The unique design of Red Hat's Linux-based container technology, OpenShift, addresses many of the security concerns that have previously troubled financial services companies, enabling them to explore the functionality of the technology more fully. Containers allow users to easily package an application into a single 'image' that can be promoted from development to production without change. By providing consistency across environments and multiple deployment targets (such as physical servers, virtual machines and private or public clouds), teams can more easily develop and manage applications that deliver business value.
This is particularly appealing to companies in the financial services industry, where customers are demanding faster access to applications and the ability to conduct more of their financial business virtually. Security remains the number one priority for both financial institutions and their customers, though, and our container solution addresses some of the key elements of essential security, such as improving the security of the container platform itself and of the images that are consumed by this platform.
In the past, application development was plagued by what we refer to as verticalised applications, where there was application specific code at all levels of the stack, from the data tier at the metal right up to the UI itself. Red Hat OpenShift delivers an application as a currency that can be distributed anywhere where containers can be hosted.
When users start up applications, they reach down into the operating system and require specific versions of the platform and the database. With our technology this is all abstracted into the container. Red Hat OpenShift restricts many of the vulnerabilities that might have been exploited on Docker or Kubernetes, introducing 'military level' security features and sandboxing every aspect of the containers in a highly configurable way. This makes the container technology itself more complex to implement, which benefits the end users by simplifying the application, and once the applications are up and running they can be immutable aside from data. This is facilitated by the operating system that underpins the container orchestration and provides added security.
RHEL
Red Hat Enterprise Linux comprises a number of objects and processes to which rules can be applied through a technology called SELinux (Security-Enhanced Linux), which provides control over denying or allowing capabilities and so helps protect the host system on which the containers run.
We also have a mechanism called MCS (multi-category security) that allows sub-rules to be set up within a process, allowing sub-labelling of these processes to control and deny access from container to container.
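To make the MCS point concrete, here is an added example (not Red Hat or OpenShift code) that parses SELinux contexts in the form container runtimes assign and applies the MCS dominance rule, which is what stops one container's processes from reading another container's files even though both run as the same SELinux type. The labels are constructed sample values; a real check also passes through type enforcement, which this example does not model.

```python
"""MCS category check for container contexts (added illustration, constructed data)."""
import re
from dataclasses import dataclass

# user:role:type:level, where level is "s0" or "s0:c123,c456" or a range "s0:c1.c5"
_CTX_RE = re.compile(r"^(?P<user>[^:]+):(?P<role>[^:]+):(?P<type>[^:]+):(?P<level>.+)$")


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    sensitivity: int
    categories: frozenset


def parse_context(label: str) -> Context:
    """Split an SELinux context string into its fields; expands category ranges."""
    m = _CTX_RE.match(label)
    if not m:
        raise ValueError(f"not an SELinux context: {label!r}")
    sens, _, cat_part = m.group("level").partition(":")
    cats = set()
    for item in filter(None, cat_part.split(",")):
        lo, _, hi = item.partition(".")          # "c1.c5" means c1 through c5
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        cats.update(range(lo_n, hi_n + 1))
    return Context(m.group("user"), m.group("role"), m.group("type"),
                   int(sens[1:]), frozenset(cats))


def mcs_allows(subject: Context, obj: Context) -> bool:
    """MCS dominance: the subject's level must dominate the object's level, i.e. its
    sensitivity is at least the object's and its category set contains every category
    of the object. An object with no categories (e.g. a volume mounted with :z) is
    reachable by every container; one with foreign categories is not."""
    return subject.sensitivity >= obj.sensitivity and obj.categories <= subject.categories


# Constructed sample labels: two containers, each given its own category pair by the runtime.
SAMPLE_PROCESSES = {
    "container-a": "system_u:system_r:container_t:s0:c123,c456",
    "container-b": "system_u:system_r:container_t:s0:c222,c789",
}
SAMPLE_VOLUMES = {
    "a-data": "system_u:object_r:container_file_t:s0:c123,c456",
    "b-data": "system_u:object_r:container_file_t:s0:c222,c789",
    "shared": "system_u:object_r:container_file_t:s0",
}


def access_matrix(processes=SAMPLE_PROCESSES, volumes=SAMPLE_VOLUMES):
    """Return {(container, volume): allowed} for every container/volume pair."""
    return {(c, v): mcs_allows(parse_context(cl), parse_context(vl))
            for c, cl in processes.items() for v, vl in volumes.items()}
```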
In addition, we use a Linux kernel feature that enables resource control for the container, limiting its access to resources on the operating system. This is important because without controls the container could consume all the resources of the host on which it is running (the classic 'noisy neighbour' scenario).
Namespace Controls
A crucial element of Red Hat OpenShift security features is the use of the underlying Linux 'Namespaces', which control exactly what the container can do by using the PID namespaces and network namespaces within the operating system (namespaces are a feature of the Linux kernel that isolates and virtualises system resources for a collection of processes).
RHEL Atomic Host
One of the most interesting aspects of our container security strategy is the use of Red Hat Enterprise Linux Atomic Host, which is essentially a stripped-down version of the operating system designed to run Containers. Combined with OpenShift and the Kubernetes project to which Red Hat contributes – which has a very strict enforcement policy for how an application is deployed in terms of replicas (the number of copies to run) and where the containers are deployed – this creates a highly efficient and more secure container orchestration system.
OpenSCAP
Another useful feature is the ability to use OpenSCAP to scan container images for security issues. OpenSCAP is an open-source, standardised compliance checking solution that checks system configuration settings and examines systems for signs of compromise, using rules based on standards, specifications and exploit profiles.
Most financial services institutions have a public-facing side to their business, and they are realising that containers are easier to secure and control and that the infrastructure on which they run is much tighter. This offers the prospect of improved application and data security. The concept of moving to a containerised system presents a significant opportunity for many financial services institutions running hundreds or even thousands of different machines and applications, because they can get a single view of every application. Rather than running each application on a separate virtual machine, they can run them as containers on appropriately hardened hosts, providing massive multi-tenancy and much better efficiency of host usage as well.
Deploying and running containers more securely is a lot like securing any running process. You need to think about security throughout the layers of the solution stack before you deploy and run your container, as well as throughout the application and container life cycle. Of course, a container platform also needs to provide an experience that works for developers and operations teams. Red Hat OpenShift is about hosting applications properly, making it easier to write and manage them. This can reduce costs because operations teams are no longer firefighting – they have a single point of control and security access.
The technology addresses most of the day-to-day issues that kept developers away from developing. In the past, the majority of the code written was boilerplate: setting up security features, high availability, service discovery, and so on. Red Hat OpenShift abstracts these concepts away from the application, enabling developers to focus on functionality. This in turn moves the configuration for the application away from the application codebase, giving operations teams the abstracted level of control they never had with verticalised applications.
Please use the comments section below to share your thoughts and let us know how we can work together to make your adoption of Containers more secure and simplified.