Security Must be a Top Priority with Container Deployments

12 Jul 2016 7:48am, by

Developers are starting to embrace containers, whether they be Docker containers, Kubernetes pods, or Amazon EC2 instances. As a result, container security is one of the top concerns of enterprises considering whether or not containers are right for their stack.

Bryan Cantrill, Joyent CTO
Bryan Cantrill is the chief technical officer at Joyent, where he oversees worldwide development of the Triton Elastic Container Service, as well as SmartOS, SmartDataCenter and Node.js platforms. Prior to joining Joyent, Bryan served as a distinguished engineer at Sun Microsystems, where he spent over a decade working on system software. In particular, he co-designed and implemented DTrace, a facility for dynamic instrumentation of production systems. Bryan also cofounded the Fishworks group at Sun, where he designed and implemented the DTrace-based analytics facility for the Sun Storage 7000 series of appliances.

For chief technology officers and IT management teams, the focus is on ensuring these containers are both visible and secure when deployed on a production-ready system. Bringing the flexibility of containers into today’s enterprise has been a long-standing goal of cloud-focused organizational platforms such as Joyent.

In this episode of The New Stack Analysts embedded below, we delve into a discussion surrounding the security of containers at scale, how hardware virtualization impacts container security and the ways in which Joyent has contributed to the ongoing use of containers in production. The New Stack founder Alex Williams teamed up with co-host and e-book editor Benjamin Ball to speak with Joyent CTO Bryan Cantrill to hear his thoughts on these issues and more.

During a Twitter poll earlier in the year, Joyent discovered that for over 50 percent of the technology industry, the biggest hurdle to putting containers to work in production was security. Simply put: how could enterprises ensure that their containers were secure, while their developers and IT team members were still able to connect them in such a way that services remained discoverable across their infrastructure?

For every concern regarding security, Cantrill noted there were and still are more pressing issues: “If you’re concerned about security, you probably don’t know about the disaster that is container networking for a bunch of these stacks. Security is one of the things you need to address first, though there are a bunch of different concerns. It’s tough, because (security) needs to be designed in constraint when you build a system. It is very hard to retrofit,” said Cantrill.

Joyent has taken a multi-tenant approach to container security. As such, two containers can work together in tandem as Internet-facing pieces of one’s stack, while not being able to negatively impact other containers or the system. All Joyent containers can be discovered across the network, meaning less overall frustration as opposed to sequestering containers on their own private islands of VMs.

“Sometimes, you’ll see containers partitioned off in a hardware virtualization layer which prevents the containers from interfering with one another. By doing that, you’ve created exactly the problem containers were designed to solve. If you have containers sitting on islands of VMs or are relying on hardware virtualization, it recreates all these problems,” Cantrill went on to explain.

In the rush to get code deployed, developers may find themselves having to go back into their code to tighten up its security or address safety concerns. To Cantrill, this is the wrong approach. “That can be the wrong time to have that thought process; you need to have that in the beginning,” he said. To combat this, Joyent has put into practice a container naming service which allows for containers to be discovered and provisioned while also running natively. Running containers natively with a container-native and secure infrastructure in place, Cantrill noted, is crucial to developers having the ability to branch off and solve other problems.

“It’s not just security, it’s all the things building a secure system allows you to do,” Cantrill said.

Docker and Joyent are sponsors of The New Stack.

Feature image via Pixabay.
