Securing Containers in a Serverless Environment

The world of application development and deployment has evolved rapidly. The transformation from on-premises data centers and a more traditional Waterfall or Agile development model, to virtual servers, to the cloud and, finally, to the explosion of DevOps and containers has fundamentally changed how organizations think about infrastructure and development—and introduced unique security concerns to address at the same time.

Many organizations are still getting up to speed with DevOps and containers. In the meantime, the major cloud platform providers—AWS, Microsoft Azure, Google and others—are transitioning from a familiar model of running a server in the cloud and executing applications on or within that virtual server, to a serverless computing model.

Pros and Cons of Serverless Computing

A cloud-hosted serverless environment provides a variety of benefits, such as removing the need to manage the infrastructure and eliminating the operational costs and performance impact of the server operating system. Developers can just develop in a truly platform-agnostic—or, more precisely, platformless—environment that delivers on the promise of containers.

“You can focus on creating and deploying application workloads, without having to concern yourself with the operating system of the host, or the container orchestration layer, or how to configure and manage the underlying infrastructure in general,” I wrote in a recent post about AWS Fargate.

Serverless computing also comes with some challenges, though. The question IT admins and developers have to answer is, How do you secure and protect containerized applications on a platform where there is no server to run security software from? The serverless environment creates operational blind spots and makes it challenging to have comprehensive visibility—especially for legacy security tools.

Container-Native Security

Serverless computing eliminates the host operating system, orchestration layer and other administrative burdens. But even with your operational overhead reduced, you still need to secure and protect the actual containers running in the serverless environment. Without a host operating system to work with, the only effective option is to use a container-native security solution that incorporates security into the containers themselves.

Embedding security into existing DevOps processes and incorporating it at the container level removes the friction of security and allows organizations to accelerate adoption of containers. Businesses can make the shift to containers—even containers in a serverless environment—and take full advantage of the cost and operational benefits without sacrificing security.

“Security with low friction and low cognitive load wins in a software-defined world,” says Richard Seiersen, CISO at Lending Club. “If your capabilities create development drag and restrict deployment—you and those you protect will lose. Layered Insight’s security model targets this reality with a ‘deploy fast anywhere’ intent.”

Servers, virtual or otherwise, won’t be extinct anytime soon, but things are trending in that direction. Organizations that figure out how to jump on serverless early will have a strategic advantage that will make them more agile and competitive, as long as they also adopt container security that works effectively in a serverless computing world.

Tony Bradley
