Google, IBM Partner to Tighten Container Security
Among the ways proposed to secure application containers and micro-services as they proliferate in datacenters is more rigorous oversight of the software supply chain.
With those security considerations in mind, Google, IBM and a host of infrastructure partners said this week they are collaborating to address the security challenges faced by developers as micro-services go mainstream and the pace of software updates compresses from months to hours.
The partners said Thursday (Oct. 12) they are launching an open source project called Grafeas designed as "a central, structured knowledge base of the critical metadata [needed] to govern your software supply chain." The effort addresses the security challenges inherent in the shift from hardware receiving quarterly software updates to continuous delivery via ephemeral containers.
"Software development today is more rapid, more distributed and more dynamic," Jason McGee, vice president of IBM Cloud Platform, stressed in a blog post announcing the open source release of the Grafeas project. "However, these changes do not eliminate the need to understand and control the software supply chain: You still need to know who built what."
Other members of the open source effort include Aqua Security, Black Duck Software, CoreOS, JFrog, Red Hat (NYSE: RHT) and TwistLock.
Google describes the project as an open source API designed to audit and govern the software supply chain.
In launching Grafeas ("scribe" in Greek), Google also said it is releasing a "policy engine" called Kritis, based on its Kubernetes container orchestrator. The tool is designed to help developers "enforce more secure software supply chain policies," Google engineers noted in a separate post. It also provides real-time enforcement of container properties, including container image properties, when workloads are deployed to Kubernetes clusters, Google (NASDAQ: GOOGL) said.
The collaborators noted that securing the software supply chain is getting tougher as the pace of enterprise hybrid cloud deployment quickens. Developers "find it hard to maintain 360-degree visibility into operations across such diverse environments," Google noted.
In addition, the shift to micro-services and ephemeral containers is making it harder to keep track of all pieces while synching more moving parts. "As a result, organizations generate vast quantities of metadata, all in different formats from different vendors and are stored in many different places," Google noted. "Without uniform metadata schemas or a central source of truth, CIOs struggle to govern their software supply chains."
Among other things, Grafeas is designed to store metadata keyed by unique code identifiers such as a container image digest. That allows metadata about a component to be collected from many repositories and stored against the same identifier.
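To make the digest-keyed model and the deploy-time policy check concrete, here is an added Python sketch that is not Grafeas or Kritis code and does not use their APIs: a metadata store keyed by image digest, plus an admission check that refuses tag-referenced images, images without a trusted build record, and images carrying vulnerabilities above a threshold. All digests, registry names, builder names and vulnerability ids are constructed.

```python
import re

# Constructed toy model of a Grafeas-style, digest-keyed metadata store and a
# Kritis-style deploy-time policy check. Not the projects' own code or API.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")

# Constructed sample digests and metadata from different "vendors" (a CI
# system, a vulnerability scanner), all keyed by the immutable image digest.
GOOD, BAD = "sha256:" + "a" * 64, "sha256:" + "b" * 64
STORE = {
    GOOD: [{"kind": "BUILD", "builder": "ci.example.internal"},
           {"kind": "VULNERABILITY", "severity": "LOW", "id": "VULN-EXAMPLE-1"}],
    BAD:  [{"kind": "BUILD", "builder": "ci.example.internal"},
           {"kind": "VULNERABILITY", "severity": "CRITICAL", "id": "VULN-EXAMPLE-2"}],
}
POLICY = {"trusted_builders": {"ci.example.internal"}, "max_allowed_severity": "MEDIUM"}

def parse_image_ref(ref):
    """Return the digest of a digest-pinned reference (repo/app@sha256:...),
    or None for a mutable tag reference such as repo/app:latest."""
    if "@" not in ref:
        return None
    digest = ref.rsplit("@", 1)[1]
    return digest if DIGEST_RE.fullmatch(digest) else None

def evaluate_image(ref, store, policy):
    """List policy violations for one image reference (empty list = admit)."""
    digest = parse_image_ref(ref)
    if digest is None:
        return ["image must be pinned by digest, not tag"]
    records = store.get(digest, [])  # unknown digest -> no metadata -> denied
    violations = []
    # Provenance: require a build record from a builder we trust.
    if not any(r["kind"] == "BUILD" and r["builder"] in policy["trusted_builders"]
               for r in records):
        violations.append("no build record from a trusted builder")
    # Vulnerabilities: block anything above the allowed severity.
    limit = SEVERITY_RANK[policy["max_allowed_severity"]]
    for r in records:
        if r["kind"] == "VULNERABILITY" and SEVERITY_RANK[r["severity"]] > limit:
            violations.append(f"{r['severity']} vulnerability {r['id']}")
    return violations

def admit_pod(pod, store, policy):
    """Map each container name to its violations; admit only if all are empty."""
    return {c["name"]: evaluate_image(c["image"], store, policy)
            for c in pod["containers"]}

if __name__ == "__main__":
    pod = {"containers": [
        {"name": "api", "image": "registry.example/api@" + GOOD},
        {"name": "worker", "image": "registry.example/worker@" + BAD},
        {"name": "sidecar", "image": "registry.example/sidecar:latest"}]}
    for name, problems in admit_pod(pod, STORE, POLICY).items():
        print(name, "ADMIT" if not problems else "DENY: " + "; ".join(problems))
```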
IBM (NYSE: IBM) plans to deliver Grafeas and Kritis as part of its container service. Meanwhile, Red Hat said it would use the tools to boost security and automation features on OpenShift. Red Hat previously announced a partnership with Black Duck to run secure applications on Red Hat's Linux containers.
CoreOS will look to integrate Grafeas with its enterprise Kubernetes platform Tectonic, particularly for container image security.