Containerization and the Dawn of Bring Your Own Security


By Brian Maccaba, Waratek

Containerization is not a new concept. The core technology, basic Linux containers, has been available for over a decade. The approach actually dates back to LPAR in IBM mainframes over 30 years ago. Nevertheless, the dramatic growth of Docker makes it look like an overnight success.

The rapid adoption of containerization can be attributed to three primary benefits: software development lifecycle, standardization and resource optimization.

Containerization Benefits

Software development lifecycle. One of the biggest pain points in software development is application deployment and redeployment during the lifecycle of a system (i.e. development, testing, user acceptance, production rollout and of course maintenance). Troubleshooting problems caused by subtle differences in hardware platforms, software versions and configuration settings when applications are moved from server to server can lead to hours and even days of delays. Containerization largely eliminates these issues, because the image carries the application together with its libraries and configuration, so the same artifact runs at every stage. The one thing a container does not carry is the kernel: containers share the host's kernel, so differences in kernel version and host configuration can still surface.

Standardization. The standardization benefits of containerization extend beyond the data center to off-premise deployment on public or private clouds. The use of containers is revolutionizing IT in much the same way that container-based shipping changed freight transport in the 1960s. Using a standard container, any application can now be quickly and easily moved across data centers and private and public clouds.

Resource optimization. Standardized containers can deliver significant savings in infrastructure expenditures. For instance, a single Linux host can run many containers concurrently on one kernel, rather than dedicating a virtual machine with its own operating system to each application. This dramatically reduces hardware and software footprints, thus increasing capacity utilization and reducing costs.

Containerization's Missing Link and BYOS

Until now, the vast majority of container usage has been for internal development projects. This is despite the fact that the greatest promise of containerization is the ease of mobility and deployment across multiple infrastructures, and particularly to public clouds. The primary obstacle to placing containerized enterprise applications in the cloud continues to be security concerns: containers on the same host share a kernel, so the isolation between tenants is weaker than between virtual machines, and the application owner has no control over the provider's host, network or perimeter defenses.

A promising new concept, known as BYOS or "bring your own security" is now emerging. The approach enables the application owner to maintain control over security when they deploy an application to the cloud. The concept is akin to a bring your own bottle policy. A restaurant may have an excellent wine list or none at all, but if it allows patrons to bring their own wine, they are free to choose the option in which they have the greatest confidence and enjoyment.

In IT, BYOS can be compared to the BYOD or bring your own device movement. Initially viewed as a threat to traditional IT, BYOD won out when organizations realized they could no longer mandate a single machine standard. By allowing end users to choose their preferred device, many businesses have benefited from the productivity gains associated with always-on access to work-related communications and information.  

By deploying applications in secure containers, BYOS holds the promise of unlocking pent-up demand for moving enterprise infrastructures to the cloud, since organizations will be able to maintain their security controls and standards outside the data center.

How BYOS Works 

First, BYOS is additive to the existing levels of security provided by the cloud operator. However, it goes much further by delivering what analyst firm Gartner calls runtime application self-protection, or RASP. In BYOS, the container itself instruments the application at runtime: it sees the actual SQL statement, operating-system command or HTML output the application is about to emit and can judge it against what the application's code intended. Because the decision is made at the point where untrusted input reaches its sink, rather than by pattern-matching requests at the perimeter, application self-protection is well suited to defending against the leading input-driven threats, including SQL injection, command injection/process forking and cross-site scripting.

It can also provide real-time intelligence, via alerts, for the application owner with respect to threats or suspicious activity. BYOS can go further, blocking activities that are deemed malicious. Because the controls run inside the container rather than in the provider's perimeter, a breach elsewhere in the cloud (another tenant, a front-end component, a misconfigured network control) does not strip the application of its protection. The caveat is that the container sits on top of the host kernel and hypervisor; a compromise at that layer is beneath anything the container can defend.

Furthermore, by placing RASP in secure containers, BYOS enables organizations to enforce and remotely manage/modify security policies in the cloud in real time without causing any downtime or requiring an application restart. This is particularly important when threat intelligence indicates that a major new attack vector has been discovered, like the zero-day vulnerabilities in Struts 2 and Heartbleed last year, and must be remediated: a runtime rule can act as a virtual patch that blocks the exploit path immediately, buying time for the code or library fix to be built, tested and deployed.
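To make the three points above concrete (a runtime hook that judges a SQL statement at its sink, raises an alert, and honors a policy that can be switched between monitor and block without a restart), here is a small RASP-style guard. It is an added illustration written for this article, not Waratek's product or code. It assumes a deliberately vulnerable lookup function that builds SQL by string concatenation, an in-memory SQLite table constructed for the demo, and a simplified taint model that marks request values and looks for them in the final statement; a production RASP tracks taint through string operations rather than by substring search.

```python
"""RASP-style SQL injection guard: added example, not Waratek's code."""
import re
import sqlite3
from dataclasses import dataclass, field

# Toy SQL tokenizer. Order matters: comments and strings before operators.
TOKEN_RE = re.compile(
    r"(?P<comment>--[^\n]*|/\*.*?\*/)"
    r"|(?P<string>'(?:[^']|'')*')"
    r"|(?P<number>\d+(?:\.\d+)?)"
    r"|(?P<ident>[A-Za-z_][A-Za-z0-9_]*)"
    r"|(?P<op>[<>=!]=|[<>=*/+\-,;()])"
    r"|(?P<ws>\s+)",
    re.S,
)


@dataclass
class Policy:
    mode: str = "block"  # "block" or "monitor"; read on every call, so it can change at runtime


@dataclass
class Rasp:
    policy: Policy
    tainted: set = field(default_factory=set)    # values that arrived from the request
    alerts: list = field(default_factory=list)   # real-time intelligence for the app owner

    def taint(self, value):
        """Mark a request value as untrusted (simplified taint model, see lead-in)."""
        if str(value).strip():
            self.tainted.add(str(value))
        return value

    def check_sql(self, sql):
        """Return tainted values that contribute SQL structure rather than a single literal."""
        tokens = [(m.lastgroup, m.start(), m.end()) for m in TOKEN_RE.finditer(sql)]
        findings = []
        for value in self.tainted:
            start = sql.find(value)
            while start != -1:
                end = start + len(value)
                hit = [t for t in tokens if t[1] < end and t[2] > start and t[0] != "ws"]
                inside_one = len(hit) == 1 and hit[0][1] <= start and hit[0][2] >= end
                if inside_one and hit[0][0] in ("string", "number"):
                    pass  # value sits inside one literal: the shape a parameterized query gives
                elif inside_one and hit[0][0] == "ident" and hit[0][2] - hit[0][1] > len(value):
                    pass  # coincidental substring of a longer identifier ("a" inside "name")
                else:
                    findings.append(value)  # value spans tokens or became structure
                    break
                start = sql.find(value, end)
        return findings

    def execute(self, conn, sql):
        """The sink hook: alert on structural change, block or monitor per current policy."""
        findings = self.check_sql(sql)
        if findings:
            self.alerts.append({"sql": sql, "tainted": findings, "mode": self.policy.mode})
            if self.policy.mode == "block":
                raise PermissionError("RASP blocked SQL injection attempt")
        return conn.execute(sql).fetchall()


def vulnerable_lookup(rasp, conn, name):
    """Deliberately vulnerable application code (string concatenation) that RASP protects."""
    sql = "SELECT id FROM users WHERE name = '" + rasp.taint(name) + "'"
    return rasp.execute(conn, sql)


def demo():
    conn = sqlite3.connect(":memory:")  # constructed sample data
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    policy = Policy(mode="block")
    rasp = Rasp(policy)
    results = {"benign": vulnerable_lookup(rasp, conn, "alice")}
    try:
        vulnerable_lookup(rasp, conn, "x' OR '1'='1")
        results["attack_blocked"] = False
    except PermissionError:
        results["attack_blocked"] = True
    policy.mode = "monitor"  # policy change takes effect on the next call, no restart
    results["attack_monitored"] = vulnerable_lookup(rasp, conn, "x' OR '1'='1")
    results["alerts"] = len(rasp.alerts)
    return results


if __name__ == "__main__":
    print(demo())
```

The guard never inspects the request for attack signatures; it only asks, at the database sink, whether untrusted input ended up as more than one literal value. That is why the same rule catches a numeric `1 OR 1=1` and a quoted `' OR '1'='1` without a signature for either, and why flipping `policy.mode` is enough to move from blocking to alert-only while the application keeps running.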

IT is steadily moving toward a "virtualized everything" model. For example, in addition to the cloud, traditional hardware components such as routers and firewalls are being replaced by software-defined networking and virtualized network functions. BYOS, with its ability to ride on the coattails of containerization, is yet another example.

Brian Maccaba is CEO of Waratek. His former company, Cognotec, developed AutoDeal, a pioneering Web-based foreign exchange trading platform that was adopted by more than 60 banks worldwide. London Institutional Investor magazine named him among the top 30 individuals in Europe and Asia who are harnessing the Internet to transform the financial services industry.