Container security tips for the C-level, from a CISO

Sep 14, 2017 | 3 mins

While IT teams and software developers are more familiar with the fundamentals and benefits of containers, C-level executives often don’t have as much visibility into the value they provide.


Container security has been gaining steam over the last few years. Many enterprises are experimenting with containers, and a recent 451 report showed that 25 percent of companies have already implemented the technology. While IT teams and software developers are more familiar with the fundamentals and benefits of containers, C-level executives often don’t have as much visibility into the value they provide.

Understand that you’re probably already using them

With open source roots, lots of flexibility, and an ability to make developers’ day-to-day jobs easier, containers often grow organically within an organization. Even if you don’t officially support them today, there’s a good chance you have individuals and even whole teams already using them, possibly in sophisticated ways as part of important business processes. Don’t drive the adoption underground with heavy-handed mandates telling people which tools they should use to do their best work. Instead, bring them into the light with examples of people who use containers correctly. Take a ‘guardrails and traffic cameras’ approach: give teams broad definitions of how best to use containers and monitor how they’re actually using them, but don’t put stop signs in the way of something that is pretty difficult to prevent anyway.

Containers are probably not going to replace VMs

While there are many breathless articles about containers “killing” VMs, the reality is that the two are largely complementary technologies. Most organizations, even those that embrace containers heavily, are likely to still run them within VMs. They’re different tools that solve different problems, and you shouldn’t look at them as an either/or question. You’ll use VMs to virtualize and compartmentalize your hardware, and use containers to do the same for your operating systems. For example, VMs provide strong security boundaries, so many organizations will use them to segregate workloads by sensitivity level, while using containers to run apps of the same sensitivity level within that VM.

Containers require a culture shift for people and processes

The most important thing for organizations adopting containers isn’t technical – it’s about people and processes. Containers bring great advantages in velocity, efficiency, and even security. But, to reap these benefits, an organization must evolve its operational practices to focus on automation, repeatability, and ‘infrastructure as code’. If deploying a new VM involves a human being, you’re already behind the curve and won’t really feel the advantage of containers.

Before focusing on the technology part, you need to figure out how to align your teams to have closer cooperation between DevOps and security. You’ll need to automate all manual touch points you currently have in provisioning and operational workflows. If you’re doing a process more than once, you’ll also need to establish a template that can do it identically the next 10,000 times. The organizations that embrace these operational changes are the ones that will reap the most rewards from containers.


John Morello is the Chief Technology Officer at Twistlock. As CTO, John leads the work with strategic customers and partners and drives the product roadmap. Prior to Twistlock, John was the CISO of Albemarle, a Fortune 500 global chemical company. Before that, John spent 14 years at Microsoft, in both Microsoft Consulting Services and product teams. He ran feature teams that shipped security technologies in Windows, Azure, and Office 365 and served as the Lead Architect of the hybrid cloud consulting team for the Americas.

John lives in Louisiana with his wife and two young sons. A passionate fisherman and scuba diver, he also serves as Chairman of the Coalition to Restore Coastal Louisiana.

The opinions expressed in this blog are those of John Morello and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.