It has been interesting watching the conversation around the rise of Docker and the general attention that containers have received in the past few years. Most fascinating has been the reaction of vendors who make their revenue primarily through virtualization technologies. These vendors have been quick to assert that containers are not secure and that in order to assure certainty for an organization, either containers shouldn't be used at all (their preference, obviously) or they should be used within the ongoing context of virtualized servers.
Against this narrative run two forces. First, the container companies (notably, Docker), while being careful to not alienate their virtualization vendor partners, try to assure customers that containers are actually inherently safe. The second narrative comes from third-party vendors that offer security solutions for containers. These players agree that containers have some fundamental flaws, but say their solutions resolve these issues.
A good example is Twistlock, a company that today announced a $10 million Series A funding round that follows on from the $3.1 million in seed funding the company raised last year. More than $13 million in funding only a year after founding is an impressive statistic. So, what does Twistlock do that has funders so excited?
Twistlock's solution is pitched as an enterprise suite for container security. Twistlock’s technologies address risks on the host and within the containerized application, promising enterprises the ability to enforce consistent security policies from development to production.
Twistlock's platform covers the security lifecycle—monitoring container activities, managing vulnerabilities, and detecting and isolating threats targeting production environments. Twistlock’s technology platform includes Twistlock Trust, a set of capabilities that manages container vulnerabilities and enforces compliance practices, and Twistlock Runtime, a collection of runtime functions that delivers powerful behavior analytics of containerized applications and defends against zero-day threats in the production environment.
Twistlock attributes its growth in part to its approach of embedding security from the early stages of the container lifecycle. This approach enables declarative ways of implementing runtime security. Practitioners applying containerization within existing enterprises would seem to agree.
Jim Routh, CIO officer of Aetna, said, "Adding security to a container-based implementation of DevOps is essential for vulnerability management, audit logging and permission management to realize economic benefit in software security."
Twistlock claims a number of production customers, including Fortune 50 firms and other large enterprises, as well as the requisite startup early adopters. As expected, Twistlock is emphatic about the size of its opportunity:
"A good security protection is one that you never hear from. We aim to deliver completely automated security for the entire container stack without manual intervention or disruptive false alarms," said Dima Stopel, head of R&D and co-founder of Twistlock. "That is where Twistlock is headed."
My POV
Security is absolutely a core component of an enterprise technology product. As such, it is almost incomprehensible that base security functionality would be farmed out to third-party vendors and not delivered as a native part of the container platform.
That leads us to two questions:
First, does Twistlock's functionality go beyond "base-level security" and include higher-level functions that one would expect to be provided by a third party? If so, then there is validity to Twistlock's existence.
The other question, and one that I suspect is even more relevant, is how far along Docker is in building out the core security for the platform. If it is still at the early stages, it is eminently possible that Twistlock will present a very real short-term acquisition opportunity as a product that quickly and easily backfills security into the container platform.
Venture capitalists follow the money and look for potential exits. Twistlock certainly has something. The question remains whether that is a short-term or a long-term opportunity.