Application containerization technologies such as Docker and CoreOS’ Rocket are transforming enterprise IT in many organizations. The “State of Containers 2015 Docker Adoption Survey” from StackEngine found that 70 percent of respondents were already using or evaluating containerization in their enterprises, and 31 percent were planning to use it in production.

This is striking considering that Docker 1.0 was released only in June 2014. When a technology goes from “not yet released” to “most organizations are using or evaluating it” in about a year, something is clearly going on, and technology pros, security professionals in particular, need to pay attention.

About Containers

For those who aren’t familiar, containerization technologies allow users to create application packages, or containers, that hold one or more applications along with the supporting software (code libraries, middleware, services, etc.) those applications need to run. A container gets a segmented, sequestered environment that keeps the application from interfering with other containers or processes on the same host. If you remember using chroot or FreeBSD jails to create isolated filesystems, it’s similar: chroot isolates only the filesystem view, jails go further, and Linux containers as built by Docker use kernel namespaces and cgroups to isolate the process table, network stack, mount table, user IDs and resource usage as well. One caveat matters for security: every container on a host shares that host’s kernel, so the isolation is a kernel feature rather than a hypervisor boundary, and a kernel vulnerability reachable from inside one container affects every container on the host.

To many, this might sound conceptually similar to OS virtualization, and from a usage standpoint it is. Unlike a virtual machine, however, a container carries no guest operating system of its own: it holds only the minimum needed for the application to run and relies on the host kernel for everything else. Instead of rack after rack of hypervisors running virtual images that each carry a redundant, near-identical copy of an underlying OS, you have a portable, relatively small package that’s lean and efficient.

Developers love the portability: They can quickly move the container from environment to environment (from their unit testing platform to QA, for example), meaning they spend less time debugging configuration issues and more time writing business logic. Data center managers love it, too, because the increased efficiency allows for greater density within the data center; more applications can run more efficiently on less hardware.

Docker and Rocket: A Balancing Act

Those benefits are exciting. But from a security and management point of view, containerization at scale brings some challenges. Remember virtual machine (VM) sprawl? Most organizations have struggled with the proliferation of VMs and the difficulty of keeping inventories current, which complicates compliance activities, slows down incident response and makes routine hygiene like patching harder. Remember stale VM images? Arguing with auditors about why an image hasn’t been patched in the past six months isn’t a conversation most people enjoy.

Now consider what happens when containers enter the mix. All of the VM issues remain, and they are potentially compounded. Inventories that were already hard to keep current because of VM sprawl must now accommodate containers as well, and any given VM could host dozens of them. Base images go stale just as VM images do: a container built from a six-month-old base image carries six-month-old libraries no matter how recently the application on top of it was written. And issues arising from the unexpected migration of VM images get significantly worse when the containers running on them can be relocated with a few keystrokes.

Now, this isn’t FUD — I’m not trying to scare you with nightmare scenarios of doom and gloom. Instead, I’m calling these potential issues out to highlight why it can be advantageous to extend existing IT governance structures and concepts into the container world.

Isn’t Governance Too Slow?

There is a misperception out there that IT governance is something slow and unwieldy — something that might be great if you work in a behemoth of an organization or in a shop that’s slow-moving and inflexible, but not something germane to the rest of us. So when discussing application containers, which are all about speeding up application delivery and making deployment more efficient, it might seem like IT governance would be the last thing to put on the table.

However, governance isn’t about slowing things down or introducing unnecessary rigidity. It’s designed to make sure resources are used as efficiently as possible. The whole point of governance is to ensure that the organization as a whole, and the individual stakeholders within it, get the most value per dollar invested in IT. Unpack that and you start to see a synergy: Containerization is about efficiency and so is IT governance; containerization is about ensuring the best use of limited resources and so is IT governance.

In fact, containerization technologies can and arguably should fold right into existing governance efforts. Regardless of the specific governance model or framework you’re using (e.g., COBIT, MOF, ITIL, etc.) — or even if you’re not using a formalized framework at all — some things are universally true. For example, start with an understanding of the business requirements that stakeholders have, including mapping out the specific services they need, delivering those services in an effective and reliable way and managing those services over time to ensure continuous improvement. Applying these steps in equal measure to containers as well as physical or virtual devices is good practice. It helps organizations manage risk, ensure performance is measured against specific goals and guarantee that specific requirements such as security or performance standards are addressed.

Specializing Governance to Your Environment

How do you accomplish these things? Different circumstances will dictate specifics, but there are a few ways to get started. First, if your organization is already using a governance framework for other aspects of IT, a productive step is to think critically and carefully about how containerization fits in. What’s different about what you need to manage and monitor in the container world? What governance structures need to change to accommodate them? Will policies and procedures need to change to adapt? Asking questions like these with containers in mind will help inform what you need to do next.

If your organization doesn’t use a formalized framework for IT governance, that’s OK. It’s unlikely that you’ll go through a formalization exercise specifically because of Docker, but you can still apply the same underlying concepts. Ask yourself how you will measure performance against goals at the level of an individual container. Do you have tools to do it now? What can you build or buy to help you measure? Do you have a way to create and maintain a service inventory? If so, will it extend to containers? If not, what can you plan now that will help you do that when the time comes? What do you need to do differently to manage security and technical risks once you adopt containerization technology? Do you have a way to find it if it’s adopted in shadow fashion by individual departments or business units?
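One concrete way to start answering the inventory and hygiene questions above, and the stale-image problem described earlier, is to audit what the container engine already knows about itself. The following is an added example, not code from the original article or from the Docker project. It runs three checks over JSON in the shape that `docker inspect` produces for containers and images (the field names Name, Created, Image, Config.User, HostConfig.Privileged and RepoTags are real; the records, container names and tags below are constructed for illustration), so it can run against captured output without a daemon. The six-month staleness threshold and the fixed clock are assumptions chosen for the example.

```python
"""Added example (not from the original article): a small container-hygiene
audit over the JSON that `docker inspect` emits for containers and images.
Field names follow the real schema; the records below are constructed."""
import json
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=180)  # assumption: the "six months" auditors ask about
SAMPLE_NOW = "2015-12-01T00:00:00Z"  # fixed clock so the sample run is reproducible

# Constructed sample: two container records and the two image records they
# reference. Real `docker inspect` output carries many more fields.
CONTAINERS_JSON = """
[
  {"Id": "c1", "Name": "/billing-api", "Created": "2015-09-01T10:00:00Z",
   "Image": "sha256:img-old", "Config": {"User": ""},
   "HostConfig": {"Privileged": false}},
  {"Id": "c2", "Name": "/batch-runner", "Created": "2015-11-20T08:30:00Z",
   "Image": "sha256:img-new", "Config": {"User": "app"},
   "HostConfig": {"Privileged": true}}
]
"""
IMAGES_JSON = """
[
  {"Id": "sha256:img-old", "RepoTags": ["acme/billing:1.2"],
   "Created": "2015-03-15T00:00:00Z"},
  {"Id": "sha256:img-new", "RepoTags": ["acme/batch:3.0"],
   "Created": "2015-11-18T09:00:00Z"}
]
"""


def parse_ts(value):
    """Parse a Docker RFC 3339 timestamp (optionally with nanoseconds) as UTC."""
    base = value.split(".")[0].rstrip("Z")
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def audit(containers_json, images_json, now):
    """Return (container name, finding) tuples for every hygiene problem found."""
    images = {img["Id"]: img for img in json.loads(images_json)}
    findings = []
    for c in json.loads(containers_json):
        name = c["Name"].lstrip("/")
        img = images.get(c["Image"])
        if img is None:
            # A running container whose image is not in the image inventory
            # is exactly the gap a service inventory is supposed to close.
            findings.append((name, "image not in inventory"))
        else:
            age = now - parse_ts(img["Created"])
            if age > STALE_AFTER:
                tag = (img.get("RepoTags") or ["<untagged>"])[0]
                findings.append((name, f"image {tag} built {age.days} days ago"))
        if c["HostConfig"].get("Privileged"):
            # --privileged hands the container most host capabilities; with a
            # shared kernel that is effectively root on the host.
            findings.append((name, "runs --privileged"))
        if not c["Config"].get("User"):
            # An empty User means the image never set USER, so processes run as uid 0.
            findings.append((name, "runs as root inside the container"))
    return findings


def audit_sample():
    """Run the audit over the constructed records with the fixed clock."""
    return audit(CONTAINERS_JSON, IMAGES_JSON, parse_ts(SAMPLE_NOW))


if __name__ == "__main__":
    for name, finding in audit_sample():
        print(f"{name}: {finding}")
```

In practice you would feed it the output of `docker inspect $(docker ps -q)` and `docker image inspect $(docker images -q)` and run it on a schedule, so the inventory question has a current answer rather than a quarterly one. The three checks map directly to the governance concerns in the text: an image missing from the inventory, an image older than the patch window, and a container whose privilege level nobody approved.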

The value that IT governance provides is directly proportional to complexity; the more complex something becomes, the more valuable it is to have a way to manage that complexity. IT governance and governance frameworks are one way to help do this and may prove to be a valuable tool in your toolbox.
