Frenemies No More: Containers Are Changing the Security-Business Relationship

This is a guest blog by Rob Fry, an accomplished architect, inventor and public speaker with 20 years’ experience primarily in large-scale Internet companies and the utility industry. At Netflix he invented FIDO, a patented open source security orchestration platform, and while at Yahoo created the DUBS configuration and automation framework for production servers.

Over the past two decades, we’ve seen adoption of new technologies reshaping the landscape of how we operate and secure our businesses. Server and desktop virtualization, the use of mobile devices, and cloud computing are a few examples.

Right now, another technology is poised to reshape that landscape again. The tidal wave of application containerization with Docker is here, and companies are adopting this new technology even faster than previous technologies.

I’m thrilled about this move to containers and microservices because it presents a new opportunity to fundamentally change the security-business relationship, where security can become an enabler to the business.

In part one of this two-part blog series, I’ll discuss business considerations for the rapid adoption of new technologies, including containers, and the challenging role of security teams to embrace and secure these new technologies. In part two, I’ll discuss how containers bring new opportunities to deliver better security in the new era of containers – security that is built-in and transparent to enable developer velocity and rapid innovation.

Business motivations for adopting new technologies

Technology adoption depends on business and employee value

Learning and adopting a new technology is never easy, but organizations will make the effort because of either business value or employee value. Before we get into the benefits of containers and their related technologies, let’s look at how new technologies are typically adopted to enable better business results in an enterprise.

From a business point of view, companies evaluate whether the technology can make an impact on top-line or bottom-line revenue. Top-line includes whether there is potential for a new income stream, whether it is something that will make customers happy, or if it could add speed or velocity for delivering products. Bottom-line enhancements come from operational efficiencies and cost savings – increasing employee productivity, helping employees do more with less.

For bottom-line revenue, there is monetary budget, but employee capital – the ability to increase their skill set and value – is a major driver of new technology adoption. For example, mobile technology adoption has evolved to make employees more available and allow for better collaboration. In the ’90s, pagers became widely available for faster response. Then we had cell phones for faster response, BlackBerries for mobile emails, and now smartphones for a richer and more in-depth experience. Each time a new technology was adopted, employees became more valuable and productive.

Technology adoption is also a key to attracting and retaining employees. Getting to use the latest gadgets, and/or having the flexibility to choose your own devices, is seen as a perk, in addition to making your job easier and increasing your motivation by working on the latest and greatest technologies. Employees also want to use the newest technologies to further their careers. For example, developers will prefer using the latest tools and ideas, including open source software; few people desire to work on mainframes anymore. Giving back to open source provides the opportunity for community recognition and makes you more valuable for your own personal brand. And it is common for companies to ask for your GitHub account to better understand your abilities and how they fit with their software.

Also, by giving employees more choices with flexibility on mobile devices, new technologies or open source, companies don’t need as much infrastructure; they can innovate and make a bigger impact on the company.

Technology for increased agility

Technology also gives businesses the flexibility to change and innovate faster. For example, startups typically have the agility to innovate and disrupt because they can start with newer technologies, like software-as-a-service (SaaS) and public clouds. These technologies provide them higher productivity with lower costs, using pay-as-you-go models, so they can focus on delivering products for top-line revenue.

As companies grow and become more mature, they tend to lose their agility due to legacy technology, policies, and procedures slowing them down. When companies become larger and lose their DNA to innovate, they can still do so through acquisition. But they can also retrofit themselves to achieve a better level of agility by adopting newer technologies. For example, companies today are moving from monolithic applications to containers and microservices for faster development cycles. This is because the C-suite cares about revenue and risk; there is lower risk in adopting better technology that increases agility in ways that impact top-line and bottom-line revenue.

Technology evolution patterns

Now, let’s look at some examples of technology adoption patterns that are converging into this new wave of container adoption.

First, we have the move from physical servers, which evolved from mainframes, to the hypervisor and virtualization. The promise of virtualization came about in 2001, although it was not widely adopted until 2008–2010, with an arc of about seven years from when it came out to when it was widely adopted. For virtualization, the barrier to adoption was the mainstream adoption of hardware.

In the mid-2000s, we also saw the emergence of cloud computing infrastructure as a service (IaaS), as well as software-as-a-service (SaaS) delivered through the cloud. And we’ve already talked about the adoption of mobile phones and smartphones for increased efficiency. Mobile adoption was rapid. By the time they came out, the concept of “Shadow IT” was emerging; you could get a device, throw it on Wi-Fi, and download SaaS applications.

For these new technologies, you didn’t necessarily have to go through IT; you could be up and running within minutes with virtual machines, computing infrastructure, and SaaS applications. There are also maturity periods required before larger companies are willing to adopt them. Initially, you see adoption by individuals or small companies. But once these technologies are more mature, we see larger companies, and even enterprises, adopting them because they can yield astronomical cost savings.

DevOps movement: a convergence of technologies and methodologies

Application containerization, used for more than a decade at Google, but more recently made popular by Docker, is fueling the DevOps movement. Offering a new level of abstraction to efficiently develop applications that can be moved across distributed environments, containers – paired with the public cloud and open source tools, as well as APIs – are enabling organizations to iterate at a higher level for more rapid and flexible software development.

Docker container adoption is rapidly increasing as organizations are adopting it to reach new levels of efficiency and scale. When I left Netflix almost a year ago, we were deploying more than 1 million containers per week, with thousands of production code pushes per day. This was how we were able to build a continuous delivery platform serving movies and TV shows to more than 75 million global Netflix members.

Leaving your comfort zone to enable the business

For most security teams, the goal to move source code and applications from the datacenter to a deployed service in the cloud isn’t in their comfort zone. For some context: at Netflix, we actually embraced it and were fully supportive. Talking with our peers, though, made us realize they were not as clear on the benefits and how to mitigate risk as we were. But that is understandable because when we talk about moving to the cloud or adopting new technologies, we typically want to control it or block it to keep it secure.

But outside of your comfort zone is where good things usually happen. At innovative companies, security risk will never stop technology adoption because the business and employee value will win every time; you can’t block a tidal wave when it’s coming. New technology gets you out of your comfort zone, and you need to be flexible and creative to find ways to embrace it.

Strategies for successfully moving from gatekeeper to enabler

Getting outside your comfort zone to enable the business

With security breaches making headlines for large brands on a monthly basis, companies are concerned about security. While they understand its value, security is still seen as a cost center because security will never generate revenue. For example, code that is not secured can go into production if there is business value to delivering the product by a certain time. The security risk is deemed acceptable because security is a lower priority. At the same time, your neck is on the line in the event of a security breach.

So knowing that security is deemed a second-class citizen, what can you do? You need a business-driven approach. Here are a few pointers to drive success for your security program.

  1. Accept that you will lose a battle when there’s business and employee value to adopting a new technology
  2. Do what you can to mitigate risk; for example, don’t use the new technology with critical data or assets
  3. Learn to talk to the CEO and executives in their native business language, primarily around risk, costs and revenue impact.

This third point is the most important; they don’t care about the security details. What they care about is how much it costs, how much risk there is, and how you will reduce that risk. That is how they make their decisions. Your job is to look for the gaps and prioritize what you need in order to fill them.

In the next blog post, I’ll discuss how to make security a first-class citizen as a partner to enable the business. Specifically, we’ll discuss how the move to containers presents unique opportunities for better security to enable the business.