Container security considerations for developers
Richard Harris in Security, Monday, October 29, 2018
Container security thoughts for developers to consider when speed of delivery gets put above safeguarding the application, and how secure service containers can make your life easier by bringing together agility and security.
On the path to a secure digital business, secure service containers bring the best of agility and security to development teams – a growing concern for companies from startups to the Fortune 500. By moving the security concern out of the application layer into an encompassing container platform, one provides a very elegant solution to significantly reduced attack vectors – including the insider threat – while making it easy to protect existing business solutions without disruption. This is the only sensible path forward for businesses that wish to truly address data privacy and security while continuing to innovate at lightning speed.
We recently caught up with Marcel Mitran, CTO for IBM LinuxONE platform and a corporate-wide leader for IBM Systems ecosystem and performance, to chat about developers' struggle for speed of delivery, and how sometimes that compromises the integrity of the application's security.
ADM: What is the top challenge developers face amid the pressure to push out apps more quickly?
Mitran: One challenge I see time and time again with development teams is prioritizing deployment over security. We all know that agility is king, but keeping security and data privacy top-of-mind is critical. Without proper focus on security, and ensuring security is built-in from the onset – be it as a start-up, scale-up or Fortune 500 – everyone today is vulnerable to the growing presence of threats – both inside and outside of their companies. The good news is that while the cost of security breaches is increasing – reaching an average cost of $3.86 million per global breach,[1] a 6.4 percent increase from 2017 – new tools like secure service containers are helping to ease this tension. A win-win for developers and security teams alike.
ADM: How might secure service containers mitigate this challenge?
Mitran: Secure service containers bring the best of agility and security to development teams by protecting the privacy of sensitive company and customer data using unique pervasive container encryption technology while allowing development teams to use cutting-edge cloud-native technologies to deploy new or existing containerized applications. We’re finding that clients that want to move at the speed of business, but are feeling bound by limited resources spread across development and security - the combination of these capabilities has been critical to advance on the path to a secure digital business. Not to mention, leveraging secure service containers helps address key compliance challenges, a significant pain point for today’s CIOs and developers.
ADM: Can agility and security live harmoniously for developers?
Mitran: Absolutely. The way I think about this is creating a hardened and secured encompassing environment with agility built into it. Often, we hear CISOs hyper-focused on only security, while we know dev teams and CIOs are often super focused on agility, which can create a rift within organizations – resulting in a disjointed, inhibited and reactive approach to delivering solutions. By thinking about both concepts as one, secure, agile environment, we’re bringing priorities together in a new way to achieve a common mission. Both parties need to reach across the aisle and work as one team – otherwise, both initiatives fail. As the focus on security and data privacy continues to gain steam across the industry, I only expect the relationships between security and development teams to strengthen across organizations.
ADM: Why is it critical for developers to prioritize security in the development process?
Mitran: Year-over-year, we’re continuing to see growing numbers around security breaches. Consumers and business leaders are quickly recognizing that data protection and security are immutable business imperatives. With the introduction of broad regulatory compliance standards like GDPR and the emergence of new privacy-focused business models, data governance is quickly becoming the next big disruptor. In addition, what most people might not realize is that a majority of breaches (60 percent)[2] stem from insider threats, which are incredibly difficult to detect and protect against effectively. Building auditable, integrated and trusted security solutions is an incredibly hard problem to solve – particularly in the context of legacy business solutions. Developers will be inherently and heavily taxed in addressing these concerns.
ADM: How can DevOps aid in this process?
Mitran: Developing and deploying at the speed of business is today’s standard. DevOps best practices – cloud automation, containers and self-service consumption models – have freed developers from mundane and error-prone tasks, allowing them to focus on core competencies and business outcomes. A heightened focus on security can easily represent another impedance to speed if not holistically integrated into DevOps processes. By making security simple and encompassing of application stacks we make it easy to integrate as a repeatable and error-proof process into existing DevOps practices, keeping developers moving fast and unhindered.
ADM: How do you see the security environment for developers evolving over the next 12-18 months?
Mitran: Today we are seeing security and privacy being addressed through a disjoint collection of solutions that reduce attack vectors in a piecemeal fashion. Monitoring and detection are used where the attack vectors cannot be programmatically addressed (e.g. insider threats). This is creating complex and costly systems that are non-standard, fraught with error, that leave key attack vectors open, while still putting tremendous burden on developers to do the right thing from an application and solution development perspective. By moving the security concern out of the application layer into an encompassing container platform one provides a very elegant solution to significantly reduced attack vectors – including the insider threat – while making it easy to protect existing business solutions without disruption. This is the only sensible path forward for businesses that wish to truly address data privacy and security while continuing to innovate at lightning speed.
Marcel is the CTO for IBM LinuxONE platform and a corporate-wide leader for IBM Systems ecosystem and performance. He actively collaborates with IBM research, academia and development teams to drive innovation in the IBM Systems stack. He works closely with partners, vendors and open source communities bringing best-of-breed solutions to the LinuxONE platform. He also collaborates with clients around the world, helping them succeed with new workload deployments on IBM Systems. With over 40 patents filed with the USPTO, Marcel is an IBM Master Inventor.