This post was co-authored by Guido Appenzeller, CTSO of Networking and Security (@appenz), and Scott Lowe, Engineering Architect, Networking and Security Business Unit (@scott_lowe).

In today’s business environment, companies are being asked to go faster than ever before: faster time to market, faster response to customers, faster reactions to market shifts. Having a good idea isn’t enough; companies also need to get it to market fast and quickly iterate on improvements to that idea. Speed is a competitive advantage.

The phenomenal success of the open source Docker project is a reflection of the pressure on companies to go faster. Companies across all industries have recognized that successful development teams can be a competitive differentiator. However, developers needed a way to simplify and accelerate the development and deployment of applications and code, and found Docker was one way to help accomplish that. Docker has won a place in the hearts and minds of many developers for its ability to help simplify the development and deployment of many different types of applications.

At the same time, companies face a bewildering array of security threats. Security and compliance remain as important as ever, if not more important. Yes, companies need to go faster—but they need to do it safely. Data must be safeguarded. Customer privacy must be maintained. Code confidentiality must be ensured. IT needs controls to protect the company’s assets, but it needs those controls to be able to move at the new speed of business: faster. Unfortunately, traditional controls typically can’t move fast enough, and this often results in friction between IT (who wants/needs to move more slowly in order to ensure the proper controls are in place) and the business (who wants/needs to move more quickly in order to keep up the pace of the market).

Here at VMware, what we’ve observed in our discussions with customers appears, at first glance, to be something of a paradox. While it appears that IT controls are in opposition to allowing companies to move faster, the reality is that the right controls enable greater speed. When organizations have security controls that were expressly designed to operate at the scale and speed that businesses require, this friction between IT and the business goes away. The business is able to accelerate, confident in the fact that the security and integrity of its systems are properly safeguarded.

This is where Docker and VMware are jointly attacking the problem of providing the right security controls. Docker is approaching this from the perspective of enabling powerful networking and security functionality within the Docker Engine via the release of libnetwork. (More information about libnetwork is available in the libnetwork GitHub repository.) VMware is leveraging libnetwork to bring microsegmentation using strong, policy-driven stateful firewalling to Docker container environments via VMware NSX.

Until the release of VMware NSX, microsegmentation was a dream that simply wasn’t operationally feasible. Through the application of network virtualization technologies, VMware NSX makes true microsegmentation available to organizations of every size. It’s possible now to truly provide stateful firewalling for every workload in the data center. Using a policy-driven approach ensures security policies are automatically applied at scale. Organizations now have controls that can move at the new speed of business.

Until the release of libnetwork, companies that wanted to bring advanced networking and security functionality to Docker environments were limited in what they could do. Through libnetwork’s pluggable architecture, networking and security partners can bring new features and new functionality to Docker environments without compromising the simplified user experience that drew so many developers to Docker in the first place.

This is why VMware is excited about the work that Docker is doing with libnetwork. Libnetwork enables networking and security partners like VMware to apply our microsegmentation technologies to microservice architectures built using Docker. Through the integration of network virtualization via libnetwork, customers will have the ability to apply strong, stateful firewalling to containers and VMs alike. Initially this integration will come through VMware’s ongoing support of the open source Open vSwitch project and the related Open Virtual Network (OVN) effort.

VMware NSX enables microsegmentation. Microsegmentation enables strong, granular security controls. Docker enables streamlined microservice architectures. And libnetwork enables VMware NSX’s strong microsegmentation to integrate with Docker’s microservice architectures.

With the combination of Docker, libnetwork, and VMware NSX, developers gain the ability to adopt technologies like Docker to speed their development and deployment processes, and IT is able to continue to apply the necessary security controls to protect valuable intellectual property and customer data without slowing things down. One might say it’s the best of both worlds.