Why Should Indian Systems Containerize?

Providing better software security efficiently is the need of the hour

Pavan B Govindaraju
May 5, 2024

Introduction

India boasts one of the largest Internet user bases, which is slated to reach over 900 million by 2025. This provides an extremely large attack surface for other countries to carry out elaborate cyberattacks. Data breaches have been common in recent times in India and the information of millions of users has already been compromised. This is a problem that is plaguing both civilians (Unique Identification — Aadhaar, Domino’s) and even the military-defense complex (Kudankulam). Security is a moving target in software systems, and new updates must be rapidly deployable with their safety ensured.

Case Study — US Department of Defense (DoD)

A few years ago, the US Department of Defense was able to overhaul the software stack on a 50-year-old U-2 Bomber to use the latest developments in software security and do a Tesla-like OTA software update.

The paradigm that was utilized, commonly known as DevSecOps, introduces security even before the software is deployed and ideally as part of the deployment process itself as the name suggests. A summary of the initiative and its outcomes is provided in this interesting talk.

The fundamental motivation for this was to upgrade the security levels of various defence assets, which is a need for every sovereign nation. Doing it via the DevSecOps paradigm allows developers to focus only on the development of services. By using a standard set of hardened blocks that can be deployed irrespective of the operating system, an ecosystem of hardened software is created. This can be updated, even over the air, with utmost efficiency and with minimal human intervention for all related assets.

Key Steps Involved

The overhaul process involved several key stages and can be summarized as follows:

  • Containerization — This is essential to providing platform-independent security standards for all kinds of customers.

The other steps that would be good to have include:

  • Orchestration — This ensures that systems are scalable and resilient while using these standardized blocks
  • Service Mesh Usage — This provides additional features such as encryption and monitoring, that usually require additional development effort

Containers

First, the advent of tools like Docker has made software installation a simple process and independent of the underlying operating system. This is possible through the abstraction of a software container.

Containers and their relation to the operating system and infrastructure (Source: Docker)

Docker containers are standalone executable packages that contain everything needed to run the code, independent of the underlying environment. This has several benefits, including:

  • Standard — Containers are immutable and would be taken from a verified repository that would form the pieces for eventual applications.
  • Lightweight — Containers leverage the system’s kernel and would be resource and cost-efficient.
  • Secure — Typical security measures such as static application security testing and container scanning can be established at the repository level itself to ensure a hardened source of software blocks.
  • Isolation — Running multiple applications is required in most devices and using containers isolates the dependencies of one from the other.

The last point on isolation is of particular importance to AI/ML applications and even other advanced software systems such as simulation software, where there are sometimes hundreds of dependencies. Providing isolation and simultaneously allowing its installation with a single click in a platform-independent manner is one of the key advantages of containerization. Developers used to spend several hours installing these precursors as they involved multiple languages with their respective build systems, and that is now entirely avoidable via containers.

Orchestration and Service Mesh Usage

In addition to this, many applications are a combination of Docker containers that need to talk to each other. Some of them would require multiple instances to scale with the load and given the mission-critical nature of these applications, resilience and security are of utmost importance. For this purpose, the combination of Kubernetes+Istio is commonly used to simplify several offerings that would usually require additional development.

Logos of Kubernetes and Istio, two common applications that are utilized together in DevSecOps (Source: CNCF)

Kubernetes provides the orchestration layer for containers. It offers several important features, including:

  • Self-Healing — Containers are restarted and rescheduled if they fail.
  • Scaling — Containers can be defined for each service to scale based on various metrics.

In addition to this, Kubernetes clusters can be deployed independently of the cloud provider, which avoids vendor lock-in.

There are additional requirements that are usually handled in the application layer. To save an immense amount of development time, it would be suitable to deploy Istio as well along with Kubernetes for the following advantages:

  • Encryption — Mechanisms such as mutual TLS (mTLS) provide secure service-to-service communication within the Kubernetes cluster
  • Telemetry — Istio injects proxies alongside each container, which help gather logs and provide request flow information across various services
  • Advanced Communication — Features such as circuit breaking, retries and timeouts are available out-of-the-box and ensure robust communication between services without backlogs even when certain services are unresponsive
  • Deployments — Applications are very rarely deployed at once to full traffic and several deployment patterns would be difficult to implement. Istio provides traffic control strategies such as load balancing and canary deployment to ensure any production-related issues can be addressed with minimal downtime
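When no policy is set, Istio's mTLS mode is PERMISSIVE, which still accepts plaintext, so the encryption benefit above depends on the policies actually deployed. The following added example (not from the original article) resolves the effective namespace-level mode from `PeerAuthentication` objects; the sample policies and namespace names are constructed, and it assumes the default root namespace `istio-system` and at most one namespace-wide policy per namespace.

```python
ROOT_NAMESPACE = "istio-system"  # assumption: the mesh uses Istio's default root namespace

def mode_of(policy):
    """mTLS mode of a PeerAuthentication object; UNSET means inherit from the parent."""
    return policy.get("spec", {}).get("mtls", {}).get("mode", "UNSET")

def is_workload_scoped(policy):
    return bool(policy.get("spec", {}).get("selector"))

def effective_modes(policies, namespaces):
    """Resolve the namespace-wide mTLS mode: namespace policy, else mesh policy, else PERMISSIVE."""
    scoped = {}
    for p in policies:
        if p.get("kind") == "PeerAuthentication" and not is_workload_scoped(p):
            scoped[p["metadata"]["namespace"]] = mode_of(p)
    mesh = scoped.get(ROOT_NAMESPACE, "UNSET")
    if mesh == "UNSET":
        mesh = "PERMISSIVE"  # Istio's behaviour when nothing is configured
    return {ns: (mesh if scoped.get(ns, "UNSET") == "UNSET" else scoped[ns])
            for ns in namespaces}

def plaintext_allowed(policies, namespaces):
    """Namespaces whose sidecars still accept unencrypted service-to-service traffic."""
    modes = effective_modes(policies, namespaces)
    return sorted(ns for ns, mode in modes.items() if mode != "STRICT")

def workload_exceptions(policies):
    """Selector-scoped policies that relax mTLS for the workloads they match."""
    return [(p["metadata"]["namespace"], p["metadata"]["name"], mode_of(p))
            for p in policies
            if p.get("kind") == "PeerAuthentication" and is_workload_scoped(p)
            and mode_of(p) in ("PERMISSIVE", "DISABLE")]

# Constructed sample: strict mesh default, one relaxed namespace, one workload opt-out.
SAMPLE_POLICIES = [
    {"kind": "PeerAuthentication", "metadata": {"name": "default", "namespace": "istio-system"},
     "spec": {"mtls": {"mode": "STRICT"}}},
    {"kind": "PeerAuthentication", "metadata": {"name": "legacy", "namespace": "billing"},
     "spec": {"mtls": {"mode": "PERMISSIVE"}}},
    {"kind": "PeerAuthentication", "metadata": {"name": "db", "namespace": "portal"},
     "spec": {"selector": {"matchLabels": {"app": "db"}}, "mtls": {"mode": "DISABLE"}}},
]

if __name__ == "__main__":
    print("plaintext still accepted in:", plaintext_allowed(SAMPLE_POLICIES, ["billing", "portal"]))
    print("workload-level exceptions:", workload_exceptions(SAMPLE_POLICIES))
```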

Recommendations

Robust security features across the board require a bottom-to-top effort, and that can be standardized through containers. High-security environments such as defence, as in the DoD case study, should ideally have centralized repositories for containers that are validated after thorough scans and hosted in a shared domain across departments.

Mission-critical systems such as fighter planes or even key governmental portals should also utilize Kubernetes and Istio to ensure resilience and monitoring are available right off the bat. Using custom distributions of these tools to run on specific operating systems would be the key challenge, but that has been addressed in a reasonable time frame before. More importantly, these offerings are from CNCF, which is a vendor-neutral hub for cloud computing and would thus not create any dependency on another nation.

Summary

In conclusion, given India’s vast internet user base and the increasing cyber threats, adopting modern software security practices like DevSecOps becomes imperative. The case study of the US Department of Defense showcases the successful adoption of DevSecOps principles to enhance security in a complex and critical environment. The challenge of getting relatively immobile organizations to adopt new technologies is a more abstract problem, but replicating such initiatives in India should not be difficult as the need here is larger. By leveraging containerization, orchestration tools like Kubernetes, and service mesh solutions such as Istio, India can bolster its cybersecurity posture across various sectors, from civilian services to defence assets.
