To containerize or not to containerize? That is “the question” when it comes to cloud-based applications.
To discuss cloud application security and maintainability best practices and lessons learned, Jeff Schlauder, Founder at Catalina Worldwide LLC, joined a recent episode of The Virtual CISO Podcast. The show is hosted by John Verry, Pivot Point Security CISO and Managing Partner.
Containers are the way to go
As AWS specialists, Jeff’s team containerizes nearly every application they build. He acknowledges that some people believe that containers introduce complexity. But containers done right can bring a higher level of uniformity and consistency.
The containerization process can also shake out early warning indicators of vulnerabilities that are easier to correct early on. Jeff also notes that containers help make the application environment more scalable.
“When you containerize, your infrastructure becomes code and it’s easier to workflow automate everything,” adds John.
Are containers really harder?
Looking at AWS and all its built-in features for containers, such as the Elastic Container Registry (ECR), once you have instantiated a process, containers are straightforward to spin up.
“One of the misconceptions is that containers are more complicated,” says Jeff. “But once you have a process in place for how you’re going to build them, the deployment, the management, the visibility into what’s actually going to be in production and how it will run… the scalability… It’s actually harder to do that when you’re not in a container than when you are.”
Jeff notes that he frequently shows clients operationally how containers work in AWS to help them “get their head around what choice should I make here.”
“Like, let’s go look at ECR and see now that you have your container registered, what capabilities does that give you within AWS that you wouldn’t otherwise have?” describes Jeff.
ECS versus Kubernetes
For AWS users, is Kubernetes a viable containerization choice, versus Amazon’s built-in Elastic Container Service (ECS)?
“It really depends on who’s going to be managing it,” states Jeff. “There’s no doubt—in my mind, anyway—that based on our experience ECS is easier to wrap your head around. It’s easier to learn and manage. Kubernetes is just a bigger beast, right? The payoff is there if you have the knowledge and understand Kubernetes and need that level of visibility and portability.”
But in Jeff’s view, use cases for moving your clusters off of AWS are rare. Whereas sticking with Amazon’s container flavor gives you easy access to a wide range of AWS services that you wouldn’t have using Kubernetes on AWS.
To enjoy this podcast episode with cloud app security expert Jeff Schlauder in its entirety, click here.
Looking for guidance on API security within your application security program? Check out this blog post: Application Security and API Security are Becoming Synonymous—Are You Ready?