It’s no secret that software containers are taking the industry by storm–and for a number of good reasons. Containers enable faster application development and deployment as well as easier migration, and have less overhead. It’s not surprising why container adoption has shot up significantly in recent years. According to the 2017 Portworx Annual Container Adoption survey, containers are increasing in relevance with 32% of companies spending $500,000 or more a year on license and usage fees for container technologies, up from a reported 5% last year.
With the popularity of containers, however, comes the issue of security. As a relatively new technology, containers present completely new and unique security challenges that traditional security tools aren’t built to address. CloudPassage, a leader in cloud security automation and compliance monitoring for high-performance application development and deployment environments, aims to help enterprises and their teams ensure a monitored and secured containerized operating environment. The company offers Container Secure, a broad set of automated compliance and security controls for containers. Unveiled in November last year, the solution covers five key elements of container security. These include host security, continuous image assurance, runtime configuration assessment, visibility and compliance, and DevOps ecosystem integration.
SourceForge recently spoke with Ash Wilson, the Strategic Engineering Specialist at CloudPassage, to discuss the increasing adoption of containers, the importance of container security, and how Container Secure delivers the full lifecycle security and compliance that teams need for their microservices and applications across all container deployments.
Q: Please tell us a bit more about CloudPassage. What are the company’s mission and vision? Who are some of your current clients?
Ash Wilson, the Strategic Engineering Specialist at CloudPassage
A: Founded in 2010, CloudPassage was the first company to obtain a U.S. patent for universal cloud infrastructure security and has been a leading innovator in cloud security automation and compliance monitoring for high-performance application development and deployment environments.
CloudPassage Halo is our workload security automation platform that provides universal visibility and continuous protection for servers in any combination of data centers, hybrid architecture, cloud and containers. Today, CloudPassage Halo helps many of the leading global finance, insurance, media, ecommerce, high-tech service providers, transportation and hospitality companies such as Xero, Centrify, Hawaiian Airlines, General Electric, Grubhub and more.
Q: Container technology is rapidly gaining popularity and is becoming one of the fastest growing technology trends today. What factors are driving the increased adoption of containers?
A: The speed-related benefits of containerization accelerate different aspects of agile software delivery. Building and examining a container image that’s only megabytes in size is much easier and faster than building and evaluating an entire operating system image, which may be gigabytes in size. Rapidly performing a security assessment on a container image, in the continuous integration (CI) phase, means that the developer gets instant feedback for security-oriented defects. Fixing defects surfaced during the CI process are less expensive (and less interruptive) than reacting to security problems discovered after production deployment. Catching security-related defects prior to production is key to achieving and maintaining a proactive approach to application security.
Coupling microservice design patterns with container scheduling platforms allows for graceful and rapid application scaling to accommodate variable application load.
Containerization can facilitate faster iteration cycles, more graceful application scaling characteristics, and more secure deployments.
Q: How should development teams approach container security?
A: Performing a security assessment on containerized workloads can be more rapid than with traditional workloads, if the right tools are employed. Traditional security tools are often times prohibitively slow at providing results, and anything that slows down the delivery process is in danger of exclusion. Doing container security rapidly and effectively requires the use of tools built specifically for the task at hand.
Q: What are the best practices for keeping containerized infrastructure safe and secure?
A: Coupled with the file-based configuration employed by container scheduling platforms, the CI process can have access to a clear definition of how an entire application is designed to function, from network behavior through software packages and application code. With the right tools, a more holistic assessment of the fitness of an application release is possible. Push as much security testing as you can into the CI process, and give your developers good feedback on security-related code quality. This will reduce the number of security-related defects found in production and helps to train developers to write more secure applications.
Q: Late last year, CloudPassage released Container Secure as a core component of the CloudPassage Halo platform. Tell us about this newest solution.
A: Assessing the security of container images and containerized workloads requires a different approach in order to avoid unnecessarily slowing down the agile delivery process. CloudPassage Halo’s deployment model places the the Halo agent in the best position for performing that rapid assessment function for container images built in the CI process, as well as containers running in production. When one platform collects very detailed and actionable security information on all workloads in an application, from the base operating system through the containers running in the Docker engine, the task of prioritizing vulnerability remediation becomes much more straightforward.
For businesses adopting a highly-automated security practice, being able to get all workload-related security information from one API with a well-structured data model really cuts down implementation time and level of effort required for maintaining integrations.
The visibility that CloudPassage provides for all workloads–from private datacenter to public cloud, bare metal to containerized–enables businesses to achieve continuous compliance. We create policies to cover a broad set of compliance standards, and being able to automate the consumption of CloudPassage-generated compliance information by a GRC system is a real time-saver.
Q: Containers have been around for a long time, but Docker brought them into the mainstream of application development. And while the platform already has inherent security features, many believe it is still not good enough. How is Container Secure addressing underlying security issues and filling the gaps that Docker’s built-in security features are not able to handle?
A: Container Secure provides visibility from the build process for container images through runtime, including the constraints applied to running containers by Docker. CloudPassage Container Secure enables broad visibility into containers’ entire lifecycle, and enables businesses to adopt containerization in a way that’s fast and secure.
Q: In addition to Container Secure, what other products do you offer? Who are they for?
A: We offer CloudPassage Halo, the world’s leading agile security platform. CloudPassage Halo is an agent model. The extremely lightweight Halo agent deploys on top of any workload (whether that workload is in a traditional data center, public or private cloud, or containers), in order to provide detailed workload visibility along with automated, continuous, and visible compliance checks. Our products include server secure and container secure. CloudPassage Halo also has an easy to use API, which integrates seamlessly with products like Chef, Puppet, Jenkins, and SaltStack.
Q: Looking ahead, what rising trends or technologies do you think will shape container and cloud security? How is CloudPassage meeting these?
A:
- Interest in security tools that address containerized applications will increase as production adoption of containers increases.
- Container security can be seen as an extension of cloud workload security, with aspects that require a different approach in order to maximize effectiveness without slowing down release iteration.
- The pain of integrating a broad set of point solutions will become greater because securing containerized applications requires a different approach in order to be really effective and low-friction. More point solutions mean more integration pain.
- CloudPassage exposes a breadth of analysis and management capabilities in a way that is low-friction and automation-friendly; ease of implementation, integration, and automation leads to a more rapid time-to-value.
About CloudPassage
Founded in 2011, CloudPassage brings organizations automated security baked directly into the DevOps cycle, from the start. CloudPassage offers CloudPassage Halo, an award-winning workload security automation platform. The Halo platform is delivered as a service, so it deploys in minutes and scales effortlessly. Fully integrated with popular infrastructure automation and orchestration tools such as Puppet and Chef, as well as leading CI/CD tools such as Jenkins, Halo secures the enterprise where it’s most vulnerable—application development and workload deployment.