditional and microservice application architectures.
“The best way to think about us is essentially a workload security platform that spans Linux workloads all the way to cloud native,” Schmitt said. “We’re very centered on container workloads and infrastructure and can work natively in a Kubernetes environment. But we also provide similar sort of uniform policy across a heterogeneous environment so container workloads across multiple cloud and multiple clusters.”
Meanwhile, more established providers of larger IT security portfolios are also adding container scanning to their offerings. For example, an update rolling out to Tenable.io Container Security, which already scanned containers in the build and test process for vulnerabilities, will be able scan those in production. It continues to scan new containers in its registry as they’re put into production. The new release also offers connectors to Microsoft Azure and Google’s GCP.
The Tenable.io Container Security update, announced last month, is set to roll out in stages by August with support for Kubernetes. The company added container security to Tenable.io with its late 2016 acquisition of FlawCheck, which started out with an offering that scanned Docker containers. Tony Bettini, the former CEO Of FlawCheck and now senior director of software engineering at Tenable, said bringing it into Nessus scans containers as part of the SDLC process and validates those containers in production are from the same source as the images.
“This way we can detect containers that have been modified in production because of say a compromised container or some other type of hack or compromise,” Bettini said. “It also allows us to do much faster scanning because we can do the scanning without adversely affecting production environments by doing the scanning on the SDLC side.”