Podcast: Containers, Kubernetes, data protection and compliance

In this podcast we look at containers – as deployed via Kubernetes, for example – and how storage and backup of container-generated data impacts compliance, with Mathieu Gorge, CEO of Vigitrust.

We talk about the inherent complexity that comes with containers despite their overall advantages in making application workloads portable. The challenge this brings is to make tracking data potentially complex too, and the solution is to somehow manage container-generated data so that you remain compliant.

Gorge also talks about making sure you can demonstrate to regulators that you are in control of data created in containerised environments and that it is secure. The challenge of handling containers and their data is a relatively new one, and Gorge looks forward to forthcoming guidance from standards bodies.

Antony Adshead: What threats to legal and regulatory compliance do storage and backup for containers pose?

Mathieu Gorge: First of all, let’s look at a container and what it is. A container is an application including all its dependencies – the binaries, libraries, configuration files that are needed to run it. All of this is put together in a single package that can be moved in its entirety from one computing environment to another, including the cloud.

There are definite advantages, in that you can use different types of containers for different types of data, such as financial data, data pertaining to credit card holder information, or protected health information.

The challenge with all this is that you are essentially creating mini data spaces, and keeping track of where those data spaces are is paramount, otherwise you are defeating the purpose of isolating data by type, matching your data classification for instance which is something that you should be doing.

But in the end, you have a more complex environment. At RSA in San Francisco this year, there was a lot of talk about containers – about the difference between containers and virtualisation, as well as the similarities, because essentially it can be seen as the same thing except the virtualisation is a whole machine whereas the container is a data space.

But we also see a lot of talk about the dangers, [such as] making sure you keep track of where your data is located and you can apply the right backups and the right compliance frameworks to secure that data.

Adshead: What are the implications of these threats for storage and backup in particular?

Gorge: The main threat is regulatory, in terms of being able to demonstrate to regulators that you are in control of those containers, you are in control of the data, you know where the data is being moved, you have reason for moving the data, you keep data location totally accurate at all times. Think of GDPR [the EU General Data Protection Regulation] and its basic requirements to keep data accurate and secure at all times – and to do that, you need to know where it is.

You need to invest in technology that allows you to manage the containers and to map out the containers at all times so that if something goes wrong you can isolate the data, or you can back it up and rebuild it, but at no stage do you lose control of the data.

And the way to do that is through training and policies. There are some new technologies out there around container management, specifically in the cloud. In fact, the Cloud Security Alliance has published some very good papers around that, looking at what is a data container and what are the security implications, how do I secure it, how do I keep track of it?

This is kind of new. It’s an area I would highly recommend you watch, and there will be some new publications expected from NIST and other frameworks around container management and container security. I think we need to be aware of that and to put that in the overall security strategy for data compliance and storage.