Security Think Tank: Combine SDN, containerisation and encryption to halt rogue code

How can organisations combine software-defined networking, containerisation and encryption to prevent rogue code from running freely across a corporate network?

The notion of compartmentalising data, systems, memory spaces and connections is far from new. Nonetheless, in the face of growing cyber security challenges and external pressures, measures that bring isolation and air gapping to the IT estate – whether physical or in the form of software abstraction layers – are of paramount importance against internal and external threats and cyber risk factors.

Central to this approach is the use of containerisation. Again, this is something that is not new or revolutionary, but rather an approach that has been overlooked for some time in favour of conventional virtualisation. However, in recent years we have seen containerisation used by everything from Netflix to Google to scale operations, secure data and systems and overcome many of the bottlenecks associated with hardware virtualisation. It is evidence that containerisation can no longer be ignored from an IT perspective.

IT containerisation can best be compared to a physical shipping container, just like the ones you see in ports, on ships and on lorries all around the world. These containers have one thing in common in all these environments: they are uniform. This applies to shape, size, mounting points, crane hooks and everything else.

This is possible because worldwide agreements have been reached between suppliers and logistics parties on a single standard for everyone. As a result, a physical container can be carried by ship, train or truck irrespective of location or the make and model of the vehicle; it is effectively platform-independent. This also allows considerably more containers to be loaded onto a ship than would be possible with a variety of sizes and interconnects.

Standardisation is therefore key – this carries over into the world of digital containerisation as well.

Improved performance, stability and standardisation

An application in a container doesn’t require a guest operating system (OS) or hypervisor as a virtual server does. Instead, the application runs in the OS user space – outside the higher-risk OS kernel, its critical processes and memory space. It is not a suitable approach for all applications and data, but where it is, it can offer improvements in performance, stability and standardisation.

One of the best-known names in the field of IT containerisation is Docker. As an organisation, it is one of the founders of the containerisation phenomenon we now see in the sector. Docker is often used as a collective name for containerisation, much like Google is for internet searching. Docker is software with which you create a “lightweight” container. In addition, various “mechanisms” are used to import, extract and encrypt software. The resulting software container is not only compact, but also platform- and hardware-independent, which contributes to a high degree of portability, scalability and optimal resource use.

With the right tooling, containers can be deployed automatically within workflows, encrypting the relevant data as they go. Containers can also bring permanent, structural change to a cloud landscape in which data is continuously shipped to and from the cloud – a transit that is itself a point of weakness and exposed to in-flight attack.

All this is only possible if everyone adheres to shared standards; the success of containerisation stands or falls on common adoption. On that basis, organisations can combine software-defined networking (SDN), containerisation and encryption to prevent rogue code from running freely across an otherwise undefended corporate network.

This software abstraction approach, which we have used in enterprise and carrier environments for many years with SDN, can effectively make the hardware a transparent commodity. With this we reduce the risk that the hardware can be a single point of security failure or a gateway to applications and data.

If the software layer is properly abstracted and encrypted, an intrusion theoretically has nowhere to go beyond the generic hardware and the physical network layer.
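As an added illustration of the combination described above (not part of the original article), the following Kubernetes manifests confine a containerised application to user space with no kernel capabilities, and use software-defined segmentation to deny every network path except the one it needs. The namespace, pod and label names, the image reference and the port are assumptions chosen for the example.

```yaml
# Added example, not from the article. Names, labels, image and port are
# assumptions chosen for illustration.
---
# Container hardening: the workload runs unprivileged in user space with
# all kernel capabilities dropped and a read-only root filesystem.
apiVersion: v1
kind: Pod
metadata:
  name: api
  namespace: payments
  labels:
    app: api
spec:
  automountServiceAccountToken: false
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
  containers:
    - name: api
      image: registry.example.internal/api:1.0   # placeholder image
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
---
# Software-defined segmentation: selecting Ingress and Egress with no
# ingress rules denies all inbound traffic; the single egress rule allows
# only the database dependency. Anything else the container tries to reach
# on the corporate network is dropped by the CNI plugin.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allowlist
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes: ["Ingress", "Egress"]
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: db               # assumed dependency label
      ports:
        - protocol: TCP
          port: 5432
```

Because the policy denies all other egress, the pod also cannot resolve DNS until an explicit rule permitting the cluster DNS service is added; that is deliberate here to show the default-deny posture. Enforcement depends on a CNI plugin that implements NetworkPolicy.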
