VMblog's Expert Interviews: vArmour Talks Container Innovation, Adoption and Security


Recently, vArmour was awarded a patent for segmenting containers, allowing for container-based security: applying security policies based on the type of data a container handles. This patent removes the need for many of the precautions otherwise required when using public clouds. It especially helps companies in regulated industries, for example, to separate regulated from unregulated data and apply different policies to each.

To find out more, I spoke with vArmour's CTO Marc Woolward about the incredibly fast DevOps process that is segmentation, and how it will lead companies to be more secure in the cloud.

VMblog:  What are the driving forces behind container innovation and adoption?  

Marc Woolward:  Containers really began as methods to virtualize UNIX operating systems to provide process separation with high levels of efficiency. Since then, a movement has emerged to develop tools that elevate this technology to the point where it is becoming the preferred method for building and deploying modern software into cloud environments. Major factors driving increased adoption of containers include tools to increase developer productivity and agility, and the enablement of modern, anti-fragile microservices application architectures. Furthermore, the functionality delivered by platform-as-a-service (PaaS) stacks provides not only the correct level of abstraction to enable agile operations but also is beginning to offer companies the opportunity to deploy across multi-cloud venues (both public and private infrastructure-as-a-service environments) without having to deal with the complexity of technical inconsistencies in each location.

With containers, each application (or even process) running on a server gets its own, isolated environment to run. However, those containers all share the host server's operating system. So you not only have abstraction around the workload, you also have portability. Since a container doesn't have to load up an operating system, it can be created almost instantly. This speed of spinning up an instance crunches data center response times when an application faces a sudden surge in activity and more resources need to be provisioned immediately. As can be expected, there is a significant benefit to data center economics with such a model - less spending on hardware, data center building and renting, and hiring fewer people to manage all the infrastructure. However, the primary driving force of container adoption is "agility" - with the ability to spin up computing resources and retire them almost instantly.

VMblog:  How does security play into container adoption?  

Woolward:  This new form of computing, along with recent learnings around threats and DevOps-style operational models, provides us with the opportunity to factor appropriate security controls and build them into the infrastructure stack across the multi-cloud - regardless of location or cloud service provider delivering the compute capabilities. Security continues to be a high priority on vendor roadmaps, with the security rationale for containers being very high. Containers, by their very nature, are isolated instances that can only access limited system resources, which makes them great for controlled and secure use cases. At vArmour, we have been innovating with patents in multiple software security approaches, including in containers. We were recently awarded a patent for security policy generation using container metadata information. This policy computation method will provide models of expected behavior for the application along with definitions relating to allowed relationships and dependencies. In short, this method allows you to build business-oriented zero-trust policies, while accommodating the dynamic nature of container and microservice architectures.

See the below figure from our recent patent innovation. 
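The policy computation described above (expected behaviour derived from container metadata, allowed relationships, default deny) and the runtime segmentation discussed later in the interview can be illustrated with a small added example; this is not vArmour's patented method or code, and the label scheme (app, tier, data classification) and inventory are constructed for the illustration:

```python
# Added example (not vArmour's code): derive allow-list segmentation rules
# from container metadata and evaluate flows with default deny.
from dataclasses import dataclass


@dataclass(frozen=True)
class Container:
    name: str
    app: str    # application the container belongs to (constructed label)
    tier: str   # web / api / db / collector (constructed label)
    data: str   # "regulated" or "unregulated" (constructed classification)


# Expected-behaviour model expressed as tier-to-tier dependencies.
# Anything not listed here is implicitly denied (zero trust).
ALLOWED_DEPENDENCIES = {
    ("web", "api"),         # a front end may call its own API tier
    ("api", "db"),          # an API tier may reach its own database
    ("web", "collector"),   # any web tier may ship metrics to the shared collector
}


def is_allowed(src: Container, dst: Container) -> bool:
    """Return True only if the flow matches the metadata-derived policy."""
    if (src.tier, dst.tier) not in ALLOWED_DEPENDENCIES:
        return False
    if src.data != dst.data:
        return False   # regulated and unregulated containers never talk directly
    if dst.tier != "collector" and src.app != dst.app:
        return False   # ordinary tiers stay inside their own application
    return True


def generate_rules(containers):
    """Enumerate the explicit allow rules; every other flow is denied."""
    return [(src.name, dst.name)
            for src in containers for dst in containers
            if src is not dst and is_allowed(src, dst)]


# Constructed inventory, not taken from any real environment.
INVENTORY = [
    Container("pay-web", "payments", "web", "regulated"),
    Container("pay-api", "payments", "api", "regulated"),
    Container("pay-db", "payments", "db", "regulated"),
    Container("blog-web", "blog", "web", "unregulated"),
    Container("blog-api", "blog", "api", "unregulated"),
    Container("blog-db", "blog", "db", "unregulated"),
    Container("metrics-collector", "metrics", "collector", "unregulated"),
]

if __name__ == "__main__":
    for src_name, dst_name in generate_rules(INVENTORY):
        print("ALLOW %s -> %s" % (src_name, dst_name))
```

Note that the regulated payments web tier is denied access to the unregulated metrics collector even though the tier dependency itself is listed, which is the data-classification separation the patent description refers to.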


VMblog:  What are the benefits of deploying a container-based security model?

Woolward:  Historically, the market seems to have concentrated mostly upon image security. While signing and scanning of software to ensure authenticity and identify vulnerabilities is a valuable capability, it is no silver bullet against many other threats. It is rare for cyberattacks against applications to be based upon manipulation or exploitation of the target software (as opposed to more common attacks using stolen credentials or exploitation of existing vulnerabilities). While the threat model changes somewhat with container image repositories, it is clear that concentrating upon image integrity provides very limited protection against common attacks. Fortunately, we are now seeing this technology becoming commoditized into PaaS stacks, such as Docker repositories, with the focus shifting to runtime security. Runtime security controls allow you to prevent successful attacks on the executing instances of software in your environment. Basic identity, access management, system and network-level segmentation capabilities are being supported in OSS implementations while cutting-edge innovation and advanced security is being addressed by advanced commercial solutions. The standard DevOps toolchains can be used to furnish the metadata, informing security systems of runtime requirements in real time, and old-fashioned security systems (such as the ancient firewall) are replaced by dynamic security systems that can participate in these ecosystems. Users are also provided with choice when it comes to segmentation. Technologies such as OpenShift, Mesos and Docker Swarm can provide basic project separation (commoditized capabilities that are a massive improvement on the basic network capabilities in legacy networks). In addition to these base functions, more advanced security controls can be deployed as part of the framework to meet more stringent risk or regulatory control requirements without compromise to agility and speed.

VMblog:  What kind of additional infrastructure investments (if any) would need to be made in order for this model to work within an existing enterprise environment?

Woolward:  None or minimal according to your needs. Container technology is leading us to a world where IT can be unshackled from local environmental and infrastructure-level dependencies, and security can be built in. Adopting container technology is simple and unconstrained by the offerings of your cloud provider or concerns around static technologies like firewalls and network hardware that cannot be effectively automated or orchestrated to meet the dynamic needs of the modern infrastructure. Just as virtualization abstracts the hardware, containers abstract the operating system, so the image types and applications within a container can be ported across the network to a similar infrastructure - with a movement afoot to define container portability across hybrid infrastructure environments.

VMblog:  Are there particular industry segments that benefit from a container-based security model?  And are container-based security models the way forward?

Woolward:  Container-based security models, with their data residency and data provenance features, are ideal for agile DevOps and highly regulated environments like financial services, healthcare, critical infrastructure, and retail that are required to closely control their systems and report on those controls for compliance and regulation requirements.

Containers are a transformative technology that promise a world decoupled from traditional hardware and systems software constraints. They now shift the focus to applications and infrastructure that will incorporate increasingly sophisticated security technologies as the infrastructure gets further distributed. With containers, increasing levels of computing density and security will continue to deliver ever-increasing agility.


Once again, a special thank you to Marc Woolward, CTO of vArmour, for taking time out to speak with VMblog and answer a few questions.

Published Tuesday, February 07, 2017 8:01 AM by David Marshall