Sonatype Takes on Container Governance
As usage of containers continues to proliferate across the enterprise there will be some natural shifting of management responsibility between developers and IT operations teams in many organizations. In fact, most developers will have a bare-minimum involvement in anything to do with IT governance.
With that assumption in mind, Sonatype has added a Lifecyle Container Analysis (LCA) offering to its portfolio that enables IT organizations to scan the contents of a container at the application level. Matt Howard, executive vice president of Market Development for Sonatype, says containers represent a more granular form of reusable software module. The company has been providing governance tools to track usage of open-source components for years, so LCA is a natural extension of those efforts, he says.
The challenge IT organizations now face is a lack of visibility into a container to see what’s inside. That container could, for example, be propagating malware across the enterprise in a way that is invisible to IT security tools. Sonatype provides a mechanism for scanning the software packaged in a container to enable IT organizations to analyze that code and identify known vulnerabilities.
Of course, reuse in the context of containers quickly gets complicated. Most existing open-source modules are upgraded using patches in much the same method as a traditional application. Applications developed using containers are upgraded by replacing or adding entire sets of containers to add new functionality. There no doubt will be significant reuse of some containers. But overall, the life cycle of container typically is much shorter than a traditional application module.
Regardless of how long a container exists, governance of applications based on containers represents a major challenge for IT organizations. Most IT organizations don’t have the scanning tools needed to provide visibility into a container, much less a formal governance process surrounding how containers come and go in a production environment. In heavily regulated industries that’s a major concern, because most organizations operating in those environments are required to document changes to their IT environments.
Longer term, Howard says, it’s only a matter of time before IT organizations look to automate as much of the governance process as possible. As more containers start to enter production environments, tracking the provenance of each container will be nearly impossible without relying on more automation. In fact, Howard notes that adoption of containers will probably require most organizations to entirely rethink the governance process surrounding their applications.
Containers represent a better way to build software. But making the shift to containers requires a major shift in philosophy when it comes to managing the IT environment. Of course, legacy applications are not going to disappear overnight. But over time many of these legacy applications will be decomposed into a set of more granular functions residing in containers. That means before too long most of the IT environment will be made up of containers. Keeping track of the relationship between all those containers very well may prove to be the biggest challenge IT organizations will face in the months and years ahead.