August 14, 2015 By Ed Moyle 4 min read

Application containerization technologies such as Docker and CoreOS’ Rocket are quite literally transforming enterprise IT in many organizations. The “State of Containers 2015 Docker Adoption Survey” from StackEngine found that 70 percent of those they surveyed were either already using or evaluating containerization in their enterprises, and 31 percent were planning on using it in the production environment.

This is pretty striking considering that Docker's 1.0 release only occurred in June 2014. When any technology goes from “not yet released” to “most people are using it” in about a year, it’s pretty clear there’s something going on, and it’s important for technology pros — particularly security professionals — to pay attention.

About Containers

For those who aren’t familiar, containerization technologies allow users to create application packages, or containers, that hold one or more applications as well as any underlying support software (e.g., code libraries, middleware, services, etc.) required for those applications to run. A container provides a segmented, sequestered environment for the application, isolating it from other containers or processes running on the same host. If you remember using chroot or FreeBSD jails to create isolated filesystems, it’s similar, except that the isolation extends to other system resources such as the network stack and process space.

To many, this might sound conceptually similar to OS virtualization. From a usage standpoint, it is similar; unlike OS virtualization, however, the package contains only the minimum software necessary for the application to run. Instead of having rack after rack of hypervisors running virtual images all containing redundant, near-identical copies of an underlying OS, you have a portable, relatively small package that’s lean and efficient.

Developers love the portability: They can quickly move the container from environment to environment (from their unit testing platform to QA, for example), meaning they spend less time debugging configuration issues and more time writing business logic. Data center managers love it, too, because the increased efficiency allows for greater density within the data center; more applications can run more efficiently on less hardware.

Docker and Rocket: A Balancing Act

Those benefits are pretty exciting. But from a security and management point of view, there can be some challenges when it comes to containerization at scale. Remember virtual machine (VM) sprawl? Most organizations historically struggled with the proliferation of VMs and the challenges of keeping inventories current, which can complicate compliance activities, slow down incident response and make otherwise routine hygiene activities like patching more difficult. Remember the issues associated with stale VM images? Arguing with auditors about why these images haven’t been patched in the past six months isn’t a conversation most love having.

Consider what happens to these issues when containers enter into the mix. Not only are all the VM issues still there, but they’re now potentially compounded. Inventories that were already difficult to keep current because of VM sprawl might now have to accommodate containers, too; for example, any given VM could contain potentially dozens of individual containers. Issues arising from unexpected migration of VM images might be made significantly worse when the containers running on them can be relocated with a few keystrokes.

Now, this isn’t FUD — I’m not trying to scare you with nightmare scenarios of doom and gloom. Instead, I’m calling these potential issues out to highlight why it can be advantageous to extend existing IT governance structures and concepts into the container world.

Isn’t Governance Too Slow?

There is a misperception out there that IT governance is something slow and unwieldy — something that might be great if you work in a behemoth of an organization or in a shop that’s slow-moving and inflexible, but not something germane to the rest of us. So when discussing application containers, which are all about speeding up application delivery and making deployment more efficient, it might seem like IT governance would be the last thing to put on the table.

However, governance isn’t about slowing things down or introducing unnecessary rigor. It’s instead designed to make sure resources are most efficiently used. The whole point of governance is to ensure that the organization as a whole — and individual stakeholders within it — are getting the most value per dollar invested in IT as possible. Unpack that and you start to see a synergy: Containerization is about efficiency and so is IT governance; containerization is about ensuring best use of limited resources and so is IT governance.

In fact, containerization technologies can and arguably should fold right into existing governance efforts. Regardless of the specific governance model or framework you’re using (e.g., COBIT, MOF, ITIL, etc.) — or even if you’re not using a formalized framework at all — some things are universally true. For example, start with an understanding of the business requirements that stakeholders have, including mapping out the specific services they need, delivering those services in an effective and reliable way and managing those services over time to ensure continuous improvement. Applying these steps in equal measure to containers as well as physical or virtual devices is good practice. It helps organizations manage risk, ensure performance is measured against specific goals and guarantee that specific requirements such as security or performance standards are addressed.

Specializing Governance to Your Environment

How do you accomplish these things? Different circumstances will dictate specifics, but there are a few ways to get started. First, if your organization is already using a governance framework for other aspects of IT, a productive step is to think critically and carefully about how containerization fits in. What’s different about what you need to manage and monitor in the container world? What governance structures need to change to accommodate them? Will policies and procedures need to change to adapt? Asking questions like these with containers in mind will help inform what you need to do next.

If your organization doesn’t use a formalized framework for IT governance, that’s OK. It’s unlikely that you’ll go through a formalization exercise specifically because of Docker, but you can still apply the same underlying concepts. Ask yourself how you will measure performance against goals at the level of an individual container. Do you have tools to do it now? What can you build or buy to help you measure? Do you have a way to create and maintain a service inventory? If so, will it extend to containers? If not, what can you plan now that will help you do that when the time comes? What do you need to do differently to manage security and technical risks once you adopt containerization technology? Do you have a way to find it if it’s adopted in shadow fashion by individual departments or business units?
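One way to start answering the inventory questions above in code: the check below, added here as an illustration and not part of the original article, takes the per-host container listing you would gather from `docker ps` and `docker inspect`, compares it against a service inventory, and flags images older than six months (the stale-image window mentioned earlier) as well as containers nobody registered. The host names, container names, image tags and the 180-day policy are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from any real environment). Each record holds
# the few fields you would pull from `docker ps` / `docker inspect` on a host:
# the host the container runs on, its name, the image tag and when that image
# was built.
RUNNING_CONTAINERS = [
    {"host": "vm-07", "name": "billing-api", "image": "corp/billing:1.4",
     "image_created": "2015-01-10T12:00:00Z"},
    {"host": "vm-07", "name": "billing-db", "image": "corp/postgres:9.4",
     "image_created": "2015-07-30T08:00:00Z"},
    {"host": "vm-12", "name": "marketing-wp", "image": "wordpress:4.2",
     "image_created": "2014-12-01T00:00:00Z"},
]

# Constructed service inventory: (host, container name) pairs the organization
# has approved and tracks. Anything running that is not listed here is a
# candidate for shadow adoption by a department or business unit.
SERVICE_INVENTORY = {("vm-07", "billing-api"), ("vm-07", "billing-db")}

# Assumed policy: an image older than six months is treated as unpatched.
MAX_IMAGE_AGE = timedelta(days=180)


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp format Docker emits (trailing 'Z')."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_containers(running, inventory, now, max_age=MAX_IMAGE_AGE):
    """Return stale-image and unregistered containers plus per-host counts."""
    report = {"stale": [], "unregistered": [], "per_host": {}}
    for c in running:
        report["per_host"][c["host"]] = report["per_host"].get(c["host"], 0) + 1
        # Stale: the image the container runs was built longer ago than policy allows.
        if now - parse_ts(c["image_created"]) > max_age:
            report["stale"].append(c["name"])
        # Unregistered: running on a host, but absent from the service inventory.
        if (c["host"], c["name"]) not in inventory:
            report["unregistered"].append(c["name"])
    report["stale"].sort()
    report["unregistered"].sort()
    return report


if __name__ == "__main__":
    result = audit_containers(RUNNING_CONTAINERS, SERVICE_INVENTORY,
                              parse_ts("2015-08-14T00:00:00Z"))
    for kind in ("stale", "unregistered"):
        print(f"{kind}: {', '.join(result[kind]) or 'none'}")
    print("containers per host:", result["per_host"])
```

In practice the records would come from an agent or API call on each VM; the per-host counts are what show you how many containers a single VM inventory entry is hiding.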

The value that IT governance provides is directly proportional to complexity; the more complex something becomes, the more valuable it is to have a way to manage that complexity. IT governance and governance frameworks are one way to help do this and may prove to be a valuable tool in your toolbox.
