Rocketing into the Future: Can Containers Help Secure the Cloud?

Dominic Delmolino is vice president for systems architecture and engineering at Agilex.  

As my colleague, Roger Baker, noted in his recent Nextgov article, commercial clouds are more secure than ever, surpassing the security of most government data centers. Unfortunately, that strong security has defined limits, resulting in a shared security responsibility.

While cloud providers offer solid tools for network and application security, individual cloud applications and servers still need to be secured by IT professionals, many of whom are still coming up to speed on cloud security tools and concepts.

Creating and launching a secure cloud server isn’t easy, and the work that goes into making a cloud server that balances developer demands for instantaneous creation against operational security is often underappreciated.

At one of my customers, the operations group has been able to create a reasonably useful and secure cloud server image that starts up in about 30 minutes. During the startup process, the server ensures it has the latest vulnerability patches and security updates, registers itself with intrusion detection and virus scanning services and links up with central logging and monitoring servers. The result is an approved, secure cloud server that can be used to host production applications in the cloud.

Thirty minutes may seem fast to some folks, but to developers who want to test application deployments using server images, 30 minutes can seem like an eternity. Developers want fast startup/shutdown cycle times for testing and my customer’s operations group thinks it has found a way to get the best of both worlds.

Enter Server Containers

You may not know it, but you’ve probably already encountered something similar to containers if you use a smartphone. On many smartphones today, your apps run in what’s called an application “sandbox,” where apps are “boxed” in by the operating system so that they can’t run amok on your phone.

The upshot of apps running in their own containers like this means that they don’t need to modify your phone’s settings in order to work for you. Installing and uninstalling apps has become a breeze, and you never have to “reboot” your phone when changing the applications on it.

Cloud server containers, like Docker, aim to provide developers and administrators with similar capabilities for enterprise applications.

My customer and I believe that this combination of rapid application installation and controlled access to the underlying system will provide developers and operations with capabilities they both need to fully exploit the cloud.

A New Area for Cloud Competition

My customer isn’t the only one thinking this way. Among cloud aficionados, the Google Cloud Platform is generally acknowledged to have top-notch container support. Furthermore, Google has rich capabilities to coordinate containers using an orchestration framework called Kubernetes. Red Hat has announced its popular OpenShift PaaS product will be re-written using Docker containers and Kubernetes. Even Amazon Web Services announced a container management service (free of charge!) at its annual re:Invent conference in November.

Are They Secure Enough?

While competition in this space is exciting, not everyone thinks the leading container standard (Docker) is secure enough for widespread production use. The most common concern is that applications can “break out” of their containers and wreak havoc with the underlying server.

With Docker suffering its first exploit last June (since patched), competitors have sensed an opportunity. Last month, CoreOS, a company that specializes in building minimal configurations of Linux for production servers, announced its intent to produce a lightweight and highly secure container standard known as Rocket.

Another Step Toward Continuous Delivery

A competition for which container standard is more secure can only benefit enterprise customers, as security is one of the few areas that have resisted the efficiency gains due to agile, devops and cloud. Many of the projects I’ve worked on in the past year have had their immense productivity gains jeopardized by end-of-cycle security reviews. Focusing on how to address security concerns in a standard, repeatable, and, most important, rapid fashion will break down another barrier in the quest for real continuous delivery in government IT.

Google appears to agree, as last week it announced its beta of a secure container registry service that enables customers to store encrypted container images in the cloud for rapid deployment. Secure agility -- a new and intriguing area of cloud innovation.

(Image via belekekin/Shutterstock.com)