
Can Contiv automate policies for container platforms?

Cisco's new project Contiv automates operational policies for containerized applications in the cloud. Expert Dan Sullivan explains the benefits of this open source tool.

Cisco recently introduced a new open source project called Contiv that's designed to automate operational policies for containerized applications in the cloud. How does Contiv accomplish this, and is this something that security managers should look at to help with deploying security policies for a container platform?

Containers are often described as lightweight virtual machines, but they are not VMs: a container is a group of ordinary processes that the host kernel isolates with operating system-level controls (on Linux, namespaces and cgroups) and confines to a subset of the available resources, such as CPU and RAM. Because containers share the host kernel rather than booting their own, they start in a fraction of the time a VM needs, but a kernel vulnerability is also shared by every container on the host. Containers run natively on an operating system; for now, Linux is the most frequently used container host OS.

Docker is the most popular container platform, combining tools for building container images and for running them. The docker build command, for example, reads a Dockerfile, a plain-text list of build instructions, and produces an image containing exactly the specified components. This is a powerful and flexible way to deploy consistent images and share them within and across organizations, which in turn supports well-established DevOps practices such as continuous integration and automated testing.

Docker also supports scalable microservices. As demand for a service rises or falls, additional containers can be started from the same image or stopped, adding or removing instances of the microservice.

This kind of flexibility can lead to management chaos if not properly coordinated. Contiv is an open source tool designed to help DevOps professionals manage a large number of containers in a dynamic environment. Contiv lets administrators define network, compute and storage policies related to containers. This streamlines the process of keeping deployed containers compliant with infrastructure policies.

The most important of these policies cover security controls; network services such as firewalls and load balancers; resource allocation such as bandwidth and latency guarantees; storage; and, of course, access to compute resources.

Two specialized projects are currently underway: Contiv Network, which addresses network services, and Contiv Volume, for storage services. Contiv could be used to implement a declarative infrastructure, often called infrastructure as code. This matters from a security perspective because the policy is written down once, can be reviewed like any other code, and is applied the same way to every container, which reduces the chance that an individual container is deployed with a missing or misconfigured control. The declared policy also gives security managers something concrete to audit running containers against.
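The policy model described above is easiest to reason about with a concrete evaluator. The following Python is an added illustration written for this column, not Contiv's code: it borrows the Contiv-style concepts of endpoint groups and per-group rules (direction, protocol, port, peer group, action, priority), applies a default-deny decision when no rule matches, and audits a list of observed container-to-container flows for drift from the declared policy. The group names, policies, container membership and flows are all constructed for the example.

```python
"""Toy evaluator for a declarative container network policy.

Added illustration, not Contiv's implementation. It models endpoint groups
with per-group rules, decides each observed flow with default deny, and
reports flows the declared policy does not permit. All names and sample
data below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    direction: str                    # "in" (ingress to the group) or "out" (egress from it)
    action: str                       # "allow" or "deny"
    protocol: Optional[str] = None    # None matches any protocol
    port: Optional[int] = None        # None matches any destination port
    peer_group: Optional[str] = None  # None matches any peer group
    priority: int = 0                 # the highest-priority matching rule wins


@dataclass
class Policy:
    name: str
    rules: List[Rule] = field(default_factory=list)

    def decide(self, direction: str, protocol: str, port: int, peer: Optional[str]) -> str:
        """Decide one flow for this group; no matching rule means deny (default deny)."""
        best: Optional[Rule] = None
        for r in self.rules:
            if r.direction != direction:
                continue
            if r.protocol is not None and r.protocol != protocol:
                continue
            if r.port is not None and r.port != port:
                continue
            if r.peer_group is not None and r.peer_group != peer:
                continue
            if best is None or r.priority > best.priority:
                best = r
        return best.action if best is not None else "deny"


Flow = Tuple[str, str, str, int]  # (src container, dst container, protocol, dst port)


def audit(flows: List[Flow], membership: Dict[str, str],
          policies: Dict[str, Policy]) -> List[Tuple[Flow, str]]:
    """Return (flow, reason) for every observed flow the declared policy does not permit.

    A flow is compliant only if the source group's egress rules and the
    destination group's ingress rules both allow it. A container that is not
    assigned to any group is reported rather than silently allowed.
    """
    violations: List[Tuple[Flow, str]] = []
    for flow in flows:
        src, dst, proto, port = flow
        sg, dg = membership.get(src), membership.get(dst)
        if sg is None or dg is None:
            violations.append((flow, "container not assigned to any group"))
        elif policies[sg].decide("out", proto, port, dg) != "allow":
            violations.append((flow, f"egress from group {sg} denied"))
        elif policies[dg].decide("in", proto, port, sg) != "allow":
            violations.append((flow, f"ingress to group {dg} denied"))
    return violations


# Declared policy (constructed): lb -> web:443 and web -> db:5432; everything else denied.
POLICIES: Dict[str, Policy] = {
    "lb":  Policy("lb",  [Rule("out", "allow", "tcp")]),  # lb may open any TCP connection
    "web": Policy("web", [Rule("in", "allow", "tcp", 443, priority=10),
                          Rule("in", "deny", "tcp", None, priority=0),  # explicit catch-all
                          Rule("out", "allow", "tcp", 5432, "db")]),
    "db":  Policy("db",  [Rule("in", "allow", "tcp", 5432, "web")]),
}
MEMBERSHIP: Dict[str, str] = {"lb-1": "lb", "web-1": "web", "web-2": "web", "db-1": "db"}

# Observed flows (constructed), as a flow log or sampling tool might report them.
OBSERVED: List[Flow] = [
    ("lb-1", "web-1", "tcp", 443),      # expected path
    ("web-2", "db-1", "tcp", 5432),     # expected path
    ("web-1", "db-1", "tcp", 22),       # SSH from the web tier to the database: not declared
    ("lb-1", "db-1", "tcp", 5432),      # load balancer bypassing the web tier
    ("debug-1", "db-1", "tcp", 5432),   # container started outside any group
]


def audit_sample() -> List[Tuple[Flow, str]]:
    """Run the audit over the constructed sample; the last three flows are violations."""
    return audit(OBSERVED, MEMBERSHIP, POLICIES)


if __name__ == "__main__":
    for flow, reason in audit_sample():
        print(f"VIOLATION {flow}: {reason}")
```

The two checks worth copying into a real deployment are the default-deny fallthrough in decide (an endpoint group with no rules gets nothing, not everything) and the treatment of unlabeled containers as findings: a container that drifts outside the policy model is exactly the one the declarative approach is meant to prevent.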
