All The Hype About Containers
Why all the hype about containers? Well, part of it is just something new (or scary, depending on your job description). The rest is real. Containers are the evolution of the virtualization wave that sparked the emergence of public and private cloud. Virtualization’s goal has always been to better utilize hardware resources, allow workloads to be portable, simplify high availability, and allow scale to be user defined and easy to adjust. Removing the connection between hardware and the workload opened up a wide array of possibilities.
So, further streamlining things by removing the workload’s dependency on the operating system should make complete sense, right? For developers, the answer is yes. If your job description or title revolves around security, the answer is not so clear. With the virtualization of hardware and the rise of virtual machines, security could still lean on the best practices of the past. Networks still needed to be secured, and operating systems still needed to be hardened. These are things security has been dealing with for decades. In fact, you can consider virtual machines themselves a type of container.
Why the hesitation now? Security best practices have typically centered on protecting the OS and implementing controls within the OS to protect the processes running on top of it. This is still very important for the non-container workloads that make up a large portion of the processing in public and private clouds, but containers break this mold. Containers present a level of abstraction and isolation from the OS that creates two problems for those of us in security. First, a container is a box we can’t always see into: there may be processes running inside it that I can’t control. Second, containers can seamlessly move between resources, which creates situations with a high degree of unpredictability. Where is it running? How many copies of it are running? Who is it supposed to be talking to? Security is often about reducing variables and controlling the ones that remain. The ephemeral nature of containers works against exactly that. Their very nature and main benefits seem to thrive on the opposite of what security would hope to design.
At McAfee, our job is to help secure the workloads and data that our customers rely on to power their business. This release of MVISION Cloud for Containers is about taking all the best practices around how these systems should be designed and giving customers a strong security foundation even in workloads as dynamic as containers. MVISION Cloud adds 78 policies around container and Kubernetes best practices to our IaaS (Infrastructure as a Service) Configuration Audit capabilities, so that security teams can monitor the implementation of containerized workloads and have confidence that they are starting from a strong security posture. MVISION Cloud continues the push into the DevOps process with Shift Left for containers, which gives developers direct security feedback in their native tools to help ensure that container applications are born secure.
For the security teams that feel uneasy at the mention of containers, we discover these workloads and provide controls consistent with those we provide for other IaaS services, for consistent and reliable CSPM (Cloud Security Posture Management). We can evaluate and monitor all the other IaaS and PaaS (Platform as a Service) components used by these container applications in one location, giving a holistic view of the security posture from container to data. Our cloud-native integrated DLP engine can scan these PaaS storage resources to give critical information context to any security issues. McAfee’s User Behavior Analytics and global threat intelligence network will continue to look for novel threats and add another powerful layer of security to the complete cloud ecosystem. MVISION Cloud with container support will help to ensure that applications are born secure and stay secure, so you can have confidence in the cloud!