Context: How Will Everybody Secure Microservices?
This week at DockerCon in Seattle, Docker Inc. CEO Ben Golub repeated a statement we’ve heard from him before: More enterprises are moving to Docker, he said, because of their concerns about security. By implication, Golub says that container security, with its rapidly increasing use of package encryption and digital signing, cannot possibly be worse than the state of security with which enterprises cope today.
It is not Docker Inc.’s responsibility, nor that of any one company, nor even any one development community, to secure the entire infrastructure of the data center or the cloud. It is everyone’s duty, however, to participate in the process. Still, the reason people resort to disruption or to revolution is because both are far easier to achieve than consensus. You think fighting off the British Redcoats was hard? Try writing a constitution.
Last February 29, the Cloud Security Alliance met in San Francisco to discuss the pressing needs of the cloud service provider community. The architectural peculiarities introduced by containerization were at the forefront of the agenda, although some participants were genuinely concerned about whether the move to containers had any direction to it at all.
I asked a CSA security panel that day how the move to containerization changes the security skills necessary for infosec professionals to secure the infrastructure, especially with respect to the use of monitoring tools.
“Containers are changing everything,” responded Veracode director of security technology Erik Peterson, “but most importantly, it’s a road on what ultimately will be serverless computing, because people are trying to get away from managing all the underlying infrastructure, and all this other stuff. If I can just package everything up, build out my microservices architecture with a bunch of containers and deploy it quickly, all my problems will go away.
“Except that people are building containers with no idea as to what they’re composed of,” Peterson continued. “They’re going, ‘I’ll just go and grab that from the internet and download it.’ They’re running completely untrusted software. So you have to know what is happening inside those containers. But it certainly is pretty impressive; I think the companies that are going to get the most leverage out of containerization, invest heavily in systems to manage infrastructure… because that’s going to allow people to manage that and not get buried in tracing containers down all day long. But it’s a real Wild West. Not a lot of people have figured out all the challenges there.”
In a way, the security products and services community appears content to wait and see what direction the containerization process takes before joining the movement further down the road. That leaves it to Docker, at least in the meantime, to explain how Docker security will encompass the entire data center. In very few data centers around the world does containerization constitute the entire infrastructure. Last year, VMware warned customers that a move away from hypervisor-driven virtualization was the equivalent of a wagon train to Erik Peterson’s “Wild West.”
Our latest edition of The New Stack: Context dives nose-first into three sides of the container security pond simultaneously, to see which side cracks first. In this podcast, you’ll hear more from our visit to the Cloud Security Alliance summit at the last RSA Conference, where we’ll talk to the cloud service provider community and the security services community. And we’ll compare their vantage points to that of Docker, which so far has had to go it alone with respect to forging a new model for infrastructure security.
Show 2: Microservices and the Unsustainable Security Model
Docker is a sponsor of The New Stack.