Leveraging IT Governance to Help Manage Docker and Rocket Application Containers

Application containerization technologies such as Docker and CoreOS’ Rocket are quite literally transforming enterprise IT in many organizations. The “State of Containers 2015 Docker Adoption Survey” from StackEngine found that 70 percent of those they surveyed were either already using or evaluating containerization in their enterprises, and 31 percent were planning on using it in the production environment.

This is pretty striking considering that the 1.0 release of Docker only occurred in June 2014. When any technology goes from “not yet released” to “most people are using it” in about a year, it’s pretty clear there’s something going on, and it’s important for technology pros — particularly security professionals — to pay attention.

About Containers

For those who aren’t familiar, containerization technologies allow users to create application packages, or containers, that hold one or more applications as well as any underlying support software (e.g., code libraries, middleware, services, etc.) required for those applications to run. A container provides a segmented, sequestered environment for the application while preventing that application from interfering with other containers or processes running on the same host. If you remember using chroot or FreeBSD jails to create isolated filesystems, it’s similar, except that the isolation extends to other system resources such as the network stack and process space.

To many, this might sound conceptually similar to OS virtualization. From a usage standpoint, it is similar; unlike OS virtualization, however, the package contains only the minimum the application needs in order to run. Instead of having rack after rack of hypervisors running virtual images all containing redundant, near-identical copies of an underlying OS, you have a portable, relatively small package that’s lean and efficient.

Developers love the portability: They can quickly move the container from environment to environment (from their unit testing platform to QA, for example), meaning they spend less time debugging configuration issues and more time writing business logic. Data center managers love it, too, because the increased efficiency allows for greater density within the data center; more applications can run more efficiently on less hardware.

Docker and Rocket: A Balancing Act

Those benefits are pretty exciting. But from a security and management point of view, there can be some challenges when it comes to containerization at scale. Remember virtual machine (VM) sprawl? Most organizations historically struggled with the proliferation of VMs and the challenges of keeping inventories current, which can complicate compliance activities, slow down incident response and make otherwise routine hygiene activities like patching more difficult. Remember the issues associated with stale VM images? Arguing with auditors about why these images haven’t been patched in the past six months isn’t a conversation most love having.

Consider what happens to these issues when containers enter into the mix. Not only are all the VM issues still there, but they’re now potentially compounded. Inventories that were already difficult to keep current because of VM sprawl might now have to accommodate containers, too; for example, any given VM could contain potentially dozens of individual containers. Issues arising from unexpected migration of VM images might be made significantly worse when the containers running on them can be relocated with a few keystrokes.

Now, this isn’t FUD — I’m not trying to scare you with nightmare scenarios of doom and gloom. Instead, I’m calling these potential issues out to highlight why it can be advantageous to extend existing IT governance structures and concepts into the container world.

Isn’t Governance Too Slow?

There is a misperception out there that IT governance is something slow and unwieldy — something that might be great if you work in a behemoth of an organization or in a shop that’s slow-moving and inflexible, but not something germane to the rest of us. So when discussing application containers, which are all about speeding up application delivery and making deployment more efficient, it might seem like IT governance would be the last thing to put on the table.

However, governance isn’t about slowing things down or introducing unnecessary rigor. It’s instead designed to make sure resources are most efficiently used. The whole point of governance is to ensure that the organization as a whole — and individual stakeholders within it — are getting the most value per dollar invested in IT as possible. Unpack that and you start to see a synergy: Containerization is about efficiency and so is IT governance; containerization is about ensuring best use of limited resources and so is IT governance.

In fact, containerization technologies can and arguably should fold right into existing governance efforts. Regardless of the specific governance model or framework you’re using (e.g., COBIT, MOF, ITIL, etc.) — or even if you’re not using a formalized framework at all — some things are universally true. For example, you start with an understanding of the business requirements that stakeholders have, including mapping out the specific services they need; you deliver those services in an effective and reliable way; and you manage those services over time to ensure continuous improvement. Applying these steps in equal measure to containers as well as physical or virtual devices is good practice. It helps organizations manage risk, ensure performance is measured against specific goals and guarantee that specific requirements such as security or performance standards are addressed.

Specializing Governance to Your Environment

How do you accomplish these things? Different circumstances will dictate specifics, but there are a few ways to get started. First, if your organization is already using a governance framework for other aspects of IT, a productive step is to think critically and carefully about how containerization fits in. What’s different about what you need to manage and monitor in the container world? What governance structures need to change to accommodate them? Will policies and procedures need to change to adapt? Asking questions like these with containers in mind will help inform what you need to do next.

If your organization doesn’t use a formalized framework for IT governance, that’s OK. It’s unlikely that you’ll go through a formalization exercise specifically because of Docker, but you can still apply the same underlying concepts. Ask yourself how you will measure performance against goals at the level of an individual container. Do you have tools to do it now? What can you build or buy to help you measure? Do you have a way to create and maintain a service inventory? If so, will it extend to containers? If not, what can you plan now that will help you do that when the time comes? What do you need to do differently to manage security and technical risks once you adopt containerization technology? Do you have a way to find it if it’s adopted in shadow fashion by individual departments or business units?
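To make the inventory questions above concrete, here is an added example (not from the article) of the kind of per-container report a governance effort needs: it groups constructed container records by host, flags images older than a six-month staleness threshold or not pinned to a digest, and lists hosts running containers that are not on the approved list, which is one way to surface shadow adoption. The record fields, host names, image references and the `APPROVED_HOSTS` set are all constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=180)            # policy line: "not patched in six months"
APPROVED_HOSTS = {"vm-app-01", "vm-app-02"}  # constructed: hosts sanctioned to run containers

# Constructed sample records: the fields an inventory agent would extract from
# `docker inspect` on each VM (host, container name, image reference, image build time).
SAMPLE_INVENTORY = [
    {"host": "vm-app-01", "name": "web",   "image": "registry.example/web@sha256:1111",   "created": "2015-09-15T08:00:00Z"},
    {"host": "vm-app-01", "name": "cache", "image": "redis:latest",                       "created": "2015-10-20T08:00:00Z"},
    {"host": "vm-app-02", "name": "batch", "image": "registry.example/batch@sha256:2222", "created": "2015-03-01T08:00:00Z"},
    {"host": "vm-dev-09", "name": "test",  "image": "ubuntu:14.04",                       "created": "2014-06-15T08:00:00Z"},
]


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp of the form used in the sample records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_report(records, now):
    """Group containers by host and annotate each with policy findings."""
    report = {}
    for r in records:
        entry = dict(r)
        entry["stale"] = now - parse_ts(r["created"]) > STALE_AFTER
        entry["pinned"] = "@sha256:" in r["image"]  # digest-pinned images can be audited precisely
        report.setdefault(r["host"], []).append(entry)
    return report


def summarize(report):
    """Roll the per-host report up into the numbers a governance review would track."""
    entries = [e for host_entries in report.values() for e in host_entries]
    return {
        "hosts": len(report),
        "containers": len(entries),
        "stale": sum(1 for e in entries if e["stale"]),
        "unpinned": sum(1 for e in entries if not e["pinned"]),
        "unapproved_hosts": sorted(h for h in report if h not in APPROVED_HOSTS),
    }


if __name__ == "__main__":
    report = build_report(SAMPLE_INVENTORY, datetime(2015, 11, 1, tzinfo=timezone.utc))
    for host, entries in report.items():
        tag = "" if host in APPROVED_HOSTS else " (not an approved host)"
        for e in entries:
            findings = [f for f, hit in (("stale", e["stale"]), ("unpinned", not e["pinned"])) if hit]
            print(f"{host}{tag}: {e['name']} -> {e['image']} {findings or 'ok'}")
    print(summarize(report))
```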

The value that IT governance provides is directly proportional to complexity; the more complex something becomes, the more valuable it is to have a way to manage that complexity. IT governance and governance frameworks are one way to help do this and may prove to be a valuable tool in your toolbox.

Ed Moyle

Director, Emerging Business and Technology, ISACA

Ed Moyle is currently Director of Emerging Business and Technology for ISACA. Prior to joining ISACA, Ed was Senior Security Strategist with Savvis and a founding partner of the analyst firm Security Curve. In his 15+ years in information security, Ed has held numerous positions including: Senior Manager with CTG's global security practice, Vice President and Information Security Officer for Merrill Lynch Investment Managers, and Senior Security Analyst with Trintech. Ed is co-author of Cryptographic Libraries for Developers and a frequent contributor to the Information Security industry as author, public speaker, and analyst.