Developers are starting to embrace containers, whether they be Docker containers, Kubernetes pods, or Amazon EC2 instances. As a result, container security is one of the top concerns of enterprises considering whether or not containers are right for their stack.
For chief technology officers and IT management teams, the focus is on ensuring these containers are both visible and secure when deployed on a production-ready system. Bringing the flexibility of containers into today’s enterprise has been a long-standing goal of cloud-focused organizational platforms such Joyent.
In this episode of The New Stack Analysts embedded below, we delve into a discussion surrounding the security of containers at scale, how hardware visualization impacts container security and the ways in which Joyent has contributed to the ongoing use of containers in production. The New Stack founder Alex Williams teamed up with co-host and e-book editor Benjamin Ball to speak with Joyent CTO Bryan Cantrill to hear his thoughts on these issues and more.
During a Twitter poll earlier in the year, Joyent discovered that for over 50 percent of the technology industry, its biggest hurdle to putting containers to work in production was security. Simply put: How could enterprises ensure that their containers were secure, while their developers and IT team members were able to connect them in such a way that services were still discoverable across their infrastructure.
For every concern regarding security, Cantrill noted there were and still are more pressing issues: “If you’re concerned about security, you probably don’t know about the disaster that is container networking for a bunch of these stacks. Security is one of the things you need to address first, though there are a bunch of different concerns. It’s tough, because (security) needs to be designed in constraint when you build a system. It is very hard to retrofit,” said Cantrill.
Joyent has taken a multi-tenant approach to container security. As such, two containers can work together in tandem as Internet-facing pieces of one’s stack, while not being able to impact other containers or the system negatively. All Joyent containers can be discovered across the network, meaning less overall frustration as opposed to sequestering containers on their private island of VMs.
“Sometimes, you’ll see containers partitioned off in a hardware virtualization layer which prevents the containers from interfering with one another. By doing that, you’ve created exactly the problem containers were designed to solve. If you have containers sitting on islands of VMs or are relying on hardware virtualization, it recreates all these problems,” Cantrill went on to explain.
In the rush to get code deployed, developers may find themselves having to go back into their code to tighten up its security or address safety concerns. To Cantrill, this is the wrong approach. “That can be the wrong time to have that thought process; you need to have that in the beginning,” he said. To combat this, Joyent has put into practice a container naming service which allows for containers to be discovered and provisioned while also running natively. Running containers natively with a container-native and secure infrastructure in place, Cantrill noted, is crucial to developers having the ability to branch off and solve other problems.
“It’s not just security, it’s all the things building a secure system allows you to do,” Cantrill said.
Feature image via Pixabay.