Secure Multi-Cloud Application Portability with Containers

The IT discussion of today is not even a traditional IT discussion anymore. Today, we don’t really talk much about machines or hardware - they are mere commodities or “resources” to advance us toward our technology goals. Instead, today we talk about applications and tools as business enablers: their development, management and security; cloud consumption economics; distributed platforms and integrated services. Today, the discussion is ultimately about simplicity, security, scalability, agility, and efficiency in this IT transformation. 

This wave of transformation is shining a beam on technologies like containers. Containers are economical, portable and convenient to develop with, and make a real impact on the bottom line in terms of resource management and utilization. A couple of decades ago, containers began as methods to virtualize UNIX operating systems to provide process separation with high levels of efficiency. Today, containers are becoming the preferred method for building and deploying modern software into cloud environments. With containers, each application (or process) running on a server gets its own isolated environment, while all containers share the host server's operating system. So while you have abstraction around the workload, you also have portability. Since a container doesn't have to load up an operating system, it can be created almost instantly. This speed of spinning up an instance cuts data center response times when an application faces a sudden surge in activity and more resources need to be provisioned immediately. As can be expected, there is a significant benefit to data center economics with such a model. However, the primary driving force of container adoption is really “agility” - the ability to spin up computing resources and retire them almost instantly.

Security is a key consideration in this agile container infrastructure. Container-based models, with their inherent data residency and data provenance features, are ideal for agile DevOps and highly regulated environments (think Financial Services, Healthcare, Critical Infrastructure, Retail) that are required to closely control their systems and report on those controls for compliance and regulation requirements. Container deployments have many factors in common with virtualized and cloud environments, which have long been a challenge to legacy security appliance controls. When moving from virtualized to container deployments, the density and dynamic nature of the environment increases by an order of magnitude, so the problem becomes more extreme: containers are instantiated in a matter of seconds and security needs to keep up. Also, the APIs and control plane in automated and virtualized systems introduce a tremendous amount of complexity and functionality in delivering the actual compute service, exposing a new attack surface. The control plane attack surface becomes something that requires attention, hardening and monitoring. Finally, there is no room to implement a plethora of security controls in the form of agents. You need to ensure that you have adequate security within the container infrastructure, independent of the individual container itself.

Where does vArmour fit into container security?

vArmour makes container security simple and effective by joining the dots across IT operations - from development to infrastructure and security - using APIs and a common language. vArmour is able to translate the requirements of the business and application functionality into both the infrastructure configuration and security controls. vArmour has developed a method for consuming application context from container control planes and schedulers, such as Kubernetes and Mesos Marathon, and plugging it into flexible declarative policies. So you can pre-define application- and business-centric policies of varying styles in ‘natural language’ and then dynamically plug in containers as they are instantiated.

At vArmour, we have been innovating with patents in multiple software security approaches, including in containers. We were recently awarded a patent for security policy generation using container metadata information - this method allows you to build business-oriented zero-trust policies while accommodating the dynamic nature of container and microservice architectures. See a flow diagram below:

[Flow diagram: security policy generation from container metadata]
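To make the idea in the two paragraphs above concrete (label-based intent that is resolved against orchestrator metadata, with containers plugged in as they appear), here is an added, self-contained illustration. It is not vArmour's code or the patented method; the workload records, label keys (`app`, `tier`) and intent format are constructed assumptions that stand in for whatever a scheduler such as Kubernetes or Marathon would actually expose. The point it shows is that the rules are derived from metadata rather than from addresses, that anything not covered by intent is denied by default, and that a newly started container is covered simply by re-running the generator.

```python
"""Illustrative zero-trust rule generation from container metadata (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """A concrete allow rule resolved to addresses; anything not listed is denied."""
    src_ip: str
    dst_ip: str
    port: int


# Constructed sample of what a control plane might report per running container.
# Keys and values are assumptions for this example, not a real scheduler schema.
WORKLOADS = [
    {"id": "shop-web-1", "ip": "10.1.0.10", "labels": {"app": "shop", "tier": "web"}},
    {"id": "shop-app-1", "ip": "10.1.0.20", "labels": {"app": "shop", "tier": "app"}},
    {"id": "shop-db-1", "ip": "10.1.0.30", "labels": {"app": "shop", "tier": "db"}},
    # Same tier names, different application: must not inherit shop's access.
    {"id": "billing-web-1", "ip": "10.1.1.10", "labels": {"app": "billing", "tier": "web"}},
]

# Business-centric intent written against labels, never against addresses (assumed format).
INTENT = [
    {"from": {"app": "shop", "tier": "web"}, "to": {"app": "shop", "tier": "app"}, "port": 8080},
    {"from": {"app": "shop", "tier": "app"}, "to": {"app": "shop", "tier": "db"}, "port": 5432},
]


def matches(labels: dict, selector: dict) -> bool:
    """True when every key/value in the selector is present in the workload's labels."""
    return all(labels.get(key) == value for key, value in selector.items())


def generate_rules(workloads: list, intent: list) -> set:
    """Resolve label-based intent against the current inventory into concrete allow rules."""
    rules = set()
    for statement in intent:
        sources = [w for w in workloads if matches(w["labels"], statement["from"])]
        targets = [w for w in workloads if matches(w["labels"], statement["to"])]
        for src in sources:
            for dst in targets:
                if src["id"] != dst["id"]:
                    rules.add(Rule(src["ip"], dst["ip"], statement["port"]))
    return rules


def is_allowed(rules: set, src_ip: str, dst_ip: str, port: int) -> bool:
    """Default deny: a flow passes only if an explicit rule exists for it."""
    return Rule(src_ip, dst_ip, port) in rules


def on_container_started(workloads: list, intent: list, new_workload: dict) -> set:
    """Dynamic plug-in: add the new container to the inventory and re-derive the rule set."""
    return generate_rules(workloads + [new_workload], intent)


if __name__ == "__main__":
    rules = generate_rules(WORKLOADS, INTENT)
    print("web -> app:8080 ", is_allowed(rules, "10.1.0.10", "10.1.0.20", 8080))
    print("web -> db:5432  ", is_allowed(rules, "10.1.0.10", "10.1.0.30", 5432))
    print("billing -> app  ", is_allowed(rules, "10.1.1.10", "10.1.0.20", 8080))
    scaled = {"id": "shop-app-2", "ip": "10.1.0.21", "labels": {"app": "shop", "tier": "app"}}
    rules = on_container_started(WORKLOADS, INTENT, scaled)
    print("web -> new app  ", is_allowed(rules, "10.1.0.10", "10.1.0.21", 8080))
```

Note that the `billing` web container shares the `tier: web` label with the shop front end yet gets no access to the shop application tier, because the intent selects on both `app` and `tier`; that is the property that lets a single set of business rules be reused across environments without leaking access between applications that happen to be co-located.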

vArmour’s unique architecture allows us to wrap every asset in an environment with its own stateful, application-aware trust boundary, which means it is possible to be really flexible in how you define your security policies. A tremendous benefit of vArmour’s approach is that you can deploy the same set of security and policy controls across entire multi-cloud deployments (private cloud, legacy bare metal, virtualized environments, and public cloud), and we have extended those controls to container and PaaS environments. With vArmour, the entire multi-cloud can be protected using a single integrated system - without adding agents or trying to force-fit legacy controls like appliance-based firewalls into this increasingly dynamic distributed environment. It also means that you have *one* security solution for your containers as well as for the rest of your environment. With vArmour, the entire model is simple, secure and automated from end to end, and delivers a truly integrated and effective security stack for application porting across the multi-cloud.

Container technology is leading us to a world where IT can be unshackled from local environmental and infrastructure-level dependencies, and security can be built in. Just as virtualization abstracts the hardware to disrupt IT operations, containers abstract the operating system to allow application portability across the multi-cloud infrastructure environment. Many organizations, specifically in the service provider and financial services space, are looking forward to new opportunities to transform security by building effective, seamless security into this new stack with vArmour.
