Securing the Cloud

Containers and Microservices
multi-cloud, stateless application architecture
The Gap in Container Security

Containers are becoming the preferred method for building and deploying modern software into cloud environments. With containers, each application (or process) running on a server gets its own isolated runtime environment that shares the host server's operating system. Since a container doesn't have to boot an operating system, it can be created almost instantly. This speed of spinning up an instance compresses data center response times when an application faces a sudden surge in activity and more resources need to be provisioned immediately. This level of agility is the primary driving force of container adoption.

Security is a key consideration in this agile container infrastructure, especially in the runtime environment, where security options are limited. When moving from virtualized to container deployments, the density and dynamic nature of the environment increase by an order of magnitude. Containers break applications into base components or microservices, so instead of 5 or 6 workloads, the same organization would have tens to hundreds of workloads to manage. Because containers can be instantiated in a matter of seconds, it is virtually impossible for traditional firewall-based policy controls to keep up with the changes required to secure them.

Also, the APIs and control plane in automated and virtualized systems introduce a tremendous amount of complexity and functionality in delivering the actual compute service, exposing application internals and thereby revealing a new attack surface. The control plane attack surface becomes something that requires attention, hardening and monitoring.

The vArmour Solution

vArmour DSS provides a simple, agentless approach to runtime container and microservices security. Runtime security controls allow you to prevent successful attacks on the executing instances of software in the environment. vArmour’s unique architecture wraps every asset in the environment with its own stateful, application-aware trust boundary, allowing the isolation of one workload from another.

These advanced controls are very different from the basic L4 firewall separation capabilities found in open source projects, which provide limited visibility and control over east-west communications between containers and microservices. Likewise, vArmour’s approach is very different from an agent-based one. Agents are processes, just as workloads are processes, which makes them difficult to deploy and means they are neither agnostic of nor independent from the individual container itself.

Figure: Container instantiation workflow with vArmour protection next to each asset
Security automation delivers DevOps agility

By first extracting application context and metadata from the underlying container control plane or scheduler (such as Kubernetes and Mesos), vArmour DSS can understand the workload’s intent and the criticality of its task in order to build dynamic, declarative policy controls that can be deployed as containers are instantiated. For example, vArmour can leverage labels indicating whether a workload or pod is for development, test, or production and limit what the pod can do accordingly: all development pods can communicate with each other, but development pods cannot communicate with production pods.
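The development/production rule above, written as a standard Kubernetes NetworkPolicy. This is an added example, not vArmour's own policy format or code; it assumes pods carry an `env` label with the values `development` and `production`, live in a namespace called `apps`, and that cluster DNS runs in `kube-system` with the usual `k8s-app: kube-dns` label (all assumed names).

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: dev-isolation
  namespace: apps                 # assumed namespace
spec:
  # Policy applies to every pod labelled as a development workload
  podSelector:
    matchLabels:
      env: development            # assumed label key/value
  policyTypes:
    - Ingress
    - Egress
  # Only other development pods may initiate connections to these pods;
  # production pods (or anything else) are dropped once this policy selects the pod
  ingress:
    - from:
        - podSelector:
            matchLabels:
              env: development
  # Development pods may only open connections to other development pods ...
  egress:
    - to:
        - podSelector:
            matchLabels:
              env: development
    # ... plus cluster DNS, which an egress policy would otherwise silently break
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system   # assumed namespace label
          podSelector:
            matchLabels:
              k8s-app: kube-dns                          # assumed DNS pod label
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

A `podSelector` inside `from`/`to` without a `namespaceSelector` only matches pods in the policy's own namespace, and the policy is enforced only if the cluster's CNI plugin implements NetworkPolicy.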

Single integrated platform across multi-cloud infrastructure

A tremendous benefit of vArmour’s approach is that it can be deployed with the same set of security and policy controls across an entire multi-cloud infrastructure, whether virtual, cloud, legacy bare metal, container or PaaS environments. With vArmour DSS, the entire multi-cloud can be protected using a single integrated platform - without adding agents or trying to force-fit legacy controls like appliance-based firewalls into this increasingly dynamic distributed environment. With vArmour DSS, the entire model is simple, secure and automated from end to end, and delivers a truly integrated and effective security stack for application porting across the multi-cloud.

  • Deep visibility into communications across individual pods or containers in a highly dynamic microservice-based infrastructure
  • Automate security into the application lifecycle with programmable, stateful policy controls built into DevOps workflows for containers
  • Consistent set of dynamic, fine-grained policy controls across virtual, cloud, legacy bare metal, and container environments