The update goes by the lengthy name of IBM LinuxONE Secure Service Containers, which also explains much of its mission: securing containers. This includes bolstering the embedded security of Docker Enterprise Edition without a need to change the software.
Mark Figley, director of IBM’s LinuxONE offering, said the company was targeting Docker and Kubernetes as both platforms have become the most popular among enterprises looking to drive down the container path. Figley said a lot of enterprises have not yet moved to more fully embrace containers due to ongoing security concerns.
The IBM platform includes automatic encryption of data both in transit and at rest, plus protection during installation and at runtime.
Though not directly related, Docker Inc. last month added EE platform support to IBM’s z Systems on top of the previously supported Windows and Linux environments. The addition allows customers on mainframes to tap a single platform for control over containers without the need to change code.
Figley explained that this week’s update began as work on IBM’s logical partition (LPAR) security product, which partitions a computer processor’s memory and storage. On top of that, IBM uses cryptographic technology and a trusted boot sequence, enforced in firmware, so that only a secure image can be booted.
“We automatically encrypt all data from the beginning so the user has to actively remove security,” Figley said. “This might not be the best fit for all enterprises, but it’s the best fit for those looking for maximum security.”
This level of security is also designed to satisfy service providers that incorporate the platform into cloud services offered to enterprise customers.
“Only the enterprise can access the data,” Figley said. “Service providers are not given access unless the enterprise grants that access.”
Figley said that in its attempt to provide maximum security, IBM uses a proprietary platform, which it views as superior to other products based on open source.
“There’s a lot you can do when you are an integrated and engineered solution from a security standpoint,” Figley said. “Somebody is going to point out that they can piece this together themselves with commodity pieces, and some could to an extent. But only if they do everything right and don’t miss something.”
Figley explained CIOs want to avoid having to rely on the number of steps necessary to hit that level of assurance. Instead, “they want something where they can flip the switch and it’s all secure.”
“Commodity solutions are engineers putting stuff together with tape and baling wire,” Figley said. “That’s not really as secure of a posture as a highly engineered solution.”
The IBM platform also looks to ease deployment concerns by taking master control over a system out of the hands of any single individual.
“The last thing a lot of these enterprises want is to have the keys to the kingdom in the hands of a select few or just one person,” Figley said.
Deployment concerns were echoed by a recent Gartner report, which explained that container security concerns are often due to the deployment method and not necessarily the technology itself.
“Containers are not inherently unsecure, but they are being deployed in an unsecure manner by developers, with little or no involvement from security teams, and little guidance from security architects,” the analyst firm said. “Traditional network and host-based security solutions are blind to containers.”