Portworx adds security and DR options for container storage

New DR capabilities

The new PX-DR functionality enables users to synchronously replicate data across cloud sites within the same metropolitan area. For instance, a customer could fail over an application from AWS to Microsoft Azure, or vice versa, with no data loss if a data center in the stretch cluster went down.

Portworx Enterprise 2.1 also enables asynchronous replication of Kubernetes applications and data across geographies via a WAN. For instance, a customer could set a policy to back up a container-based application and its data from AWS' U.S. East availability zone to AWS U.S. West on a specific schedule. The user could fail over the application to the distant site if a data center goes down or the Kubernetes application needs an update.

Containers were generally stateless and used only ephemeral storage prior to the debut of Docker volume plugins in 2015. The next year, Kubernetes added similar functionality, with in-tree volume drivers for persistent storage of stateful application data.

"DR [disaster recovery] is probably the newest challenge for containers because of the increasing significance of the applications that are moving to containers," wrote Steven Hill, a senior analyst at 451 Research, in an email. "Providing persistent storage for containers is one thing, but protecting that storage is another. The storage industry as a whole is just starting to figure out how to provide data protection for business data that needs to be as mobile as their containers."

Security functionality

Portworx previously supported key management systems, such as AWS Key Management Service and HashiCorp Vault, which let customers control encryption keys for security. With PX-Security, the vendor adds support for role-based access controls at the container volume level. PX-Security integrates with authentication and authorization technologies, such as Active Directory and the Lightweight Directory Access Protocol.

Enrico Signoretti, a senior data storage analyst at GigaOm, based in Austin, Texas, said Portworx had to add DR and security features for enterprises to consider it for important application workloads. But he said most enterprises are just beginning to use or consider containers for persistent storage.

Signoretti said users could go with a startup, such as Datera, Portworx or StorageOS, that has designed storage specifically for containers. Or, they could opt for an established vendor, such as NetApp or Red Hat, that has added capabilities to make their storage products "container-friendly," he said.

Portworx has gained the attention of some of those established vendors. Cisco, Hewlett Packard Enterprise and NetApp all invested in Portworx's recently closed $27 million Series C funding round. Now, Portworx will try to make its software attractive to its new investors' customers as they increase their container adoption.

"It's easier probably for most enterprises to start with the storage system they already have in place that has an integration with containers," Signoretti said. "But in the medium or long term, if they are focusing on building a large container infrastructure, then thinking about something that is designed for this technology is better."

Kris Watson, CEO and co-founder of Portworx customer Compute Stacks, based in Portland, Ore., said he's looking forward to the new per-volume access control. Compute Stacks built a multi-tenant container platform for its service provider customers that sell cloud services, such as web hosting or email.

"With our integration with Portworx 2.1, we can enable service providers to sell container applications that are locked into a specific volume," Watson wrote in an email. "This would prevent an unauthorized user from manually mounting that volume to another container and accessing that user's data."

Watson said he's also eager to try the new PX-DR functionality to enable customers to keep a full, up-to-date standby cluster and potentially offer premium options with higher service-level agreements. Until now, he said, he has had to use snapshots to back up individual volumes to Amazon S3-compatible storage, and recovery time would be significant in the event of a cluster failure.