Software Containers and Security: Prepare Now
There are some technologies that seem to have their own “gravitational pull.” By this, I don’t just mean technologies that are interesting, compelling to the business, or likely to be considered by businesses. Instead, I’m referring to those technologies that exert a steady, near-continuous and (one might argue) irresistible pressure across multiple areas of the organization to adopt.
Cloud, mobile, and social media are all examples of technologies like this. Say “no” to the sales team’s request to use a Software as a Service (SaaS) tool today, and chances are you’ll be talking to the marketing team about a similar tool next week. These technologies, when they arise, are usually highly advantageous to the business, have a diverse potential use base, low barriers to adoption and a high degree of awareness among end-user customers.
Software Containers, Security and Risk Mitigation
It’s important to pay attention when new technologies like this land on the scene for a few reasons.
First, the potential for shadow adoption is high. Compelling usage, coupled with low barriers gating that usage, mean that individual business units (or individual employees) might take it upon themselves to employ it without thinking to inform or engage with technology (let alone security or assurance) teams. As a consequence, a given assurance, security or risk practitioner might not know the usage is there until after it is entrenched.
Second, adoption changes the risk dynamics of the organization. New risks are potentially introduced while old ones are potentially reduced and business value potentially increases. From a holistic risk perspective, therefore, it is imperative that practitioners evaluate these technologies and understand their risk impact even though they may have limited time to do so in light of shadow adoption.
While still relatively new, application containerization is demonstrating many of the above properties.
Application containerization represents a mechanism that allows the creation of modularized, packaged application functionality that contains the application as well as any configuration or underlying support software required for the application to run. By virtue of them being small and componentized, the containers are portable between environments; they leverage the segmentation features of the operating system on which they run to enforce segmentation between different containers on the same OS instance. The portability offered helps enable development while the comparative efficiency (relative to, for example, OS virtualization) offers potentially increased allocation density of applications per physical device.
Application Containerization and Security
In light of these factors, ISACA has issued a pair of white papers on application containerization. The first volume outlines what application containerization is: the business drivers causing its popularity, the value proposition for developers and datacenter managers, and a description of what the technology offers, and how it works. The second volume outlines the practitioner impact: Why the security, assurance, risk, or governance practitioner should care and what they can do to help prepare for risk and control decisions that involve application containers.
It is our hope that this guidance will assist practitioners as they approach risk decisions relative to containers within their environments and assist them in evaluating usage scenarios as containers and micro-services rise in prominence. By laying out the value proposition to the business and providing a working understanding of its technical operation, as well as outlining some of the risk considerations, we hope to arm practitioners with the information they need to approach these decisions with confidence.