Clearing the enterprise’s path to the public cloud with container security

Enterprise organizations across diverse verticals, such as 3M, Adobe, Kellogg’s, and Netflix, have been ramping up their use of the public cloud to the point where that usage accounts for a substantial portion of their annual IT spend. ‘Enterprises with big budgets, data centers, and complex applications are now looking at cloud as a viable place to run core business applications’, according to Dave Bartoletti, an analyst at Forrester Research.

Economically, leveraging infrastructure as a service (IaaS) provided by Amazon Web Services (AWS), Google Cloud Platform (GCP), Microsoft Azure, and others, has significant cost advantages for certain types of workloads. In other cases, the speed and agility that IaaS delivers eclipses what is possible with the enterprise’s existing data centers, and that is the primary draw. But when it comes to security, some enterprises expose themselves to additional risk when moving sensitive data and business-critical applications to the public cloud, especially in light of the expanding breadth and volume of cyber attacks aimed at corporations’ valuable data. According to the Identity Theft Resource Center, with half of the year in the bag, 2017 is tracking to set a new all-time record for data breaches. And high-profile breaches suffered by Dow Jones and Verizon, along with the exposure of GOP voter records, all on Amazon S3 infrastructure, underscore the existence of easy-to-miss security blind spots when applications and data are moved to the public cloud.

This isn’t to suggest that public cloud infrastructure is any less secure than the typical enterprise’s on-premises data center; on the contrary, cloud providers have considerably more incentive to place a higher priority on security, by virtue of their business model. They also, on average, have more resources dedicated to security than do their customers’ organizations. According to Gartner, “only a very small percentage of the security incidents that have affected enterprises using the cloud have been due to vulnerabilities on the part of the provider.”

So where is the disconnect when it comes to securing enterprise applications and data in the public cloud?

For starters, practically all of the major IaaS providers operate according to a clear-cut model of shared responsibility for security. This agreement basically states that the security of the infrastructure (compute, storage, network) is the provider’s responsibility, but the security of the data and applications a business puts into the cloud is the customer’s responsibility. This is where enterprises are challenged in establishing and maintaining reliable security practices around accessing data and keeping applications up to date with the latest security patches. In a recent Wall Street Journal article, Turner Broadcasting System Inc. chief information security officer Pete Chronis states that “IT departments need to understand when a company’s assets are online, when software needs to be patched, how critical applications connect to each other and when developers are making high-risk changes.”

Though many of these challenges can be solved individually, enterprises today have an unprecedented opportunity to dramatically reduce their share of public cloud security risk through the adoption of containers and microservices, accompanied by a security approach built specifically for these environments.

Containers: a vehicle for better overall security in the cloud

The use of Docker containers and microservices architectures, along with Kubernetes, OpenShift, etc., in web-scale environments is growing aggressively among large enterprises, and many IaaS providers support container environments. Containers enable tremendous speed gains in software development and deployment, rapid scalability, and seamless movement of applications across different environments, which are ideal attributes for users and IaaS providers.

However, for enterprise security professionals, containers offer up a unique advantage: they pave the way for a “built-in” security approach where the security control point can be abstracted from the network or host.

StackRox is a great example of that approach. As a dedicated container security platform, StackRox is architected to deploy and operate as a set of security microservices that run in containers alongside application containers. This allows containers to be instrumented in a way that enables clear visibility into application activity, an essential aspect of security, especially when it comes to the public cloud.

To that effect, StackRox collects an extensive volume of container data. Through machine learning, that data gives way to precise models of application behavior against which it surfaces anomalous behaviors and attack techniques, and presents actionable security insights.

In turn, enterprise security teams can design and apply security policies that trigger alerts and execute preventative measures (such as blocking system calls and Docker commands) and responsive measures (such as quarantining or pausing containers) in the event a policy is violated or a threat is detected.
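As an added illustration of the approach described above (this is not StackRox code and does not reflect how its product is implemented), the toy engine below learns a per-image behavior profile from constructed baseline events, then checks new events against that profile and against explicit policies that map a violation to an alert, a block, or a pause. All container ids, image names, events, and actions are constructed for the example.

```python
# Added illustration, not StackRox's code: behavior baseline + policy actions.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    container: str  # constructed container id
    image: str      # image the container was started from
    kind: str       # "syscall" or "docker" (a Docker CLI/API command)
    name: str       # syscall name or Docker command name


# Constructed baseline: what a healthy web container did during a learning window.
BASELINE = [
    Event("c1", "web:1.0", "syscall", "accept"),
    Event("c1", "web:1.0", "syscall", "read"),
    Event("c1", "web:1.0", "syscall", "write"),
    Event("c2", "web:1.0", "syscall", "accept"),
]

# Explicit policies: (kind, name) -> action. "block" is preventative (the
# operation is denied); "pause" is responsive (the container is frozen
# for investigation); "alert" only notifies.
POLICIES = {
    ("syscall", "ptrace"): "block",
    ("syscall", "execve"): "pause",
    ("docker", "exec"): "alert",   # interactive shell into a running container
}


def learn_profile(events):
    """Per-image set of syscalls observed during the baseline window."""
    profile = defaultdict(set)
    for e in events:
        if e.kind == "syscall":
            profile[e.image].add(e.name)
    return profile


def evaluate(events, profile):
    """Return (container, name, action) for every policy hit or anomaly."""
    findings = []
    for e in events:
        if (e.kind, e.name) in POLICIES:          # explicit policy wins
            findings.append((e.container, e.name, POLICIES[(e.kind, e.name)]))
        elif e.kind == "syscall" and e.name not in profile.get(e.image, set()):
            findings.append((e.container, e.name, "alert"))  # never seen for image
    return findings
```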

These capabilities are highly effective across distributed environments, and solve several major public cloud-related security challenges enterprises face. First, with a container security platform such as StackRox, it is possible to continuously monitor containers and cloud workloads. Second, security can be provisioned at the speed at which containerized applications and cloud workloads deploy and scale, as opposed to being hastily bolted on afterward. This dramatically narrows the window during which any unaddressed container image vulnerabilities are exposed, because precise threat detection across the entire environment is in place immediately.

Despite the substantial IT cost and operating efficiencies to be had with the use of IaaS, securing applications and data still confounds many enterprise organizations, complicating their path to the public cloud. Although many cloud providers maintain well-secured compute and network infrastructure, there still exists a degree of skepticism on the part of some customers. On top of that, securing applications in a timely manner and establishing continuous visibility of cloud workloads remain significant challenges that often keep organizations from moving forward with public cloud application deployments.

Containers, and by extension a purpose-built container security solution, change the game significantly. This new infrastructure has set the stage for fundamentally better security across distributed environments, giving enterprises a clear path to the public cloud.