View From Navigation Bridge To A Large Wave Crashing Into Bow Of Container Ship In The Stormy Sea.

Containers, Churn and A Changed Attack Surface

Microservices and containers have recently seen tremendous widespread adoption, as evidenced by the near tripling of the crowd attending KubeCon Austin in December. Enterprises are seeking the business benefits of rapid application innovation, while at the same time having to navigate a changed attack surface. Cloud native applications have more moving parts with new security implications, particularly around East-West network traffic and the potential for lateral movement. The containers and microservices that comprise a cloud native application architecture are dynamic and create a different attack surface. Containerized architectures have exponentially greater network churn when compared to traditional or VM-based architectures, and that churn is driven by two factors: container proliferation and container lifespan.

  • Container Proliferation: Monolithic and VM-based applications are relatively stable with few instances to protect while containerized applications use an order of magnitude more instances. A recent survey of Docker deployments showed a median of ten containers per host, however some users went up to 95 containers per host. Ten containers per host means 10X the number of instances that IT security needs to watch compared to a monolithic application.  
  • Container Lifespan: Containers and microservices-based applications running in containers are dynamic and usually ephemeral. For organizations running Docker, the typical lifetime of a container is less than a day. Compare that to traditional and cloud-based VMs that have an average lifespan of 23 days.  This translates into around 25X shorter lifespan.  

When you combine 10X instances with a 25X shorter lifespan, you get 250X more network churn – which means 250x the number of workloads being created, IP addresses being dynamically assigned and advertised, workloads being destroyed and IP addresses being recycled.  

Traditional security solutions that grew up with less dynamic VM infrastructure struggle to adapt to this dramatically more dynamic and demanding environment.  IT Security shops strive to protect this new attack surface by controlling against lateral movement as well as dynamically enforcing policy to meet security and compliance mandates. Traditional IT Security approaches of custom automation and manual firewall provisioning were designed for an era before the dynamic requirements of cloud native applications. Tigera CNX was designed from the ground up for this churn and provides container-optimized security built on Zero Trust to defend against lateral movement threats in the cloud native world.