How containers are changing the way developers work and apps are built
“Software is eating the world,” a 2011 statement made famous by Marc Andreessen, co-founder of the venture capital firm Andreessen Horowitz, is an accepted part of the high-tech world we live in. However, when we use a phrase repeatedly, we sometimes lose touch with its meaning. Why is software eating the world? What are the implications for our jobs and businesses? What does it mean for cybersecurity?
The phrase “software is eating the world” implies that eventually, every company must become a software company. And in the nine years since Marc made that statement, we are increasingly living in a digital world. To take it a level deeper, the way employees and consumers experience this digitalization of everything is through apps—web, mobile and cloud apps. From an end user perspective, it’s more like apps are eating the world. Apps make or save us money, they run our businesses, they engage our customers and they make our employees more productive. Apps have been driving the evolution of IT since its dawn.
Where do apps come from? From developers, of course. Developers write apps that run on IT platforms, and those platforms have driven the evolution of IT from the mainframe through client-server and the web to today’s DevOps world, a world where open source frameworks cover the whole application life cycle, all the way into the deployment of modern cloud services.
Apps and the IT platforms on which they run have driven the evolution of cybersecurity. Apps create enterprise data and businesses need to protect that data from leaks and attacks. Now that the cloud is the primary development platform to deliver modern apps, it’s imperative for businesses to deeply understand how cloud apps are developed, deployed and managed in order to properly secure enterprise data in the cloud.
Today, the primary deployment method for modern cloud apps is containers and container orchestration frameworks:
- Containers are a way to encapsulate an app or a microservice so that it is self-contained, immutable, portable and lightweight. In the same way that virtualization made it easy to take a virtual machine (operating system and apps) and run it in different virtual environments, containers make it easy to take a containerized application from development to production across any cloud platform that features a container runtime (such as Docker), avoiding configuration and runtime conflicts.
- Container orchestration makes it extremely easy to scale up container-based applications and make them highly available: developers declaratively state the scalability and performance requirements of their application and leave it to the container orchestrator (e.g. Kubernetes) to do the rest.
If this is the world that developers love today, it is important to consider the five main steps that enterprise IT departments need to take to secure container-based apps deployed on IaaS/PaaS platforms such as Amazon AWS, Microsoft Azure or Google Cloud.
Shift Left
One of the best ways to avoid security problems at runtime is to catch them during the development process, in what IT professionals commonly call “shift left.” Shift-left security solutions examine the application source code before it is moved into production, checking for known insecure coding patterns, use of problematic open source components and code configurations that may create deployment-time risks.
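As an added illustration of the kind of check a shift-left tool performs (this is example code written for this article, not the article's own or any vendor's tool), the following scans a Dockerfile, which is exactly the sort of code configuration that creates deployment-time risk, for a handful of well-known insecure patterns. The rule ids (DKR001 and so on), the sample Dockerfiles and the rule set itself are constructed for illustration; a real pipeline would run a maintained linter and dependency scanner at the same stage.

```python
"""Added example, not from the article: a minimal shift-left check that scans a
Dockerfile for a handful of well-known insecure patterns before the image is built.
The rule ids (DKR001...) and the sample Dockerfiles are constructed for illustration."""
import re
from typing import List, Tuple

# Constructed sample Dockerfile that trips every rule on purpose.
SAMPLE_DOCKERFILE = """\
FROM python:latest
ENV DB_PASSWORD=hunter2
ADD https://example.invalid/setup.sh /tmp/setup.sh
RUN chmod -R 777 /app
EXPOSE 22 8080
CMD ["python", "app.py"]
"""

# Constructed clean counterpart: pinned base image, non-root user, no secrets.
CLEAN_DOCKERFILE = """\
FROM python:3.12-slim
COPY . /app
RUN useradd --create-home app && chown -R app /app
USER app
EXPOSE 8080
CMD ["python", "/app/app.py"]
"""

# Heuristic: variable names that usually carry credentials.
SECRET_NAMES = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY)", re.I)


def check_dockerfile(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, rule_id, message) for each finding, in file order."""
    findings = []
    lines = text.splitlines()
    runs_as_non_root = False
    for n, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        instr, arg = parts[0].upper(), (parts[1] if len(parts) > 1 else "")
        if instr == "FROM" and (":" not in arg or arg.split()[0].endswith(":latest")):
            findings.append((n, "DKR001", "base image is unpinned; pin a tag or digest"))
        if instr == "ENV" and SECRET_NAMES.search(arg):
            findings.append((n, "DKR002", "secret-looking variable baked into the image"))
        if instr == "ADD" and re.match(r"https?://", arg):
            findings.append((n, "DKR003", "ADD fetches a remote URL at build time"))
        if instr == "RUN" and re.search(r"chmod\s+(-R\s+)?[0-7]*777\b", arg):
            findings.append((n, "DKR004", "world-writable permissions set in the image"))
        if instr == "EXPOSE" and "22" in arg.split():
            findings.append((n, "DKR005", "container exposes SSH (port 22)"))
        if instr == "USER" and arg and arg.split()[0] not in ("root", "0"):
            runs_as_non_root = True
    # A missing USER instruction means every process in the container runs as root.
    if not runs_as_non_root:
        findings.append((len(lines), "DKR006", "no non-root USER; container runs as root"))
    return findings


if __name__ == "__main__":
    for line_no, rule, msg in check_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {line_no}: {rule} {msg}")
    print("clean file findings:", check_dockerfile(CLEAN_DOCKERFILE))
```

Run against the sample file the check reports six findings, one per rule; the clean file reports none. The value of running this in the build pipeline rather than at runtime is that a failed check blocks the image before it is ever pushed to a registry.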
Configuration and Posture Management
Once the container is deployed on a target cloud platform such as Amazon AWS, measures are needed to ensure that the platform configuration is secure. There are hundreds of configuration knobs on any of the IaaS/PaaS platforms, from storage bucket encryption to which network ports are open, and so on. These settings vary by platform and are behind most of the major data exfiltration incidents that have made the news lately.
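To make the posture-management step concrete, here is an added example (not the article's or any provider's code) of a rules check run over a configuration snapshot. The inventory format, including the field names storage_buckets, encryption_at_rest, public_access and security_groups, is an assumption invented for this illustration rather than any cloud provider's real API schema; a real tool would populate the same structure from the provider's inventory APIs and carry hundreds of rules instead of three.

```python
"""Added example, not from the article: a small posture check over a constructed,
provider-neutral inventory snapshot. The field names are assumptions for
illustration, not any cloud provider's real API schema."""
from ipaddress import ip_network
from typing import Dict, List, Tuple

# Ports that should never be reachable from the whole internet.
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 6379, 27017}

# Constructed snapshot: one good bucket, one bad bucket, one overly open group.
SAMPLE_INVENTORY = {
    "storage_buckets": [
        {"name": "app-logs", "encryption_at_rest": True, "public_access": False},
        {"name": "customer-exports", "encryption_at_rest": False, "public_access": True},
    ],
    "security_groups": [
        {"name": "web", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"name": "db", "ingress": [{"port": 5432, "cidr": "0.0.0.0/0"},
                                   {"port": 5432, "cidr": "10.0.0.0/8"}]},
    ],
}


def is_world_reachable(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. a rule that admits the whole internet."""
    return ip_network(cidr, strict=False).prefixlen == 0


def assess_posture(inventory: Dict) -> List[Tuple[str, str, str, str]]:
    """Return (severity, resource_type, name, message) per misconfiguration,
    highest severity first."""
    findings = []
    for bucket in inventory.get("storage_buckets", []):
        if not bucket.get("encryption_at_rest", False):
            findings.append(("HIGH", "bucket", bucket["name"], "encryption at rest disabled"))
        if bucket.get("public_access", False):
            findings.append(("CRITICAL", "bucket", bucket["name"], "public access enabled"))
    for group in inventory.get("security_groups", []):
        for rule in group.get("ingress", []):
            if rule["port"] in SENSITIVE_PORTS and is_world_reachable(rule["cidr"]):
                findings.append(("HIGH", "security_group", group["name"],
                                 f"port {rule['port']} open to the internet"))
    order = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for severity, kind, name, msg in assess_posture(SAMPLE_INVENTORY):
        print(f"[{severity}] {kind} {name}: {msg}")
```

Note that the web group's port 443 open to 0.0.0.0/0 is not reported: an intentionally public HTTPS endpoint is normal, while a database port open to the world is not, and a posture tool has to encode that distinction rather than flag every wide-open rule.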
Microsegmentation
Containerized apps tend to be single-purpose services with predictable runtime behavior. For example, a microservice that returns the weather forecast for a given zip code may talk to a zip code database service and a UI component. In simple terms, container microsegmentation is about observing the connections between containers to determine what is normal. From there, it can detect deviations from the norm that could be the result of a malware infection or a hacker attack. This is how cloud-native threats happen: they exploit a configuration vulnerability to get in, and then expand to other nodes and containers until they reach the data. Microsegmentation is a valuable defense weapon for identifying anomalous container behavior.
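The observe-then-detect idea above, carried through in an added example (written for this article, not code from any microsegmentation product): a baseline of which container talks to which is learned from an observation window, live flows that fall outside it are flagged, and the baseline is rendered as Kubernetes-style NetworkPolicy specs so the learned norm can also be enforced. The flow records are constructed, using the article's weather services plus an invented billing-db and external address for the anomalies; a real system would take them from the cluster's network plugin, a service-mesh proxy or cloud flow logs, and the policy sketch assumes each service's pods carry an `app: <name>` label.

```python
"""Added example, not from the article: learn a baseline of container-to-container
connections, flag live flows that deviate from it, and sketch the baseline as
NetworkPolicy specs. All flow records below are constructed."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, int]  # (source service, destination service, destination port)

# Constructed observation window: the normal weather-service traffic.
BASELINE_FLOWS: List[Flow] = [
    ("weather-ui", "weather-api", 8080),
    ("weather-api", "zipcode-db", 5432),
    ("weather-ui", "weather-api", 8080),
    ("weather-api", "zipcode-db", 5432),
]

# Constructed live traffic: two normal flows and two deviations.
LIVE_FLOWS: List[Flow] = [
    ("weather-ui", "weather-api", 8080),
    ("weather-api", "zipcode-db", 5432),
    ("weather-api", "billing-db", 5432),    # a database this service never used before
    ("weather-api", "203.0.113.9", 4444),   # outbound to an external address on an odd port
]


def learn_baseline(flows: List[Flow]) -> Dict[str, Set[Tuple[str, int]]]:
    """Map each source to the (destination, port) pairs it was observed using."""
    baseline = defaultdict(set)
    for src, dst, port in flows:
        baseline[src].add((dst, port))
    return dict(baseline)


def detect_deviations(baseline: Dict[str, Set[Tuple[str, int]]], flows: List[Flow]) -> List[Flow]:
    """Return every live flow whose source -> destination:port was never seen in the baseline."""
    return [f for f in flows if (f[1], f[2]) not in baseline.get(f[0], set())]


def to_network_policies(baseline: Dict[str, Set[Tuple[str, int]]]) -> List[dict]:
    """Sketch the baseline as one Kubernetes-style NetworkPolicy per destination,
    allowing ingress only from the observed sources on the observed ports
    (assumes pods carry an `app: <service>` label)."""
    per_dst = defaultdict(list)
    for src, pairs in baseline.items():
        for dst, port in pairs:
            per_dst[dst].append((src, port))
    policies = []
    for dst, entries in sorted(per_dst.items()):
        policies.append({
            "apiVersion": "networking.k8s.io/v1",
            "kind": "NetworkPolicy",
            "metadata": {"name": f"allow-to-{dst}"},
            "spec": {
                "podSelector": {"matchLabels": {"app": dst}},
                "policyTypes": ["Ingress"],
                "ingress": [
                    {"from": [{"podSelector": {"matchLabels": {"app": src}}}],
                     "ports": [{"protocol": "TCP", "port": port}]}
                    for src, port in sorted(entries)
                ],
            },
        })
    return policies


if __name__ == "__main__":
    base = learn_baseline(BASELINE_FLOWS)
    for src, dst, port in detect_deviations(base, LIVE_FLOWS):
        print(f"ANOMALY: {src} -> {dst}:{port}")
    print(f"{len(to_network_policies(base))} policies generated")
```

The two flagged flows are exactly the expansion phase the text describes: a compromised service reaching a data store it never needed, and a connection leaving the cluster. Under the generated policies the first would be dropped at the network layer even before a detector sees it.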
User and Entity Behavior Analytics
User and Entity Behavior Analytics (UEBA) is another important security tool; it applies across SaaS, IaaS and PaaS and should be deployed to monitor user access and detect problematic patterns. For example, it can block access to the development environment if a developer accesses the deployment environment from opposite ends of the globe at the same time, which is clearly an attempt to hack the system.
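The "opposite ends of the globe at the same time" pattern is what UEBA products usually call impossible travel. As an added example (not from the article or any UEBA product), the check below computes the speed implied by each consecutive pair of logins for the same account and raises an alert when no form of travel could explain it. The access events, user names, coordinates, timestamps and the 1000 km/h threshold are all constructed for illustration; a real deployment would geolocate source IP addresses and read events from the platform's audit log.

```python
"""Added example, not from the article: an "impossible travel" check over constructed
access events, the kind of rule a UEBA tool runs to catch credential misuse."""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import List, Tuple

# Constructed events: dev1 "appears" in San Francisco and then Singapore 20 minutes
# apart; dev2 drives from San Francisco to Los Angeles over two hours, which is fine.
ACCESS_EVENTS = [
    {"user": "dev1", "ts": "2020-05-01T09:00:00Z", "lat": 37.77, "lon": -122.42},
    {"user": "dev1", "ts": "2020-05-01T09:20:00Z", "lat": 1.35, "lon": 103.82},
    {"user": "dev2", "ts": "2020-05-01T08:00:00Z", "lat": 37.77, "lon": -122.42},
    {"user": "dev2", "ts": "2020-05-01T10:00:00Z", "lat": 34.05, "lon": -118.24},
]

# Assumed fastest plausible travel speed between two logins (airliner plus margin).
MAX_SPEED_KMH = 1000.0


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two latitude/longitude points."""
    earth_radius_km = 6371.0
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def impossible_travel(events: List[dict], max_speed_kmh: float = MAX_SPEED_KMH) -> List[Tuple]:
    """Return (user, first_ts, second_ts, km, km_per_hour) for each consecutive pair
    of logins by the same user that would require travelling faster than max_speed_kmh."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: _parse(e["ts"]))
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km < 50:  # same city; geolocation jitter alone can produce this
                continue
            hours = (_parse(cur["ts"]) - _parse(prev["ts"])).total_seconds() / 3600.0
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                alerts.append((user, prev["ts"], cur["ts"], round(km), round(speed)))
    return alerts


def accounts_to_block(events: List[dict]) -> List[str]:
    """Accounts whose development-environment access should be suspended pending review."""
    return sorted({alert[0] for alert in impossible_travel(events)})


if __name__ == "__main__":
    for user, t1, t2, km, kmh in impossible_travel(ACCESS_EVENTS):
        print(f"{user}: {km} km between {t1} and {t2} implies {kmh} km/h")
    print("block:", accounts_to_block(ACCESS_EVENTS))
```

Two details matter in practice: sorting by timestamp before pairing (audit logs rarely arrive in order), and ignoring short hops, because IP geolocation can place the same office in two nearby cities and a naive check would then flood the team with false alerts.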
Device Access Control
Finally, it is important to monitor what types of devices access an enterprise IaaS/PaaS platform. This ensures that only secure, managed devices can reach the development environment, while any other device can only reach the end applications.
The developers have spoken: their preferred way to deploy modern cloud apps on AWS, Azure and GCP is via containers. It’s more important than ever to keep up with the developers and deploy the tools covered here, so they can develop and innovate at cloud speed while you protect your sensitive enterprise data online—until the next time developers change their mind.