
HyperCloud™ Delivers 5 Layers of Security for your Containerized Applications

December 2, 2016

HyperGrid recently announced the availability of HyperCloud™, a hybrid cloud service that offers application, platform and infrastructure services to accelerate transformation and delivery of business applications. HyperCloud™ provides a full scale-out application platform to your datacenter as a service, delivering true cloud agility and economics inside your own datacenter.

One of the key benefits of HyperCloud™ is the ability to modernize existing legacy applications without making a single code change and using the existing skill sets within your organization. The on-the-fly containerization capabilities allow users to “lift and shift” existing Java and .NET applications to containers while taking care of the complex application dependencies, automatic service discovery, auto-scaling and integration with any external service (e.g., storage, networking, logging, etc.).

Organizations that are looking to run mission-critical applications on containers will undoubtedly have concerns about networking and security, among other aspects that are needed to run applications in production. Here are some common questions that IT and Network Administrators may have.

  • How do we provision, secure and manage the required network interfaces for containers?
  • With the increased density by which containers are deployed on hosts (servers), how do we avoid the “noisy neighbor” problem as containers fight for resources on the underlying machines?
  • How can we ensure that only secured images from trusted sources are used across the organization?
  • How do we prevent unauthorized binaries from getting executed at runtime inside the containers?
  • How do we secure communication paths across different layers of our deployed applications for data loss prevention?
  • How do we ensure that containers run with the minimum privileges and resources needed to function effectively, minimizing the risk of denial-of-service attacks?
  • How do we entitle users to use networks and storage volumes created specifically for their workloads?

HyperForm, the core DevOps and Cloud Automation engine in HyperCloud™, addresses these challenges and enables consistent deployment, security policy enforcement, visibility, and governance for all applications, running on premises or in the cloud. The platform’s self-service portal enables users to create software-defined networks and storage on demand to support application deployment on any infrastructure.

The 5 layers of security provided by HyperForm ensure the security of applications: from fine-grained access control that enforces role-based access privileges at the container level, to network isolation and segmentation that secure multi-tier applications across different environments.

  • Trusted Sources – Granular entitlements can be applied to application templates to ensure that only trusted images that are free from vulnerabilities and malicious behavior can be used from development to production.
  • Binary Execution Control – HyperForm allows administrators to enforce a “blacklist” policy to ensure that certain commands are not executed inside containers from within the in-browser terminal. Moreover, the plug-in framework, which facilitates controlled container updates post-provision, provides granular entitlements to ensure that only standardized, IT-blessed updates can be applied to applications.
  • Network Isolation & Segmentation – HyperForm provides on-demand network security that is governed by granular entitlements and access controls.
    • Network Isolation – Isolated overlay networks can be created as part of the creation of clusters or development environments to provide a secure communication path between containers.
    • Network Segmentation – Network segmentation is achieved by allowing users to create networks that secure communication between containers. This allows users to create segmentation between the application layers. For example, in a 3-tier application, a user can prevent the web server from communicating with the database by creating two isolated networks, one attached to the web server and the other to the database. Both networks in this case would be attached to the application server to facilitate multi-tier application segmentation.
    • On-Demand Network Creation – Network Blueprints can be published to the service library to enable the automated, self-service creation of networks.
    • Granular Entitlements – Entitlements can be applied to Networks to ensure that only entitled users are able to attach their containers to already existing networks.
    • Alerts – Users can be notified about unauthorized attempts to attach a container to an un-entitled network via network violation alerts.
  • Default Network Security – HyperForm provides default network security by creating new networks for new application deployments that do not have pre-configured networks. This eliminates the threat of external attacks that take advantage of network vulnerabilities.
  • Least Privilege & “Noisy Neighbor” Control – Advanced controls can be applied to container clusters to ensure that containers run with the minimum privileges needed to function effectively and that resource utilization limits (e.g. CPU and Memory) can be applied to any containerized workloads running in the cluster. Approval policies can be applied to both container runtime privileges and resource constraints.
    • Runtime Privileges: Cluster Admins can apply approval policies on container privileges like cap-add and privileged in order to control containers requiring access to all devices on the host or the ability to add Linux capabilities.
    • Runtime Constraints on Resources: Cluster Admins can define the default limits on the number of containers allowed per application deployment and the amount of CPU and Memory that containers can consume. For container deployments that exceed the pre-defined thresholds, approval workflows are triggered to allow Cluster Admins to approve deployment requests on a case-by-case basis.
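The network entitlement and alerting layer and the approval policies on runtime privileges and resource thresholds described above can be modelled as a single admission check. The following is an added example written for this post, not HyperForm's own code; the policy limits, the user-to-network entitlement map and the deployment request are constructed, and the rule that any cap-add or privileged flag needs approval is an assumption about how such a policy would be configured.

```python
"""Admission check for a container deployment request (added example).

Models three checks from the post: network entitlements (deny + violation
alert), runtime privileges (privileged / cap-add need Cluster Admin approval)
and resource thresholds (container count, CPU, memory). Values are assumed.
"""
from dataclasses import dataclass, field


@dataclass
class ClusterPolicy:
    max_containers: int = 5       # default limit per application deployment
    max_cpu: float = 2.0          # CPUs a single container may request
    max_memory_mb: int = 2048     # memory a single container may request


@dataclass
class Container:
    name: str
    cpu: float
    memory_mb: int
    privileged: bool = False                          # access to all host devices
    cap_add: list = field(default_factory=list)       # extra Linux capabilities
    networks: list = field(default_factory=list)      # networks to attach to


def evaluate_deployment(containers, policy, entitled_networks, user):
    """Return (decision, reasons, alerts); decision is allow / needs_approval / deny.

    A network the user is not entitled to is a hard deny with a violation
    alert; privilege or threshold excursions route to an approval workflow.
    """
    reasons, alerts = [], []
    if len(containers) > policy.max_containers:
        reasons.append(f"{len(containers)} containers exceed limit {policy.max_containers}")
    allowed = entitled_networks.get(user, set())
    for c in containers:
        if c.privileged:
            reasons.append(f"{c.name}: privileged flag grants access to all host devices")
        if c.cap_add:
            reasons.append(f"{c.name}: cap-add {sorted(c.cap_add)} adds Linux capabilities")
        if c.cpu > policy.max_cpu or c.memory_mb > policy.max_memory_mb:
            reasons.append(f"{c.name}: {c.cpu} CPU / {c.memory_mb} MB exceeds thresholds")
        for net in c.networks:
            if net not in allowed:
                alerts.append(f"network violation: {user} tried to attach {c.name} to {net}")
    if alerts:
        return "deny", reasons, alerts
    if reasons:
        return "needs_approval", reasons, alerts
    return "allow", reasons, alerts
```

The 3-tier layout from the segmentation bullet (web on one network, database on another, application server on both) passes as "allow" for an entitled user, while a privileged sidecar or an attach to a network the user is not entitled to is routed to approval or denied with an alert.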


While containers have been the driving force behind efforts to accelerate software development, existing management platforms are still lacking the features needed to enable IT to manage containers and the underlying infrastructure, from on-premises datacenters to public clouds. IT can often struggle with providing the security, networking, quota policies and access controls needed to ensure that developers are deploying standardized applications in the right environment and under the right governance policies.

HyperForm, the core DevOps and Cloud Automation engine in HyperCloud™, addresses these challenges and provides 5 layers of security to ensure the security of applications.

Sign up for HyperForm SaaS or download HyperForm On-Premises to get access to security features that can protect your applications from denial of service attacks and data loss.


Amjad Afanah

VP of Product at HyperGrid. Previously the co-founder & CEO of DCHQ, which is now HyperCloud™ Portal, the management console of HyperCloud™, providing integrated compute, storage, networking, application and container services in a full-stack offering that is delivered on premises and on a pay-as-you-go consumption model. The self-service library in HyperCloud enables self-provisioning of infrastructure, storage, network, container, and application services on HyperCloud™ as well as 15 other clouds and virtualization platforms – like VMware vSphere, OpenStack, Microsoft Hyper-V, Amazon Web Services, Microsoft Azure and others.

Prior to founding DCHQ, he was a senior product manager at VMware, where he managed strategic products in cloud management & automation for almost 3 years. He also held a product management role for 5 years at Oracle, where he focused on application and middleware management capabilities. He holds a bachelor's degree in computer science from MIT and an MBA degree from UCLA.
