IBM Research works with industry to architect and prototype trusted container platforms
Tackling security and compliance needs in containerized environments
When it comes to highly regulated industries, it is critical to maintain high assurances and compliance around computation. Enterprises must ensure that there is governance of data and processes.
Virtualization and containerization has brought about many benefits to efficiency, adaptability, and scalability of workloads. However, it brings with it challenges in security and compliance.
For example, workloads might be hosted in an environment that shares a pool of physical platforms in a data center or in multi-tenant cloud. Enterprises have security concerns on whether workloads are being run on platforms that are trustworthy, in terms of the integrity of the platform, its locality and metadata, and its ability to establish itself in a root of trust.
Another security concern is the confidentiality of the workload image and its key protection, which is especially important when dealing with regulated or sensitive workloads and data.
Today, there is a gap in fulfilling these security requirements in container platforms. IBM Research has partnered with RedHat, Intel, and NIST to tackle this problem, by working together to research and develop a Trusted Container Platform to meet these security and compliance needs. A Trusted Container Platform provides the ability to secure and govern the container workloads at a much finer granularity.
For example, through a Trusted Container Platform, administrators can create policies to enforce that all nodes in a cluster are trusted and attested, and developers can encrypt a container workload, one that is only decryptable on a trusted and attested node, with an asset tag (such as “region=eu”). All of these operations are rooted in a hardware root of trust such as a Trusted Platform Module (TPM).
The team demonstrated the platform using open-source software components and commercial of-the-shelf technology, including Intel® Security Libraries for Data Center (ISecL-DC), Red Hat OpenShift, IBM Cloud Pak for MultiCloud Management, and IBM Encrypted OCI Container Images.
The team has written an article that documents some early development and prototype work and demos the Trusted Container Platform. You can read our article, “Policy-based governance in a trusted container platform,” on IBM Developer.