Safety and security are one of the biggest areas of concern with any container-managed research application and, according to industry reports [1] is slowing adoption of this technology that otherwise has many benefits such as improved shareability, traceability, and reproducibility and facilitates collaboration.
At Code Ocean keeping our Compute Capsules™ both safe and secure has been a top priority from day one.
The main difference between safe and secure is that safe refers to protection from accidents and mishaps while secure refers to the protection from deliberate dangers or threats. Source: https://pediaa.com/difference-between-safe-and-secure/
Compute Capsules – a safe environment for researchers …
The Code Ocean platform, specifically the Compute Capsules, are purpose-built to provide a standard and safe execution environment for users while giving them a high degree of freedom to do their work, e.g. writing code, using different computing languages and/or adding tools, such as open-source software packages.
One of the key characteristics of Compute Capsules is their shareability. It allows experienced computational users to set up Compute Capsules on an execution platform optimized for safety and security with appropriate guardrails, e.g. access privileges, in place and then easily share those Capsules with their computational biologists, bioinformaticians and bench scientists colleagues who can now work with standardized Capsules without having to worry about safety, making the occasional error, or adding a package that might create a data breach. Although the Capsule does not guarantee protection from malicious code, the computational and IT users can reduce risk by standardizing and governing the Capsule environment and tools.
Working in Compute Capsules, users enjoy the freedom of working with the best tools for their daily analysis work within an environment that provides safety and security in the background. The IT team can set up a safe and secure system from the get-go that requires limited maintenance and trouble-shooting even if used by many users with different coding needs and experience.
… and secure from malicious hackers
The basic security threat every open public SaaS platform faces is that users can not only add any number of open-source tools that can lead to data breaches or leaks but can also write code and execute it in the core of the system. That code could be malicious.
To secure the Compute Capsules the team at Code Ocean has implemented several layers of security in the platform that protect the system from hackers:
- Disabling inter-Capsule communication prevents malicious users from affecting other Compute Capsules.
- Applying user namespace remapping, which gives a user broad root user privileges within their Capsule but limits their privileges on the host. Should a malicious user manage to escape their computation container, they are unable to run operations that affect and potentially damage the host.
- Implementing security groups that act as virtual firewalls and control traffic in and out of the Compute Capsule via inbound and outbound rules.
- Several additional security measures are part of the Capsule execution mechanism that keeps Compute Capsules secure, esp. IP tables and a firewall utility that defines and manages chains of rules to allow or block traffic.
The software development team at Code Ocean designed and implemented these systems based on best practices and the recommendation of security audits that are performed routinely.
“Security is a delicate balancing act, on the one hand we don’t want to limit the users’ ability to do what they need to do within the Compute Capsule, on the other hand we need to make sure their code, data and results are secure.”
Ram Dayan, Code Ocean co-founder and CTO
Compute Capsules contain code, results, data and computing environment in self-sufficient, reproducible software packages that can be shared and immediately executed. This key characteristic of Compute Capsules make this balancing act possible: experienced professionals can set up guardrails to create a safe but flexible environment for users to work in, thereby minimizing the risk associated with data leaks, breaches, and the occasional user error.
In addition, the isolation inherent in containerized applications in combination with customized security measures that limit inter-Capsule exchanges and restrict privileges in the unlikely event of a breach by a user with malicious intent further secures Capsules.
Closing the security gap for researchers and IT
Working with Code Ocean’s Compute Capsules, security is an integral component or mechanism within the platform and provides users the freedom to work in a safe and secure environment. Users have a high degree of freedom to select the best tools for their analyses and focus on their work without having to worry about setting up security protocols by themselves.
The Code Ocean platform closes the security gap between IT teams and computational research users and extends the usability of Compute Capsules to users of all coding abilities.
If you are interested in learning more about Compute Capsules and how they can keep your computational work safe and secure, please contact us here.
References
[1] State of Kubernetes Security Report, 2021, downloadable here: https://security.stackrox.com/state-of-kubernetes-security-2021.html
