As is often the case with any emerging technology, the top concern most organizations have when adding it to a production environment is security. Microservices based on containers are no different in that regard. StackRox is making the case that securing containers requires a cloud-native approach that can respond dynamically as changes are made to an environment. Now the company is working with Google to tightly integrate its approach to container security with the Google Kubernetes Engine (GKE).
Wei Lien Dang, vice president of product for StackRox, says existing security tools fail when it comes to containers because they generally don’t have any built-in mechanisms for discovering containers. Containers are the most ephemeral atomic unit of computing ever created. Dang says StackRox keeps track of how individual containers are employing underlying resources to provide indications of potential compromise. Machine learning algorithms automatically tune the StackRox security framework as the underlying container environments change, enabling security policies and rules to be implemented consistently. The platform accomplishes this by combining intrusion detection and prevention (IDS/IPS), web application firewalling (WAF) and endpoint detection and response (EDR) capabilities for containers in a single framework.
Dang notes the rise of microservices and containers is forcing IT organizations to finally confront DevSecOps issues, which in turn is driving more collaboration between IT security and DevOps teams. But none of that collaboration can occur unless the IT security team has visibility into what’s happening within the container environment, says Dang.
Today most containers are deployed on top of a virtual machine, mainly because of concerns about IT security. But if security tools can surround the containers themselves, it becomes more likely that more organizations will opt to deploy containers using Kubernetes clusters running on bare-metal servers.
Alternatively, there is also an initiative being led by the OpenStack Foundation to deploy containers on a much lighter-weight instance of a hypervisor as an alternative to existing virtual machines. That approach, which Google supports, will ensure isolation of containers without incurring as much overhead.
Regardless of how and where containers are implemented, the ability to dynamically enforce security policies will be critical. Without that capability, many IT organizations might simply choose to limit use of containers to application development projects.
In the meantime, Google is betting that containers and Kubernetes will be a critical element of its bid to gain ground on both Amazon Web Services (AWS) and Microsoft Azure. As part of that bid, it is now working with StackRox to better secure containers and Kubernetes end to end, says Dang.
It’s too early to say how much an endorsement of the StackRox approach to security might influence IT organizations implementing containers and Kubernetes in an on-premises environment. Dang says most of the usage of Kubernetes today is on public clouds. But over time, Dang says, StackRox expects there to be mixed environments spanning instances of Kubernetes running both on multiple clouds and on premises, assuming, of course, that all relevant IT security issues have been confidently addressed.