Frenemies No More: Containers Are Changing the Security-Business Relationship

This is a guest blog by Rob Fry, an accomplished architect, inventor and public speaker with 20 years’ experience primarily in large-scale Internet companies and the utility industry. At Netflix he invented FIDO, a patented open source security orchestration platform, and while at Yahoo created the DUBS configuration and automation framework for production servers.

Over the past two decades, we’ve seen adoption of new technologies reshaping the landscape of how we operate and secure our businesses. Server and desktop virtualization, the use of mobile devices, and cloud computing are a few examples.

Right now there is another technology poised to reshape that landscape again. The tidal wave of application containerization with Docker is here, and companies are adopting this new technology even faster than previous technologies.

I’m thrilled about this move to containers and microservices because it presents a new opportunity to fundamentally change the security-business relationship, where security can become an enabler to the business.

In this discussion, we’ll highlight the business considerations for the rapid adoption of new technologies, including containers, and the challenging role of security teams to embrace and secure these new technologies.

Business motivations for adopting new technologies

Technology adoption depends on business and employee value

Learning and adopting a new technology is never easy, but organizations will make the effort because of either business value or employee value. Before we get into the benefits of containers and their related technologies, let’s look at how new technologies are typically adopted to enable better business results in an enterprise.

From a business point of view, companies evaluate whether the technology can make an impact on top-line or bottom-line revenue. Top-line includes whether there is potential for a new income stream, whether it is something that will make customers happy, or if it could add speed or velocity for delivering products. Bottom-line enhancements come from operational efficiencies and cost savings – increasing employee productivity, helping employees do more with less.

For bottom-line revenue, there is monetary budget, but employee capital – the ability to increase their skill set and value – is a major driver of new technology adoption. For example, mobile technology adoption has evolved to make employees more available and allow for better collaboration. In the ’90s, pagers became widely available for faster response. Then we had cell phones for faster response, BlackBerries for mobile emails, and now smart phones for a richer and more in-depth experience. Each time a new technology was adopted, employees became more valuable and productive.

Technology adoption is also a key to attracting and retaining employees. Getting to use the latest gadgets, and/or having the flexibility to choose your own devices is seen as a perk, in addition to making your job easier and increasing your motivation by working on the latest and greatest technologies. Employees also want to use the newest technologies to further their careers. For example, developers will prefer using the latest tools and ideas, including open source software; few people desire to work on mainframes anymore. Giving back to open source provides the opportunity for community recognition and makes you more valuable for your own personal brand.

Also, by giving employees more choices with flexibility on mobile devices, new technologies or open source, companies don’t need as much infrastructure; they can innovate and make a bigger impact on the company.

Technology for increased agility

Technology also gives businesses the flexibility to change and innovate faster. For example, startups typically have the agility to innovate and disrupt because they can start with newer technologies, like software-as-a-service (SaaS) and public clouds. These technologies provide them higher productivity with lower costs, using pay-as-you-go models, so they can focus on delivering products for top-line revenue.

As companies grow and become more mature, they tend to lose their agility due to legacy technology, policies, and procedures slowing them down. When companies become larger and lose their DNA to innovate, they can still do so through acquisition. But they can also retrofit themselves to achieve a better level of agility by adopting newer technologies. For example, companies today are moving from monolithic applications to containers and microservices for faster development cycles. The C-suite cares about revenue and risk, and risk goes down when companies adopt better technology that increases agility and drives top-line revenue and bottom-line savings.

Technology evolution patterns

Now, let’s look at some examples of technology adoption patterns that are converging into this new wave of container adoption.

First, we have the move from physical servers, which evolved from mainframes, to the hypervisor and virtualization. The promise of virtualization emerged in 2001, although it was not widely adopted until 2008 to 2010, with an arc of about seven years from when it came out to when it was widely adopted. For virtualization, the barrier to adoption was the mainstream adoption of hardware.

In the mid-2000s, we also saw the emergence of cloud computing infrastructure as a service (IaaS), as well as software-as-a-service (SaaS) delivered through the cloud. And we’ve already talked about the adoption of mobile phones and smartphones for increased efficiency. Mobile adoption was rapid. By the time mobile phones began to dominate the landscape, the concept of “Shadow IT” was emerging; you could get a device, put it on Wi-Fi, and download SaaS applications.

For these new technologies, you didn’t have to go through IT; you could be up and running within minutes with virtual machines, computing infrastructure, and SaaS applications. Larger companies often wait until the technology is more mature to adopt it, so initially you see adoption by individuals or small companies. But once these technologies are more mature, we see larger companies and enterprises adopting them because they can yield astronomical cost savings.

DevOps movement: a convergence of technologies and methodologies

Application containerization, used for more than a decade at Google, but more recently made popular by Docker, is fueling the DevOps movement. Offering a new level of abstraction to efficiently develop applications that can be moved across distributed environments, containers – paired with the public cloud and open source tools, as well as APIs – are enabling organizations to iterate at a higher level for more rapid and flexible software development.

Docker container adoption is rapidly increasing as organizations are adopting it to reach new levels of efficiency and scale. When I left Netflix almost a year ago, we were deploying more than one million containers per week, with thousands of production code pushes per day. [In April 2018, Netflix published on its blog that it’s launching three million containers per week.] This approach was how we were able to build a continuous delivery platform serving movies and TV shows to more than 75 million global Netflix members.

Leaving your comfort zone to enable the business

For most security teams, the goal to move source code and applications from the datacenter to a deployed service in the cloud isn’t in their comfort zone. For some context: at Netflix, we actually embraced it and were fully supportive. Talking with our peers, though, made us realize they were not as clear on the benefits and how to mitigate risk as we were. But that is understandable because when we talk about moving to the cloud or adopting new technologies, we typically want to control it or block it to keep it secure.

But outside of your comfort zone is where good things usually happen. At innovative companies, security risk will never stop technology adoption because the business and employee value will win every time; you can’t block a tidal wave when it’s coming. New technology gets you out of your comfort zone, and you need to be flexible and creative to find ways to embrace it.

Strategies for successfully moving from gatekeeper to enabler

Getting outside your comfort zone to enable the business

With security breaches making headlines for large brands on a monthly basis, companies are concerned about security. While they understand its value, security is still seen as a cost center because security will never generate revenue. For example, code that is not secured can go into production if there is business value to delivering the product by a certain time. The security risk is deemed acceptable because security is a lower priority. At the same time, your neck is on the line in the event of a security breach.

So how can Security and DevOps cooperate more closely? Here are a few pointers to drive success.

  1. Accept that security cannot be a gate when there’s business and employee value to adopting a new technology.
  2. Do what’s possible to mitigate risk – look for tools that bridge security and DevOps and make clear the company’s container risk profile.
  3. Have security talk to executives in their native business language, primarily around risk, costs and revenue impact.

This third point is the most important; execs don’t care about the security details. What they care about is how much it costs, how much risk there is, and how the company can reduce that risk. That is how they make their decisions. Security should look for the gaps and prioritize the critical issues that need to be addressed first.

The StackRox Kubernetes Security Platform helps bridge this gap. It helps security work with DevOps to shift left with security, profiling risk and detailing remediation. Businesses have to move at the pace of DevOps, but they can do so without seeing security as the enemy.