A household services company built Linux container security into a recently improved app deployment process to... keep its IT operations squeaky clean.
ServiceMaster Global Holdings Inc., which owns consumer brands such as Terminix, Merry Maids, Furniture Medic and ServiceMaster Clean and Restore, deploys 75,000 service trucks to residential driveways each day. Five years ago, the company was taken private by an equity firm, and new leadership, including a new CIO, was brought in to modernize its operations. When it returned to the public market in 2014, the company had completely overhauled its approach to IT.
The company is now "light-years ahead" of where it was five years ago, said Thomas Davis, director of security for ServiceMaster, based in Memphis, Tenn. A new Agile development process and set of DevOps practices has now produced mobile apps that customers can use to order services through tweets and text messages, as well as track technicians en route to their houses similarly to how Uber customers track drivers.
That's only the beginning, Davis said.
"We've become a tech company," Davis said. "We didn't want to end up being the next Blockbuster that just didn't see the train coming."
ServiceMaster's DevOps transformation began with a VM-based infrastructure and a Waterfall method of app delivery, and it has progressed to between 40 and 50 Scrum teams that push out up to 10 updates a day. The DevOps pipeline incorporates Jenkins for continuous integration and delivery, Puppet for app deployment, Ansible for infrastructure deployment, and some homegrown tools for dashboards, interfaces and APIs.
Since it handles consumer data, the company took a special interest in security as it built the DevOps pipeline. Now, a developer can write code on a laptop, push F5 to commit, and after automated security tests run against the code, it's pushed through to production.
"Security can't be at the end -- a gate before [an app] goes to production, where we give it a thumbs-up or thumbs-down," Davis said. "Our goal is to work directly with the developers."
A holistic approach to Linux container security
A crop of Linux container security startups has turned heads over the last two years among some enterprises, but ServiceMaster chose products from Hewlett Packard Enterprise (HPE) and Tenable -- familiar vendors that could also secure the company's networks and VM-based workloads.
ServiceMaster previously built an API that connects its Cisco networking equipment to Tenable's software to detect system vulnerabilities, for example. It also deployed HPE's Fortify Application Defender for visibility into apps that run on any system in the network.
Tenable's container image scanning feature, based on the 2016 acquisition of FlawCheck, now helps ServiceMaster's DevOps team maintain an immutable infrastructure where containers are torn down and rebuilt, rather than patched.
"If someone logs into a container and starts changing stuff, we want to know," Davis said. "They should be fully automated and fully orchestrated; nobody should be logging in."
Tenable's container security handles image scanning whenever containers are deployed, but doesn't yet offer visibility into running containers, though container runtime security support is on the company's roadmap. Davis has also evaluated Aqua and NeuVector for this feature, but plans to look into Tenable's forthcoming product.
Static image scanning prior to app deployment into production was a higher priority for Linux container security at ServiceMaster than container runtime monitoring, Davis said.
"Tenable gave us the ability to build security into our technology stack, not just into our containers," Davis said. "Especially in a world where a system might only live for days or even hours, it was important to build it right the first time."
ServiceMaster will keep its options open as Linux container security evolves, however. Davis said the company learned its lesson about being married to specific vendors when it ended an outsourcing contract with IBM five years ago.
"I do one-year contracts with my vendors," Davis said. "I like to move around very quickly and navigate the industry the way I feel we need to for our business."