Using containers and microservices, developers can easily avoid brittle designs that fall apart when a library is upgraded or patched, and gain free scalability in the process. For them, it’s win-win-win.
But for IT managers, containers bring a lot of moving pieces, and much potential for deployment complexity. For example, containers can be “packed” more tightly into servers to use resources more efficiently. But if two dependent services are running on different hosts, they may create network or inter-VM traffic that must be managed and controlled. The whole idea of DevOps — a set of practices that automates processes between the app development and IT teams — shifts some operational responsibilities to the development team, but in the long run, IT managers still have to see the big picture.
Configuration management databases and application inventories have to drill down deeper into application architecture: What services are needed, how do they interact, and what kind of traffic patterns are expected? Prepare to train operations teams as well as developers when shifting to containers.
Container Security Requires Greater Scrutiny
Containers run on hosts, and IT managers already know how to secure hosts. Everything learned over the years about how to secure the underlying hosts for Unix and Windows applications applies here. In fact, there are guidelines available from the Center for Internet Security specific to hosts running containers.
But container images require a new level of scrutiny, because they are invariably built on top of other open-source tools, all of which may have their own security vulnerabilities. An entire supply chain supports each container image built by developers, and without controls and tools to verify the source and security status of the underlying software, there is a risk of introducing insecure components onto otherwise secure hosts.
Developers may resist the notion of having IT security sit between their fast-moving development cycle and production deployment, but some type of gatekeeper is critical to maintaining secure operations. Of course, IT managers have to do their part — the security and validity checks must be automated and fast so that any vulnerability is identified quickly and clearly.
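As an added illustration (not code from the article), the sketch below shows one shape such an automated gatekeeper could take: it checks where an image came from, whether it is pinned, and what its scan reported, and it returns clear reasons for every block. The registry name, approved base list, severity policy, record layout and finding IDs are all assumptions constructed for the example.

```python
import re

# Assumed policy values for illustration (hypothetical, not from the article).
TRUSTED_REGISTRIES = {"registry.example.internal"}
APPROVED_BASES = {"registry.example.internal/base/python@sha256:" + "a" * 64}
BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}

# registry/repo[:tag][@sha256:<64 hex>]
IMAGE_REF = re.compile(
    r"^(?P<registry>[^/]+)/(?P<repo>[^@:]+)"
    r"(?::(?P<tag>[^@]+))?(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)

def gate(image):
    """Return (allowed, reasons) for one image record; fails closed."""
    m = IMAGE_REF.match(image.get("ref", ""))
    if not m:
        return False, ["unparseable image reference"]
    reasons = []
    if m["registry"] not in TRUSTED_REGISTRIES:
        reasons.append(f"untrusted registry: {m['registry']}")
    if not m["digest"]:
        reasons.append("not pinned by digest (tags can be repointed)")
    if image.get("base") not in APPROVED_BASES:
        reasons.append("base image not on approved list")
    scan = image.get("scan")
    if scan is None:
        # A missing scan is a failure, not a pass.
        reasons.append("no vulnerability scan attached")
    else:
        for finding in scan:
            if finding["severity"] in BLOCKING_SEVERITIES:
                reasons.append(f"{finding['severity']} finding {finding['id']} in {finding['package']}")
    return not reasons, reasons

# Constructed sample records, as a build pipeline might emit them.
APPROVED = next(iter(APPROVED_BASES))
PINNED = "registry.example.internal/shop/cart@sha256:" + "b" * 64
SAMPLES = {
    "clean": {"ref": PINNED, "base": APPROVED,
              "scan": [{"id": "EXAMPLE-0001", "severity": "LOW", "package": "libfoo"}]},
    "public-tag": {"ref": "docker.io/someuser/cart:latest",
                   "base": "docker.io/library/python:3", "scan": None},
    "vulnerable": {"ref": PINNED, "base": APPROVED,
                   "scan": [{"id": "EXAMPLE-0002", "severity": "CRITICAL", "package": "libbar"}]},
}

if __name__ == "__main__":
    for name, image in SAMPLES.items():
        allowed, reasons = gate(image)
        print(name, "ALLOW" if allowed else "BLOCK", "; ".join(reasons))
```

Because the gate only inspects metadata the pipeline has already produced, it runs in milliseconds, and the reason strings give developers a specific item to fix rather than a bare rejection.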