Why everyone from investors to the C-suite should consider container security
Over the past few years, virtually all of the most innovative enterprise firms – from multinational banks like Goldman Sachs, to cutting-edge technology companies like Google – have set out to modernize the way they deliver software applications through containers and microservices architectures. By breaking down large applications into smaller, composable pieces, software developers and those in charge of managing applications have discovered that containers – and the microservices approach they enable – allow for software development that is far more agile, resilient, and efficient than traditional monolithic approaches.
Still, while developers and cutting-edge organizations have quickly recognized the myriad benefits of container platforms such as Docker and Kubernetes, overall enthusiasm for containers and the microservices approach is often tempered by concerns about container security. This is because container environments comprise a new and unfamiliar attack surface. In order to run a microservices-based application, one needs to be able to monitor, manage, and scale the different constituent parts. This adds complexity, which in turn creates a more complicated attack surface, the ephemeral nature of which makes it challenging to monitor and secure, especially given the volume of activity created by container environments. Most organizations don’t yet have a well-developed understanding of how attacks unfold within container environments, or a reliable plan for securing them.
This is not a new scenario; it’s a familiar story: technology undergoes an aggressive, business-driven evolution, while cybersecurity races to catch up. This opens up a time window of weeks or months within which an organization is much more vulnerable to attacks.
Fortunately, organizations now have the chance to catch up, as developments in container security technology are today leveling the playing field back to the side of the defender. Indeed, as container security matures, we may be witnessing a transformation in the cat-and-mouse dynamic between attackers and defenders. With the right security approach, containers are not only protected against threats, they also become a vehicle for enabling fundamentally better system-wide security.
That means that, for the first time, it’s possible to move the security control point to the application itself. By collecting data upfront – from sources like system calls and container network activity – it’s now possible for security teams to gain far greater visibility and control inside applications than was ever possible before. Armed with clear visibility and security insights, purpose-built container security is as effective at preventing, detecting, and responding to attacks as more traditional security controls such as Web Application Firewalls (WAFs) and Intrusion Detection and Prevention Systems (IDS/IPS). In a sense, security teams can now build security natively into the application environment.
This is why leading companies like Amazon and Netflix, and big U.S. government agencies like the Department of Homeland Security and the General Services Administration, have concluded that containers are not only the future of large enterprise applications and software-as-a-service over the Internet, but of cybersecurity as well. It is clear that everyone across the enterprise, from DevOps teams to the C-Suite, from investors to the boardroom, stands to benefit from advances in container security, and ought to consider how it might revolutionize their security posture and reduce their organization’s overall cyber risk.
The people building and deploying applications based on containers and microservices architecture are working with a decidedly better operating model for most enterprise applications. This is borne out by the exponential growth of the container industry, especially the rise of Docker. In 2014, Docker had 15K apps on its Docker Hub platform; today, it has more than 900K, and has seen more than 12 billion image pulls in the past 4 years. The explanation is simple: instead of having one giant code base that all developers must work on simultaneously, microservice architectures are composed of numerous smaller code bases, each component of which can be developed separately and concurrently. This makes individual services independently deployable and scalable, allowing for rapid, even continuous, software release and update cycles. From a security perspective, container architectures allow DevOps teams to spend less time worrying about security and more time focusing on the core product. Developers can automatically scan their code and images for vulnerabilities, and address them without having to bring down the full application.
For those tasked specifically with defending an enterprise organization’s data and infrastructure, container security platforms similarly provide a robust and uniquely nimble security environment. One of the primary obstacles to securing containers has been that microservice architectures generate a tremendous amount of data at high velocity (e.g., data sent from container to container, communications within the network, system calls, etc.), rendering container security unmanageable for many organizations. But thanks to advances in a number of key technologies (particularly machine learning and automation of incident response mechanisms), security professionals can now have comprehensive visibility into their environment and defenses that adapt to new threats as they emerge.
These advantages have not been lost on the C-Suite executives responsible for considering an organization’s risk management strategy and spending on IT and security. To them, container security solutions are exciting not just because they provide additional protections, but because they offer significant IT resource efficiencies. Chief Information Security Officers (CISOs) in particular are regularly frustrated by the sheer number of security tools required to protect their systems. The practice of cybersecurity can feel like a never-ending and constant exercise in spending and deploying tools. But with container security, instead of having to buy dozens of tools, as is often the case with traditional enterprise security, organizations running containers can protect themselves with just a few. And instead of having to monitor and manage dozens of security applications, they can now focus on a single, unified source of information and derive meaningful security insights from the analysis of millions of events across the organization. Containers provide better, simpler security, and enable substantial cybersecurity cost savings. This is music to any CISO’s ears.
Finally, for investors, container security simply means less overall organizational risk. Breaches are devastating; they shake investor confidence, erode brand and enterprise value, and can cost millions in legal fees and damages. In fact, the average cost of a breach has been estimated at $3.6M and, depending on the scale and impact of the attack, can reach as high as $1B, as the 2013 Target breach demonstrated. Cybersecurity is no longer a matter that investors can afford to disregard. Smart investors know that cyber attacks and breaches are consistently at the top of the list of risks that companies face. The right approach to container security should give investors confidence that sophisticated attacks can be properly detected and mitigated before any material damage can be done.
Considering today’s rapidly evolving threat landscape, cybersecurity should be considered a shared responsibility among every single employee, manager, and executive of an organization – regardless of its size or industry. And though not everyone in an organization is necessarily hands-on with containerized applications or cloud workloads, they should be highly invested in the organization’s adoption of the right container security solution. In light of the tremendous potential that containers hold for advancing enterprise cybersecurity overall, no organization will have done its due diligence without first considering what a dedicated container security platform can do for it.
The path forward for enterprise cybersecurity is paved by containers and microservices. StackRox is leading this charge into the future with the industry’s only adaptive threat protection platform for containers. We are thrilled to partner with each of our customers and secure them throughout their journey from containers to web-scale microservices.
Learn more about StackRox’s fundamentally different approach to cybersecurity.