This vendor-written tech primer has been edited by Executive Networks Media to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.
In enterprise IT, disruptive technologies become commercially viable faster than you can say “Moore’s Law.” However, if corporate culture and processes don’t evolve in conjunction with the pace of technology, it can inhibit the benefits of even the most awesome of enterprise apps. One area of IT where corporate culture has stymied progress is cyber security, but the rise of software containers — arguably one of the most disruptive enterprise technologies on the horizon - provides an opportunity to get application security right, or at least make it a whole lot better.
Software containers such as Docker and CoreOS RKT are rapidly being adopted in application development, DevOps, and web application environments due to the significant benefits they offer: speed of deployment, flexibility, scalability and the cost-effective utilization of compute resources.
However, they also introduce new security challenges – they run on a shared kernel, there are challenges with isolating users and processes, they add a layer that obscures visibility into activity on the host, and managing the sheer scale of container deployments is daunting.
Despite those challenges, there are several reasons why containers offer a rare window of opportunity to improve enterprise security in a meaningful way:
1) Make container security the rallying point around which DevOps and Security unite: DevOps is a movement meant to improve and align the relationship between Application Development and Operations teams through automation, communication and collaboration. As noted in the October 2015 Securosis report by Adrian Lane called Putting Security into DevOps, “DevOps represents a cultural change as well…The impact of having Operations, Development, and QA work shoulder-to-shoulder is hard to articulate…You may consider this a 'fuzzy' benefit... until you see it firsthand, and realize how many problems are alleviated by clear communication and shared purpose.”
Corporate security teams are immersed in the same kind of corporate cultural dysfunction as Dev and Ops teams, and could greatly benefit from DevOps-like cultural re-alignment. Adding security into DevOps, or “DevSecOps,” is by no means a novel idea. The concept of baking security into enterprise IT exists and is gaining ground.
What makes DevOps a critical factor in getting container security right is that, aside from the fact that DevOps is driving container adoption, DevOps has seeded a cultural shift required for improving corporate cyber security. DevOps may not have started out with security in mind, but security teams can leverage DevOps to reset their relationship with development and operations teams, and then recreate that dynamic with other IT groups. If we choose to make container security the rallying point around which DevOps and Security unite, it creates the opportunity to automate key security processes, providing a successful case study for subsequent cultural change.
Sign up for CIO Asia eNewsletters.