{"id":325,"date":"2016-12-01T16:00:40","date_gmt":"2016-12-01T16:00:40","guid":{"rendered":"http:\/\/redmonk.com\/fryan\/?p=325"},"modified":"2016-12-01T16:18:09","modified_gmt":"2016-12-01T16:18:09","slug":"containers-in-production-is-security-a-barrier-a-dataset-from-anchore","status":"publish","type":"post","link":"https:\/\/redmonk.com\/fryan\/2016\/12\/01\/containers-in-production-is-security-a-barrier-a-dataset-from-anchore\/","title":{"rendered":"Containers in Production \u2013 Is Security a Barrier? A Dataset from Anchore"},"content":{"rendered":"

Over the last week we have had the opportunity to work with an interesting set of data collected by\u00a0Anchore<\/a> (full disclosure: Anchore\u00a0is a\u00a0RedMonk<\/span><\/a>\u00a0client). Anchore collected this data by means of a user survey ran in conjunction with DevOps.com<\/a>. While the number of respondents is relatively small, at 338, there are some interesting questions asked, and a number of data points which support wider trends we are seeing around container usage. With any data set of this nature, it is important to state that survey results strictly reflect the members of the DevOps.com community.<\/span><\/p>\n

The data set covered a number areas including container usage and plans, orchestration tools, operating system choices, CI tools and security. For this post we will be focusing on the data around containers and CI.<\/span><\/p>\n

The Population<\/span><\/h2>\n

Our population breaks out with over 60% working in companies of greater than 100 people, and with an interesting distributio<\/span>n across a variety of roles.
\n<\/p>\n

\"anchore-company-size-waffle-clean\"<\/a><\/div>\n

<\/span><\/p>\n

\"anchore-roletypes-waffle-clean\"<\/a><\/div>\n

Container Usage Breakdown<\/span><\/h2>\n

Matching other trends that we are tracking approximately one third of the participants are running containers in production, with development coming in slightly higher.<\/span><\/p>\n

\"anchore-cu\"<\/a><\/div>\n

Security as a Question<\/span><\/h2>\n

One of the most interesting aspects of this survey data was the focus on security. In particular we found it interesting to see what type of security policies that enterprises running in production had versus those that did not. <\/span><\/p>\n

\"anchore-sec-breakout\"<\/a><\/div>\n

It is particularly interesting to see that companies were far more likely to be running in production where they had a defined policy in place. There a lot of underlying aspects to drill into here, but at its highest level developer enthusiasm for a technology rarely runs as far as security, and almost never considers some of the more detailed compliance nuances that an enterprise must consider. <\/span><\/p>\n

Bluntly put this presents a barrier to adoption, and an opportunity for conservative organisations to hold off on adopting new technologies. <\/span><\/p>\n

CI\/CD and The Enterprise On Ramp<\/span><\/h2>\n

Here at RedMonk we have been talking about the importance of CI\/CD as the on-ramp for all things cloud native,<\/a> and have seen Jenkins taking a strong lead over other tools. This trend is once again repeated in the Anchore data, with the combination of Jenkins and CloudBees<\/a> (commercial Jenkins) approaching 50%.<\/span><\/p>\n

\"anchore-cicd-overview\"<\/a><\/div>\n

As we would expect with the audience for this survey, the level of usage of CI\/CD is a good deal higher than we have seen in other areas. <\/span><\/p>\n

\"anchore-cicd-user-breakout\"<\/a><\/div>\n

Orchestration Tools<\/span><\/h2>\n

To say that the orchestration tools space is hot would be somewhat of an understatement. For the purposes of this analysis we have combined Red Hat\u2019s OpenShift and CoreOS Tectonic under the Kubernetes banner, and Apache Mesos and Mesosphere under the Mesos banner. <\/span><\/p>\n

\"anchore-orch-tools-overall\"<\/a><\/div>\n

We can see that Kubernetes and Docker Swarm have by far the most take up, with Kubernetes in a slight lead across all user types<\/span><\/p>\n

\"anchore-orch-tools-breakdown\"<\/a><\/div>\n

Interestingly Mesos still features strongly with architects. Among developer communities we very rarely hear Mesos mentioned anymore. On the other hand we frequently encounter architects have invested in Mesos from the perspective of their big data environments and are looking at a common approach for their container strategy. That said, this entire market is extremely fluid at the moment. <\/span><\/p>\n

A Look at the Operating Systems of Containers<\/span><\/h2>\n

Host Operating Systems<\/span><\/h3>\n

Rather unsurprisingly Ubuntu takes the lead in container host operating systems, but two other aspects of this data are also worthy of further comment. Firstly, the high usage of Amazon Linux is a reflection on the growth in usage of ECS, while the use of Alpine Linux<\/a> being used as a host operating system reflects usage of Docker for Mac.<\/span><\/p>\n

\"anchore-chos-overview\"<\/a><\/div>\n

Looking at the top five host operating systems across user roles we see Ubuntu having a particular strong lead among developers and architects.<\/span><\/p>\n

\"anchore-chos-breakout\"<\/a><\/div>\n

The usage of specialist operating systems is something that we see growing, but currently hitting a chasm point, something which Garret Rushgrove noted in a recent post<\/a>. \u00a0Among specialist operating systems CoreOS<\/a> has a lead, and Alpine<\/a> continues to grow, although as noted above part of this growth reflects the usage of Docker on Mac.<\/span><\/p>\n

\"anchore-chose-specalist-overview\"<\/a><\/div>\n

Container Image Operating Systems<\/span><\/h3>\n

Part of the promise of containers is simplified application stacks, with the ability to bundle everything required for an application, or components of application in a single package. Too often, however, people confuse this with an easy alternative to VMs. This is evident in this data as well, as we can see by the number of respondents who base their container images on full OS images.<\/span><\/p>\n

\"anchore-contimage-approach\"<\/a><\/div>\n

Looking at the choice of images, Ubuntu once again leads, with CentOS and RHEL as the next most popular. \u00a0<\/span><\/p>\n

\"anchore-cios-overview\"<\/a>
\n\"anchore-cios-breakout\"<\/a><\/div>\n

All of this raises some wider questions in terms of education. For most applications you do not need a full OS image. However, the reality is such that, in at least the medium term, many applications will be built on top of such images for a variety of reasons \u2013 be they simplicity and developer choice, or for operational reasons such as existing compliance procedures, security policies and so forth. <\/span><\/p>\n

That said, the idea of building containers from full OS images raises multiple questions from maintenance, security and deployment perspectives. The velocity of change for microservice based applications in containers raise a number of interesting challenges \u2013 from a developer perspective it is very easy to spin up and release a new version of a service. Indeed, slowing this process down in anyway is the very antithesis of everything a cloud native approach promises. <\/span><\/p>\n

This leads us to a very difficult operational problem \u2013 how do we ensure security, and understand the makeup of an application while still allowing developer velocity to increase. On the security front in particular we see developers reassuring themselves that being aware of CVE scores is more than enough security \u2013 this is no doubt a useful baseline, but it is far from enough.<\/span><\/p>\n

Disclaimers<\/b>: Anchore, Atlassian, IBM, Docker, RedHat, Amazon and CoreOS are current RedMonk clients. \u00a0<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

Over the last week we have had the opportunity to work with an interesting set of data collected by\u00a0Anchore (full disclosure: Anchore\u00a0is a\u00a0RedMonk\u00a0client). Anchore collected this data by means of a user survey ran in conjunction with DevOps.com. While the number of respondents is relatively small, at 338, there are some interesting questions asked, and<\/p>\n","protected":false},"author":40,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,15,9,32,17],"tags":[],"class_list":["post-325","post","type-post","status-publish","format-standard","hentry","category-containers","category-developers","category-devops","category-frameworks","category-infrastructure"],"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/redmonk.com\/fryan\/wp-json\/wp\/v2\/posts\/325","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/redmonk.com\/fryan\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/redmonk.com\/fryan\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/redmonk.com\/fryan\/wp-json\/wp\/v2\/users\/40"}],"replies":[{"embeddable":true,"href":"https:\/\/redmonk.com\/fryan\/wp-json\/wp\/v2\/comments?post=325"}],"version-history":[{"count":0,"href":"https:\/\/redmonk.com\/fryan\/wp-json\/wp\/v2\/posts\/325\/revisions"}],"wp:attachment":[{"href":"https:\/\/redmonk.com\/fryan\/wp-json\/wp\/v2\/media?parent=325"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/redmonk.com\/fryan\/wp-json\/wp\/v2\/categories?post=325"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/redmonk.com\/fryan\/wp-json\/wp\/v2\/tags?post=325"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}