IT Briefcase Exclusive Interview: As Container Adoption Swells, So Do Security Concerns
March 21, 2017
With Gartner predicting that more than half of new workloads will be deployed into containers during at least one stage of the application lifecycle by 2018, container security strategy has become an increasingly hot topic. While valued for their deployment speed and simplicity, containers remain relatively exposed to malicious attacks and exploits.
In this Fresh Ink IT Briefcase segment, we talk to NeuVector CEO Fei Huang about the most pressing container security concerns and strategies to mitigate them.
- Q. As the rapid adoption of containers continues, what are the major security issues for enterprises when containers become part of the IT strategy?
A. There are an increasing number of security concerns that arise from the use of containers. The most critical are those for containers that are running in production, because it’s really been difficult to monitor running containers and detect if there are attacks against them. Containers and a microservices-based architecture generate a ton more internal, east-west traffic – and these connections bypass traditional security tools such as firewalls and security groups.
The rapid release cycles of the new DevOps workflow also make it difficult for security teams to keep up, and it’s not acceptable to an enterprise to slow down releases due to security concerns. New container-intelligent strategies and tools are increasingly required to secure modern applications during run-time.
- Q. Where does Docker do security right, and what are its limitations?
A. Docker has greatly improved the security of its core platform and engine, as well as its enterprise tools such as Docker Datacenter and Swarm. This means that images in registries can now be scanned for vulnerabilities automatically, access controls to containers can be enforced, and container secrets are better protected.
However, Docker is a platform company, not a security company. So it really can’t be expected to develop the sophisticated application and network security tools that the security industry typically provides. Detection of threats and new zero-day attacks really demand the constant attention and vigilance of a dedicated security vendor. Not all enterprises will use Docker’s enterprise tools (such as Swarm), so security features need to work regardless of the orchestration and management platform or cloud provider used.
- Q. How is NeuVector different from other container security approaches in the market?
A. NeuVector is the only container security solution with deep application-layer intelligence built into real-time network packet inspection and enforcement. Think of NeuVector as a distributed, Layer 7 (deep packet inspection) firewall for containers that’s zero-configuration for detecting violations. Add to that host security for detecting exploits and scanning to detect container vulnerabilities, and enterprises now have a complete runtime security solution for containers. Our founding team has combined experience in networking, security, and virtualization to develop unique technology to secure container networks. It’s an industry we know well, and we saw an unmet need.
- Q. How does NeuVector’s real-time policy enforcement and distributed intelligence help secure containers?
A. The built-in intelligence means that false positives are eliminated through a whitelist-based policy. This is enforced – in real-time at the network layer – so that it is as accurate, fast, and non-intrusive to running containers as possible. It is also scalable, so no manual updates are required as containers scale up or down (even across hosts or clouds). Other solutions use sampling or other techniques to mimic real-time enforcement but are either cumbersome to configure or not as accurate as NeuVector. NeuVector works quickly and is lightweight, and the processing is distributed across all hosts so application workloads are not affected.
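To make the two ideas above concrete (east-west container traffic that a perimeter firewall never sees, and a whitelist-based policy keyed on application-layer protocol that does not need updating when containers scale), here is an added, self-contained illustration. It is not NeuVector's code or anything from the interview: the inventory, flow records and service labels are constructed, the "learn a baseline, then default-deny everything else" approach is an assumption about how a zero-configuration whitelist is commonly built, and a real product would enforce inline on packets rather than evaluate records after the fact.

```python
"""Allowlist (whitelist) policy for east-west container traffic.

Constructed example, not NeuVector's implementation. Assumptions:
  * the orchestrator tells us which service label each container IP belongs to
    (so rules are written per service, not per IP, and survive scaling);
  * observed connections arrive as flow records whose application protocol
    has already been classified by deep packet inspection (e.g. "http", "ssh").
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# A rule is (source service, destination service, destination port, L7 protocol).
Rule = Tuple[str, str, int, str]


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str  # L7 protocol as classified by packet inspection


def resolve(ip_to_service: Dict[str, str], ip: str) -> str:
    """Map a container IP to its service label; anything unknown is 'external'."""
    return ip_to_service.get(ip, "external")


def flow_key(flow: Flow, ip_to_service: Dict[str, str]) -> Rule:
    """Normalise a flow to the service-level tuple that rules are written in."""
    return (resolve(ip_to_service, flow.src_ip),
            resolve(ip_to_service, flow.dst_ip),
            flow.dst_port,
            flow.protocol)


def learn_policy(baseline: Iterable[Flow], ip_to_service: Dict[str, str]) -> Set[Rule]:
    """Learning mode: every distinct service-to-service connection in a trusted
    baseline becomes an allow rule. Nothing else will be permitted later."""
    return {flow_key(f, ip_to_service) for f in baseline}


def evaluate(flows: Iterable[Flow], policy: Set[Rule],
             ip_to_service: Dict[str, str]) -> List[Tuple[Flow, Rule]]:
    """Protect mode: default deny. Any flow whose service-level key is not in
    the allowlist is reported as a violation, with the key that was missing."""
    violations = []
    for f in flows:
        key = flow_key(f, ip_to_service)
        if key not in policy:
            violations.append((f, key))
    return violations


# --- constructed sample data -------------------------------------------------
# Inventory at learning time: one web replica, one api, one db.
INVENTORY_T0 = {"10.0.1.10": "web", "10.0.2.10": "api", "10.0.3.10": "db"}
# Later the web tier scaled out; the new replica has a new IP but the same label.
INVENTORY_T1 = {**INVENTORY_T0, "10.0.1.11": "web"}

BASELINE = [  # trusted traffic observed while the app ran normally
    Flow("10.0.1.10", "10.0.2.10", 8080, "http"),
    Flow("10.0.2.10", "10.0.3.10", 5432, "postgres"),
]

OBSERVED = [  # traffic seen after the policy was switched to protect mode
    Flow("10.0.1.11", "10.0.2.10", 8080, "http"),      # new web replica: allowed without a rule change
    Flow("10.0.1.10", "10.0.3.10", 22, "ssh"),         # web opening ssh to db: lateral movement attempt
    Flow("10.0.2.10", "10.0.3.10", 5432, "postgres"),  # normal api->db
    Flow("10.0.9.50", "10.0.3.10", 5432, "postgres"),  # unknown source hitting the database
    Flow("10.0.2.10", "10.0.3.10", 5432, "http"),      # right port, wrong L7 protocol: port-only rules miss this
]


def demo() -> Tuple[Set[Rule], List[Tuple[Flow, Rule]]]:
    policy = learn_policy(BASELINE, INVENTORY_T0)
    return policy, evaluate(OBSERVED, policy, INVENTORY_T1)


if __name__ == "__main__":
    learned, found = demo()
    print("allow rules:", sorted(learned))
    for flow, key in found:
        print("VIOLATION", key, "from", flow.src_ip, "to", flow.dst_ip)
```

Three of the five observed flows are flagged; the new web replica is not, because the rule names the service label rather than an IP. The last record shows why the interview stresses Layer 7: a port-based security group would accept HTTP aimed at the database port, while a rule that includes the classified protocol rejects it.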
- Q. What kinds of companies are using NeuVector? What’s a use case look like?
A. The types of companies using containers in production are those that benefit from rapid deployment cycles to deliver better features to their customers. These include internet SaaS companies, consumer-facing banks, automotive firms, and retailers with a large online presence. Internet businesses are typically already in production with containers and as they grow and mature they realize they need better visibility and control of their containers, from a security perspective.
Simple host and kernel security and manually configured rules might have been acceptable in the past, but as the risk of attacks grows and the business impact becomes more critical, they realize dedicated security tools are needed. Banks and other enterprises with mature deployments are planning their migration to containers and realize there’s a gap in network visibility and security for container networks.
About Fei Huang
Fei Huang is the CEO of NeuVector, a container security solution. He has over 20 years of experience in enterprise security, virtualization, cloud and embedded software. He has held engineering management positions at VMware, CloudVolumes, and Trend Micro and was the co-founder of DLP security company Provilla. Fei holds several patents for security, virtualization and software architecture.