Security concerns are among the reasons enterprises cite for holding off on deploying containers. To a certain extent, those fears are exacerbated by the way enterprise security guidelines and compliance measures are designed to work. Guided by a 20th-century understanding of computer systems, security control guidelines state that system owners and maintainers must thoroughly understand the nature of systems before adopting them.
For example, the U.S. National Institute of Standards & Technology, in document NIST 800-53 for federally owned systems, suggests that the Chief Information Officer of an organization thoroughly assess the organization’s information systems. It’s up to the CIO, says NIST, to determine which “common security controls” from everyday practice can be adopted without change, and which others must be “system-specific.” When a technology isn’t commonplace, it’s a safe bet that system-specific controls not only need to be identified — they have to be created.
So part of the fear of system insecurity may actually be translated as the anticipation of a longer to-do list.
If a new application platform such as Docker is ever to be adopted by institutions that are still dependent upon VMs, first-generation application servers, or even mainframes, the question of how to identify its security controls needs to render the system-specific question moot. Put another way, its security controls need to be perceived as common — as essentially no different in concept from what’s already in place. It needs to be obvious to CIOs that their own best security practices will not need to be completely rethought.
Last month, long-time security services provider Vormetric began implementing what it calls Docker Transparent Encryption — the first stage in what Vormetric characterizes as a new effort to make containerization security mainstream. For well over a decade, Vormetric has offered an encryption agent that plugs into operating systems, encrypting data at rest and decrypting it just in time, while producing security logs detailing how encrypted files are accessed, when, where, and by whom.
So Vormetric did not have to re-invent the wheel here for Docker containers. The trick, though, is for its encryption agent to work from the container host operating system, not from the OS running inside the container.
“Transparent Encryption is a software agent that runs on Windows, Linux, or Unix,” explained Charles Goldberg, Vormetric’s senior director of marketing, in an interview with The New Stack. “The agent talks to our Data Security Manager to get the access control policies and the encryption policies, and it reports back any kind of access that someone attempts.”
A typical large enterprise customer of Vormetric may already have tens of thousands of encryption agents working simultaneously worldwide, all of which are in contact with the Data Security Manager. This is typically an on-premise, rack-mount, 1U storage appliance, although Vormetric now offers a virtual equivalent. Enterprise customers already invest in Vormetric DSM as a means of securing whatever applications they happen to be running, and bring them into compliance with privacy guidelines such as NIST 800-53.
So Vormetric’s goal with Transparent Encryption is simply to extend what DSM already does to containerized environments, altering as little of their security controls as possible — preferably none at all.
Sealing the SUDO Hole
First and foremost, Vormetric TE would address the problem of unauthorized tampering with the files that constitute containers. Granted, Docker Trusted Registry also tackles this same issue, albeit from the registry’s perspective rather than the host’s. TE encrypts the containers themselves at rest while they’re in repositories such as Docker Hub. Of course, this may make sharing with the world at large a bit difficult; but conceivably, with a private registry, this could set up a level of access control that’s on a par with, say, VMware vCenter encrypted servers.
“We encrypt the images, then we control who’s allowed to access these images. And one of the unique capabilities of [TE] is that it’s process-aware,” Goldberg continued. This way, he said, if a person tries to execute a Linux su command to gain admin privileges, or a sudo command to run a process as though he had admin privileges, the policies kept on DSM would forbid the change, and the unauthorized attempt would be logged. And yes, the logs themselves are encrypted using TLS.
Next, TE addresses encryption for external data volumes through network shares. This is something of a sore point with Vormetric, which perceives network share mounts as a critical security problem for all of container architecture. NFS mounts create the potential for a situation where a non-privileged user can be authenticated as the same user as that of an existing container, and then access the same storage share as the container, Goldberg said.
“What we do, since we’re an agent in the file system, this is where we intercept the data,” said Goldberg. “So when you create an NFS mount to a NAS drive, we encrypt that data before it gets stored. What that means is, if anyone tries to take the data or view the data that the Docker applications are creating or using, it’s protected. You’re protected if someone infiltrates a NAS server, a SAN server, or the cloud, and tries to steal that data. Before it leaves the host operating system, we’re going to encrypt it, and you can only decrypt it when you come back through the host operating system to the authorized containers.”
Would this same authorization scheme work in a situation where containers are spread across storage systems, or perhaps across clouds? Not quite yet, Goldberg admitted, though he reminded us that Transparent Encryption is the first stage of what Vormetric promises to be an ongoing effort to move its existing encryption assets into the realm of containerization. A future stage, he admitted to us, will very likely involve SAML. Up to now, The New Stack has gotten away scot-free, as it were, with not having to explore SAML with the same depth as, say, YAML. Alas, 2016 looks like it will mark the end of that free ride.
Encrypt Virtually Everything
Vormetric’s product literature describes Transparent Encryption as giving organizations the power, if you will, to decide what, when, and where to encrypt. Arguably, the need for such power is questionable, especially in the eyes of advocates of total encryption of everything that passes over a network.
Charles Goldberg gives credit to the basic goal of such a movement. But in practice within enterprises, he told us, the adoption of the first generation of virtualization, let alone containerization, has already rendered it difficult enough for businesses to keep track of all the different files and versions currently in use. Of course, we all know about Git, and developers know about JFrog’s Artifactory; but these systems don’t address the needs of the infosec professional who isn’t using developer tools to maintain files and versioning.
It’s pretty obvious how to encrypt data in motion, said Goldberg. Site-to-site traffic needs IPsec; HTML traffic needs TLS; device-to-device needs SSH.
“When it comes to data, there are different methods you need to encrypt … If I want to be PCI-compliant, and I want to take my data out-of-scope of a PCI audit, I’m going to have to use tokenization, and have to focus on cardholder data. So I might need a solution like tokenization that’s column-level. If I’m looking to secure a complete database, then Vormetric TE is great; but there are certain times when companies don’t subscribe to ‘Encrypt Everything.’ They want to be able to encrypt their finance, HR, and engineering data, but not this other set of data, for whatever reason — maybe they’re legacy systems.
“So at the end of the day, we want to give customers the tools they need to successfully protect their business. We are educating on the advantages of ‘Encrypt Everything,’ and [TE] is a fantastic solution for accomplishing ‘Encrypt Everything.’ But at the same time, there are times you need to be more surgical, and we’ll enable that too.”
Title image of the walls of Nicosia fort, Cyprus, by Giacomo Franco, licensed through Creative Commons 2.0.
The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Docker, JFrog.