We're tackling container security at scale with VMware

Apr 20, 2015



4 min read

For many large organizations, VMware is the gold standard when it comes to running applications in virtual environments. Its technology is secure, integrated with everything and proven to work in enterprise datacenters. So as VMware makes its foray into the world of application containers -- with two new open source projects, no less -- Mesosphere is proud to be an important part of the story.
VMware has announced Project Photon, a lightweight runtime environment for running application containers, including Docker and rkt (formerly Rocket), alongside virtual machines. Among other things, Project Photon is designed to enhance container security by providing increased levels of security and isolation.
VMware is also announcing Project Lightwave, an identity access and management system designed for containers and open sourced. It is based on VMware's existing IAM technology for virtual machines, and as a result contains enterprise-class features. Among them is support for container authentication and authorization, so multiple applications and teams within a company can share resources without the risk of something, or someone, accessing something they shouldn't.
VMware brings security to the container party, and Mesosphere brings scale. Users can deploy our Datacenter Operating System on top of Project Photon, essentially bringing VM-level isolation to containers running on a platform -- DCOS -- that's proven to scale across thousands of physical nodes. Apache Mesos, the core of DCOS, already runs at scale in companies such as Twitter, Netflix and Yelp, and natively supports big data technologies such as Hadoop, Spark and Cassandra.
By integrating Project Lightwave with the Mesosphere DCOS, enterprises can deploy large-scale container workloads and be confident that these workloads are authorized and that the users deploying them have the rights to do so. For example, when datacenter operators install new DCOS services, such as Cassandra or Kafka, they will have to verify their identity and the service itself will have a certificate that authenticates the binary. Everything running on your DCOS will have been authenticated with Lightwave, so you know there is nothing unauthorized running on your system. Lightwave will help prevent employees and intruders from accessing data and applications they don't have access to, or from launching containers in unauthorized manners or locations.
"Just like on my laptop, the programs and files I am allowed to open are governed by my identity. The same is true in the datacenter," said Benjamin Hindman, Chief Architect and Co-Founder at Mesosphere. "The sets of services I run are governed by the policies set by the enterprise. So: when I run commands on the command line, DCOS can be checking my permissions with Lightwave."
Project Lightwave also supports the Kerberos machine-to-machine authentication protocol, which DCOS also supports.
Further, Mesosphere is working with VMware to integrate DCOS with the Open Virtual Network project that was announced in January. OVN is related to Open vSwitch, and will allow for Layer 2 and Layer 3 network virtualization capabilities such as security groups.
The collaboration between Mesosphere and VMware on OVN will eventually allow Mesosphere customers to enact fine-grained isolation at the network level. They'll be able to cordon off sensitive data, services and applications from the rest of the DCOS cluster, and help prevent intruders from who might gain access to a particular container or physical node from going any further.
It's a complicated time in the world of IT: While high-profile security breaches and cyberattacks increase in prevalence, companies want to take advantage of new methods for building, deploying and scaling their applications. We're happy to help them do it without fear they're mortgaging the future of their businesses.

Ready to get started?