How Grafeas bolsters Linux container security

Many in the IT industry are calling 2018 the year of the Linux container, with Kubernetes as the container orchestrator. Linux containers have broad appeal for enterprises because they make it easier to ensure consistency across environments and multiple deployment targets such as physical servers, virtual machines (VMs), and private or public clouds.

As an extension of the operating system, specifically the Linux kernel, Linux containers are built from a runtime and format and then orchestrated with network and storage resources across clusters of hosts, most commonly with Kubernetes.

The end result is a set of lightweight, dynamic, and secure application services, each self-contained inside a Linux container and able to run by themselves or in conjunction with other containerized applications to create a more flexible, yet complex, enterprise application.

Linux container-based applications represent a clear path toward the enterprise of the future, but one key issue remains: Despite their open-source nature, Linux containers are surprisingly opaque. This means that it can be difficult to determine a range of attributes, from who made the container to what software is included to whether or not a container has any known vulnerabilities within it.

Here's how to secure your Linux containers with new tools.


The container security challenge

Securing containers is a lot like securing any running process. You need to think about security throughout the layers of the stack before you deploy and run your container. You also need to think about security throughout the application and container lifecycle.

We’re starting to see a situation similar to what happened about 10 years ago in the early days of Linux. People didn’t yet trust open source, so there were a lot of concerns—some real and some imagined—that had to be addressed in order to make open source safe and trustworthy for production workloads.

Today, open source as a technical concept has grown to the point where the majority of technologies you download today are open source. Organizations large and small no longer want to be tied to proprietary software. This evolution is now shifting to Linux containers and orchestration.

While containers inherit many of Linux's security features, you need to consider a few issues before implementing them in mission-critical roles. Enterprises require strong security, and anyone running essential services in containers should ask themselves:

  • Are these containers secure, and can we trust these specific containers with our applications?
  • If I use this service, is there any commercial support behind it? If something doesn't work, who do I turn to?
  • Who do I trust to deliver this software to me, i.e., what is the provenance of this container?
  • How do I know what code is in this piece of software?
  • Can I trust that it does only what it's advertised to do?

How Grafeas tackles container security

It’s these variables that Grafeas, a newly launched container metadata and API project, aims to address. Launched by Google in collaboration with JFrog, Red Hat, IBM, Black Duck, Twistlock, Aqua Security, and CoreOS, Grafeas presents a vendor-agnostic, open API for integrations into software build processes, resulting in provenance and auditing improvements.

Building on this metadata store and open API, the sister project Kritis was launched to provide an extensible policy-execution process that automates enforcement of this metadata analysis on Kubernetes.

With Grafeas, organizations will be able to evolve container signing into robust criteria suited for on-premises and public cloud deployments of API-centric microservices or modernized complex applications. With both projects, organizations can take that further and offer pluggable layers of verification and challenges, delegations to trusted scanning services, and a facility to help stop incidents before they happen, all while limiting interruptions to application delivery.

Because Grafeas gives a deeper understanding of what’s inside a container, security policies can be automated based on that information, and with Kritis, users can define the actions that they would like their orchestration platform (in this case, Kubernetes) to take on their behalf. This gives IT organizations more control over both their containers and their orchestration platforms, bringing the emerging innovation of containers in line with existing security and compliance policies.
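As an added illustration of the flow the last two paragraphs describe (this is not code from Grafeas or Kritis and does not use their real APIs): scanner and signer results are recorded as metadata keyed by image digest, and an admission-time policy decides whether Kubernetes should run the image. `Occurrence` and `Policy` are simplified stand-ins for a Grafeas occurrence and a Kritis image security policy, and the digest, CVE ids and attestor names are constructed placeholders.

```python
"""Simplified Grafeas/Kritis-style admission check (added example, not project code)."""
from dataclasses import dataclass

SEVERITY_RANK = {"MINIMAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass
class Occurrence:
    resource: str  # image reference, pinned by digest (stand-in for a Grafeas occurrence)
    kind: str      # "VULNERABILITY" (from a scanner) or "ATTESTATION" (from a signer)
    detail: dict


@dataclass
class Policy:
    max_severity: str        # highest severity that is still admitted
    allow_unfixed: bool      # admit findings that have no fixed version yet
    required_attestors: set  # every listed attestor must have signed the image


def evaluate(image, occurrences, policy):
    """Return (admit, reasons). A tag-only reference is rejected outright: metadata
    is bound to a digest, and a tag can be re-pointed at different content."""
    if "@sha256:" not in image:
        return False, ["image is not pinned by digest"]
    reasons = []
    mine = [o for o in occurrences if o.resource == image]
    for o in (o for o in mine if o.kind == "VULNERABILITY"):
        cve, sev = o.detail["cve"], o.detail["severity"]
        if SEVERITY_RANK[sev] > SEVERITY_RANK[policy.max_severity]:
            reasons.append(f"{cve}: severity {sev} exceeds {policy.max_severity}")
        elif o.detail.get("fixed_version") is None and not policy.allow_unfixed:
            reasons.append(f"{cve}: no fix available")
    signed_by = {o.detail["attestor"] for o in mine
                 if o.kind == "ATTESTATION" and o.detail.get("verified")}
    for missing in sorted(policy.required_attestors - signed_by):
        reasons.append(f"missing attestation from {missing}")
    return not reasons, reasons


# Constructed sample metadata: the digest and CVE ids are placeholders, not real findings.
IMAGE = "registry.example.com/app/api@sha256:" + "a" * 64
SAMPLE = [
    Occurrence(IMAGE, "VULNERABILITY", {"cve": "CVE-0000-0001", "severity": "MEDIUM", "fixed_version": "1.2.4"}),
    Occurrence(IMAGE, "VULNERABILITY", {"cve": "CVE-0000-0002", "severity": "CRITICAL", "fixed_version": None}),
    Occurrence(IMAGE, "ATTESTATION", {"attestor": "qa-signer", "verified": True}),
]
POLICY = Policy(max_severity="HIGH", allow_unfixed=False, required_attestors={"qa-signer", "build-signer"})

if __name__ == "__main__":
    admit, why = evaluate(IMAGE, SAMPLE, POLICY)
    print("admit" if admit else "deny", why)
```

The sample image is denied twice over: one finding is above the severity ceiling, and one required attestor never signed it.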

Of course, the implementation of Linux containers is not just about security. Your container platform needs to provide an experience that works for your developers and your operations team. You need a secure, enterprise-grade container-based application platform that enables both developers and operators, without compromising the functions needed by each team, while also improving operational efficiency and infrastructure utilization.

Security has to become an integral part of the workflows, the automation executing them, and the platform on which they live. This process is often called DevSecOps.

Get ready for DevSecOps

According to Gartner, by 2019, more than 70% of enterprise DevOps initiatives will have incorporated automated security vulnerability and configuration scanning for open-source components and commercial packages, up from less than 10% in 2016.

DevSecOps is not so much about using specific tools and processes, though. It’s about combining a DevOps mindset with shared ownership of security, managed collaboratively. Container platforms that bring together the necessary automation, scanning, workflow, developer tooling, and management certainly simplify integration and maintenance going forward.

However, it's equally important to develop a mindset and build a DevSecOps culture with continuous security that replaces multi-month patch cycles and periodic audits. As we progress into the year of the Linux container, security will become one with DevOps.