Where are you using WebAssembly?
Wasm promises to let developers build once and run anywhere. Are you using it yet?
At work, for production apps
At work, but not for production apps
I don’t use WebAssembly but expect to when the technology matures
I have no plans to use WebAssembly
No plans and I get mad whenever I see the buzzword
Cloud Native Ecosystem / Containers / Kubernetes / Security

Security Must be a Top Priority with Container Deployments

Jul 12th, 2016 7:48am by
Featued image for: Security Must be a Top Priority with Container Deployments

Developers are starting to embrace containers, whether they be Docker containers, Kubernetes pods, or Amazon EC2 instances. As a result, container security is one of the top concerns of enterprises considering whether or not containers are right for their stack.

Bryan Cantrill, Joyent CTO
Bryan Cantrill is the chief technical officer at Joyent, where he oversees worldwide development of the Triton Elastic Container Service, as well as SmartOS, SmartDataCenter and Node.js platforms. Prior to joining Joyent, Bryan served as a distinguished engineer at Sun Microsystems, where he spent over a decade working on system software. In particular, he co-designed and implemented DTrace, a facility for dynamic instrumentation of production systems. Bryan also cofounded the Fishworks group at Sun, where he designed and implemented the DTrace-based analytics facility for the Sun Storage 7000 series of appliances.

For chief technology officers and IT management teams, the focus is on ensuring these containers are both visible and secure when deployed on a production-ready system. Bringing the flexibility of containers into today’s enterprise has been a long-standing goal of cloud-focused organizational platforms such Joyent.

In this episode of The New Stack Analysts embedded below, we delve into a discussion surrounding the security of containers at scale, how hardware visualization impacts container security and the ways in which Joyent has contributed to the ongoing use of containers in production. The New Stack founder Alex Williams teamed up with co-host and e-book editor Benjamin Ball to speak with Joyent CTO Bryan Cantrill to hear his thoughts on these issues and more.

During a Twitter poll earlier in the year, Joyent discovered that for over 50 percent of the technology industry, its biggest hurdle to putting containers to work in production was security. Simply put: How could enterprises ensure that their containers were secure, while their developers and IT team members were able to connect them in such a way that services were still discoverable across their infrastructure.

For every concern regarding security, Cantrill noted there were and still are more pressing issues: “If you’re concerned about security, you probably don’t know about the disaster that is container networking for a bunch of these stacks. Security is one of the things you need to address first, though there are a bunch of different concerns. It’s tough, because (security) needs to be designed in constraint when you build a system. It is very hard to retrofit,” said Cantrill.

#97: Security Must be a Top Priority with Container Deployments

Joyent has taken a multi-tenant approach to container security. As such, two containers can work together in tandem as Internet-facing pieces of one’s stack, while not being able to impact other containers or the system negatively. All Joyent containers can be discovered across the network, meaning less overall frustration as opposed to sequestering containers on their private island of VMs.

“Sometimes, you’ll see containers partitioned off in a hardware virtualization layer which prevents the containers from interfering with one another. By doing that, you’ve created exactly the problem containers were designed to solve. If you have containers sitting on islands of VMs or are relying on hardware virtualization, it recreates all these problems,” Cantrill went on to explain.

In the rush to get code deployed, developers may find themselves having to go back into their code to tighten up its security or address safety concerns. To Cantrill, this is the wrong approach. “That can be the wrong time to have that thought process; you need to have that in the beginning,” he said. To combat this, Joyent has put into practice a container naming service which allows for containers to be discovered and provisioned while also running natively. Running containers natively with a container-native and secure infrastructure in place, Cantrill noted, is crucial to developers having the ability to branch off and solve other problems.

“It’s not just security, it’s all the things building a secure system allows you to do,” Cantrill said.

Docker and Joyent are sponsors of The New Stack.

Feature image via Pixabay.

Group Created with Sketch.
TNS owner Insight Partners is an investor in: Docker, Simply.
THE NEW STACK UPDATE A newsletter digest of the week’s most important stories & analyses.