Recently, vArmour was awarded a patent for segmenting containers, allowing for container-based security: applying security policies based on the type of data. This patent removes the need for many of the precautions otherwise taken when using public clouds. It especially helps companies in regulated industries, for example, to separate regulated data from unregulated data and apply different policies to each.
To find out more, I spoke with vArmour's CTO Marc Woolward about the incredibly fast DevOps process that is segmentation, and how it will lead companies to be more secure in the cloud.
VMblog: What are the driving forces behind container innovation and adoption?
Marc Woolward: Containers really began as methods to virtualize UNIX operating systems to provide process separation with high levels of efficiency. Since then, a movement has emerged to develop tools that elevate this technology to the point where it is becoming the preferred method for building and deploying modern software into cloud environments. Major factors driving increased adoption of containers include tools to increase developer productivity and agility, and the enablement of modern, anti-fragile microservices application architectures.
Furthermore, the functionality delivered by platform-as-a-service (PaaS) stacks provides not only the correct level of abstraction to enable agile operations but also is beginning to offer companies the opportunity to deploy across multi-cloud venues (both public and private infrastructure-as-a-service environments) without having to deal with the complexity of technical inconsistencies in each location.
With containers, each application (or even process) running on a server gets its own, isolated environment to run. However, those containers all share the host server's operating system. So you not only have abstraction around the workload, you also have portability. Since a container doesn't have to load up an operating system, it can be created almost instantly. This speed of spinning up an instance crunches data center response times when an application faces a sudden surge in activity and more resources need to be provisioned immediately. As can be expected, there is a significant benefit to data center economics with such a model - less spending on hardware, data center building and renting, and hiring fewer people to manage all the infrastructure. However, the primary driving force of container adoption is "agility" - with the ability to spin up computing resources and retire them
VMblog: How does security play into container adoption?
Woolward: This new form of computing, along with recent learnings around threats and DevOps-style operational models, provides us with the opportunity to factor appropriate security controls and build them into the infrastructure stack across the multi-cloud - regardless of location or cloud service provider delivering the compute capabilities. Security continues to be a high priority on vendor roadmaps, with the security rationale for containers being very high.
Containers, by their very nature, are isolated instances that can only access limited system resources, which makes them great for controlled and secure use cases. At vArmour, we have been innovating with patents in multiple software security approaches, including in containers. We were recently awarded a patent for security policy generation using container metadata information. This policy computation method will provide models of expected behavior for the application along with definitions relating to allowed relationships and dependencies. In short, this method allows you to build business-oriented zero-trust policies, while accommodating the dynamic nature of container and microservice architectures.
See the below figure from our recent patent innovation.
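To make the idea of "policy generation using container metadata" concrete, here is an added, self-contained example. It is not vArmour's patented method and not code from the original interview; it is a simplified illustration that assumes a constructed container inventory in which each workload carries an application label, a tier label, a data classification (regulated or unregulated) and a list of declared dependencies (the hypothetical `depends_on` field). From that metadata it computes a default-deny allow list of flows, rejects declared dependencies that would let an unregulated workload reach regulated data or cross an application boundary, and can be re-run whenever the inventory changes, which is how the dynamic nature of container deployments is accommodated.

```python
"""Derive zero-trust segmentation rules from container metadata (illustrative example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Container:
    name: str
    app: str           # application label, e.g. "shop" or "claims"
    tier: str          # "web", "api" or "db"
    data_class: str    # "regulated" or "unregulated" (hypothetical label)
    depends_on: tuple = ()  # declared (destination_name, port) pairs from deployment metadata


@dataclass(frozen=True)
class Rule:
    """One explicitly allowed flow; anything not covered by a Rule is denied."""
    src: str
    dst: str
    port: int


# Constructed sample inventory. The last entry declares a dependency from an
# unregulated reporting service onto a regulated database, which the policy
# generator must refuse to turn into an allow rule.
INVENTORY = [
    Container("shop-web", "shop", "web", "unregulated", (("shop-api", 8080),)),
    Container("shop-api", "shop", "api", "unregulated", (("shop-db", 5432),)),
    Container("shop-db", "shop", "db", "unregulated"),
    Container("claims-api", "claims", "api", "regulated", (("claims-db", 5432),)),
    Container("claims-db", "claims", "db", "regulated"),
    Container("shop-report", "shop", "api", "unregulated", (("claims-db", 5432),)),
]


def generate_policy(inventory):
    """Return (allow_rules, rejected) computed purely from the metadata.

    rejected holds (src, dst, port, reason) tuples for declared dependencies
    that violate a segmentation constraint and therefore get no allow rule.
    """
    by_name = {c.name: c for c in inventory}
    rules, rejected = [], []
    for src in inventory:
        for dst_name, port in src.depends_on:
            dst = by_name.get(dst_name)
            if dst is None:
                rejected.append((src.name, dst_name, port, "unknown destination"))
            elif dst.data_class == "regulated" and src.data_class != "regulated":
                rejected.append((src.name, dst_name, port,
                                 "unregulated workload may not reach regulated data"))
            elif dst.app != src.app:
                rejected.append((src.name, dst_name, port,
                                 "cross-application dependency needs explicit approval"))
            else:
                rules.append(Rule(src.name, dst.name, port))
    return rules, rejected


def is_allowed(rules, src, dst, port):
    """Default deny: a flow is permitted only if an explicit rule matches it."""
    return any(r.src == src and r.dst == dst and r.port == port for r in rules)


def policy_diff(old_rules, new_rules):
    """Rules added/removed when the policy is recomputed after an inventory change."""
    old, new = set(old_rules), set(new_rules)
    return sorted(new - old, key=str), sorted(old - new, key=str)


if __name__ == "__main__":
    rules, rejected = generate_policy(INVENTORY)
    for r in rules:
        print(f"ALLOW {r.src} -> {r.dst}:{r.port}")
    for src, dst, port, why in rejected:
        print(f"REJECT {src} -> {dst}:{port} ({why})")
    # A new container appears; recomputing the policy yields only the delta.
    grown = INVENTORY + [Container("shop-cache", "shop", "db", "unregulated"),
                         Container("shop-api2", "shop", "api", "unregulated",
                                   (("shop-cache", 6379),))]
    added, removed = policy_diff(rules, generate_policy(grown)[0])
    print("added:", added, "removed:", removed)
```

The point the example makes is that the security team never writes a firewall rule by hand: the deployment metadata already states what each workload needs, and the generator turns it into an allow list while refusing anything that crosses the regulated/unregulated boundary. Re-running it on every inventory change keeps the policy in step with containers being created and retired.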
VMblog: What are the benefits of deploying a container-based security model?
Woolward: Historically, the market seems to have concentrated mostly upon image security. While signing and scanning of software to ensure authenticity and identify vulnerabilities is a valuable capability, it is no silver bullet against many other threats. It is rare for cyberattacks against applications to be based upon manipulation or exploitation of the target software (as opposed to more common attacks using stolen credentials or exploitation of existing vulnerabilities). While the threat model changes somewhat with container image repositories, it is clear that concentrating upon image integrity provides very limited protection against common attacks.
Fortunately, we are now seeing this technology becoming commoditized into PaaS stacks, such as Docker repositories, with the focus shifting to runtime security. Runtime security controls allow you to prevent successful attacks on the executing instances of software in your environment. Basic identity, access management, system and network-level segmentation capabilities are being supported in OSS implementations, while cutting-edge innovation and advanced security is being addressed by advanced commercial solutions. The standard DevOps toolchains can be used to furnish the metadata, informing security systems of runtime requirements in real time, and old-fashioned security systems (such as the ancient firewall) are replaced by dynamic security systems that can participate in these ecosystems.
Users are also provided with choice when it comes to segmentation. Technologies such as OpenShift, Mesos and Docker Swarm can provide basic project separation (commoditized capabilities that are a massive improvement on the basic network capabilities in legacy networks). In addition to these base functions, more advanced security controls can be deployed as part of the framework to meet more stringent risk or regulatory control requirements without compromise to agility and speed.
VMblog: What kind of additional infrastructure investments (if any) would need to be made in order for this model to work within an existing enterprise environment?
Woolward: None or minimal, according to your needs. Container technology is leading us to a world where IT can be unshackled from local environmental and infrastructure-level dependencies, and security can be built in. Adopting container technology is simple and unconstrained by the offerings of your cloud provider or concerns around static technologies like firewalls and network hardware that cannot be effectively automated or orchestrated to meet the dynamic needs of the modern infrastructure. Just as virtualization abstracts the hardware, containers abstract the operating system, so the image types and applications within a container can be ported across the network to a similar infrastructure - with a movement afoot to define container portability across hybrid infrastructure environments.
VMblog: Are there particular industry segments that benefit from a container-based security model? And are container-based security models the way
Woolward: Container-based security models, with their data residency and data provenance features, are ideal for agile DevOps and highly regulated environments like financial services, healthcare, critical infrastructure, and retail that are required to closely control their systems and report on those controls for compliance and regulation requirements.
Containers are a transformative technology that promise a world decoupled from traditional hardware and systems software constraints. They now shift the focus to applications and infrastructure that will incorporate increasingly sophisticated security technologies as the infrastructure gets further distributed.
increasing levels of computing density and security will continue to deliver
Once again, a special thank you to Marc Woolward, CTO of vArmour, for taking time out to speak with VMblog and answer a few questions.