For many security engineers, containers are still a novel concept. Developers are the first to want containerization on their enterprise platforms, and C-suite executives may be starting to recognize their considerable benefits as well. So now, the task is falling on IT security personnel to determine the security issues involved with container deployment. From their perspective, containerization alters their risk assessments, whether or not they choose to address the technology.
So when word of a demonstration of container platform security from Vormetric spread among visitors on the floor of the RSA 2016 security conference in San Francisco on Wednesday, the company's little glass-covered demo theater was jammed with spectators.
How CISOs See Containers for the First Time
A Vormetric container is a Docker container that runs under Vormetric's protection. As we reported a few months back, the Vormetric Transparent Encryption agent runs on the host operating system rather than inside the container. Because it sits at that level, it never has to break the container barrier, yet it still encrypts the data those containers access at rest, and it communicates access control and encryption policies back to the company's long-standing Data Security Manager.
But since that time, organizations have had greater choices about how their containerization platforms are orchestrated and monitored. Is that having an effect on how Vormetric applies policies to them?
“Our focus — where we started out — is to secure the container, and the data that’s accessed by the container,” responded Ashvin Kamaraju, Vormetric’s vice president for product development, speaking with us at RSA 2016. “That plays to our strength, and that’s where we are starting.
“In terms of the orchestration frameworks, we’re still learning from what kinds of frameworks our customers would be using – whether they’re going to adopt Rancher or Mesos. We haven’t really got a definite opinion because I think some of the enterprise customers are more in the early adopter cycle, and they’re learning how they’re going to deploy these microservices and what orchestration frameworks they should be using.”
Kamaraju believes the host OS is the most viable location for learning about what’s running within a container, without piercing the barrier of that container itself. Vormetric does produce audit logs that describe the resources that containers are accessing, and under whose account. Those logs are then pushed to a security intelligence tool such as Splunk, rather than Vormetric processing all the analytics through an engine of its own.
The peculiar challenge of applying access control policies to containers in this manner concerns scalability. In almost any architecture involving communications between components, as the number of components grows linearly, the potential chatter between them grows roughly with the square of that number, since every component may need to talk to every other. Docker was able to pull off an extraordinarily effective demonstration of scalability, to a degree never before seen at the time, largely because access control was not part of the exercise.
Scaling Access Control
But for many enterprises, access control is a requirement, not just for IT security professionals but for risk managers whose job is to keep costs under control. Some organizations already have Vormetric’s Data Security Manager in their data centers. “Access,” from this perspective, applies to accounts.
In a microservices environment, however, where containers spin up other containers for their own purposes, “access” may be an act performed by something that didn’t exist a minute ago, and won’t exist a minute from now. How can Vormetric adapt to this new concept of large-scale deployment, while at the same time retaining its existing view of access control for existing environments?
“We’re learning how they’re deploying these microservices,” said Kamaraju, “and how much of a variety there’s going to be in that. But usually policies that our customers use today are grouped together, in the sense that if there’s an Oracle database that’s being deployed, then the same policy applies: You create a template, and you roll it out to all the hosts running Oracle database having similar attributes. Ditto for other apps.”
It’s also feasible to apply the same set of policies to a group of hosts, or to a set of containers, or a cluster of users, the development VP added.
“Our policies consist of rules, and an encryption key associated with the policies,” he explained further. “We also have the notion of signature sets, which means you can assign your apps with our security. That means we’ll authenticate and check the signatures before you allow the processes access to the data. So it’s not just users; the time dimension is also there, where time-wise you can control when somebody has access. You have user-based, process-based, and signature set access.”
It's feasible to extend this grouping to new processes, meaning the following can indeed be automated: a microservices-oriented container spins up a new container; that container can be authorized and given an identity; existing policies can be assigned to it; and it can be authenticated for accessing resources in other containers. Yet the grouping is defined only once, and the policies exist only once, because the agent that enforces them runs once per host operating system rather than once per container. Vormetric sidesteps the scalability problem by not multiplying the agents that would otherwise be generating the chatter.
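To make the policy model Kamaraju describes concrete (rules plus an encryption key, matched on user, process, a signature set and a time window, with one template bound to a whole group of hosts or containers), here is an added illustrative evaluator. It is not Vormetric's code and does not reproduce the product's policy format or agent; every host name, account, key identifier and binary below is constructed for the example, and the "signature" is simply a SHA-256 digest of the executable's bytes, which is one common way a host agent can authenticate a process before it is allowed to read protected data.

```python
"""Host-side data-access policy evaluation, modelled on the concepts in the article.

Added example; NOT Vormetric's implementation. All identifiers and data are constructed.
"""
import hashlib
from dataclasses import dataclass
from datetime import time
from typing import Dict, FrozenSet, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    users: FrozenSet[str]            # OS accounts allowed; empty means any user
    signature_set: FrozenSet[str]    # SHA-256 hex digests of binaries allowed; empty means any
    time_window: Optional[Tuple[time, time]]  # (start, end); None means always
    effect: str                      # "permit" or "deny"


@dataclass(frozen=True)
class Policy:
    name: str
    key_id: str                      # reference to the key the protected data is encrypted with
    rules: Tuple[Rule, ...]          # evaluated in order; first match wins


@dataclass(frozen=True)
class AccessRequest:
    member: str                      # host or container the request came from
    user: str
    binary: bytes                    # executable bytes as read by the host agent (constructed here)
    at: time


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _in_window(window: Optional[Tuple[time, time]], at: time) -> bool:
    if window is None:
        return True
    start, end = window
    if start <= end:
        return start <= at <= end
    return at >= start or at <= end  # window that wraps past midnight


def evaluate(policy: Policy, req: AccessRequest) -> Tuple[str, Optional[str]]:
    """Return (effect, key_id). The key reference is released only on a permit."""
    digest = sha256_hex(req.binary)
    for rule in policy.rules:
        if rule.users and req.user not in rule.users:
            continue
        if rule.signature_set and digest not in rule.signature_set:
            continue
        if not _in_window(rule.time_window, req.at):
            continue
        return rule.effect, (policy.key_id if rule.effect == "permit" else None)
    return "deny", None  # default deny when no rule matches


def bind_template(policy: Policy, members: Iterable[str]) -> Dict[str, Policy]:
    """One template applied to a group of hosts or containers; the policy object is shared, not copied."""
    return {m: policy for m in members}


def audit_record(req: AccessRequest, policy: Policy, effect: str) -> Dict[str, str]:
    """Shape of a log line a host agent could forward to a SIEM such as Splunk (constructed format)."""
    return {"member": req.member, "user": req.user, "policy": policy.name,
            "binary_sha256": sha256_hex(req.binary), "time": req.at.isoformat(), "effect": effect}


# Constructed stand-ins for an approved database executable and a tampered copy of it.
ORACLE_BINARY = b"\x7fELF constructed stand-in for the database executable"
TAMPERED_BINARY = ORACLE_BINARY + b" plus injected code"

# One template for every host or container running the database, as the article describes.
ORACLE_TEMPLATE = Policy(
    name="oracle-db-data",
    key_id="key-oracle-example",
    rules=(
        Rule(users=frozenset({"oracle"}),
             signature_set=frozenset({sha256_hex(ORACLE_BINARY)}),
             time_window=(time(6, 0), time(22, 0)),
             effect="permit"),
    ),
)


def demo() -> Dict[str, str]:
    """Bind the template to an existing host and a freshly spawned container, then evaluate requests."""
    bound = bind_template(ORACLE_TEMPLATE, ["db-host-1", "container-7f3a"])
    results = {}
    cases = {
        "good":       AccessRequest("db-host-1", "oracle", ORACLE_BINARY, time(9, 0)),
        "new_member": AccessRequest("container-7f3a", "oracle", ORACLE_BINARY, time(9, 0)),
        "tampered":   AccessRequest("container-7f3a", "oracle", TAMPERED_BINARY, time(9, 0)),
        "wrong_user": AccessRequest("db-host-1", "www-data", ORACLE_BINARY, time(9, 0)),
        "off_hours":  AccessRequest("db-host-1", "oracle", ORACLE_BINARY, time(23, 30)),
    }
    for label, req in cases.items():
        effect, _ = evaluate(bound[req.member], req)
        results[label] = effect
        print(audit_record(req, bound[req.member], effect))
    return results
```

The point of the example is the division of labour the article describes: the template is authored once, binding a new container to it is a dictionary entry rather than a new agent, and the process is authenticated by its signature before any key reference is released, so a tampered binary running under the right account is still refused.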
It appears the container mystique has struck the security community just this year. Vormetric senior director of marketing Charles Goldberg has a theory why:
“Like anything new in technology — we saw this with cloud and big data, and we’re seeing this with Docker — we’re always going to have business groups (not really just ‘Shadow IT’) see the value of the new technology, and they’re very aggressive in adopting that new technology, and it’s often outside the establishment, outside the view of the CISO. And when they start using it, and all of a sudden, it starts becoming more and more deployed, and more sensitive data starts moving into it, then the security group comes in.
“And the challenge is,” Goldberg continued, “they’re always a step behind. ‘What’s this Docker thing?’ And I think that’s why here, at a security conference, we just packed that room… ‘I’m hearing my business groups doing this, and now all of a sudden, it’s coming up to us security people.’ And that’s always a case with these new technologies, but nothing’s ever moved as fast as Docker.”
Docker is a sponsor of The New Stack.
The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Docker.