Security within a software-defined infrastructure

US10043007B2 · US · B2

Patent metadata
Publication number: US-10043007-B2
Application number: US-201715474207-A
Country: US
Kind code: B2
Filing date: Mar 30, 2017
Priority date: Mar 25, 2015
Publication date: Aug 7, 2018
Grant date: Aug 7, 2018

Abstract

Official abstract text for this publication.

There is a method and system that includes establishing a security container that describes a workload and a set of resources that corresponds to the workload in a software-defined environment, determining a set of security criteria for the security container, monitoring the workload and the set of resources for security events based, at least in part, upon the set of security criteria, and responsive to identifying a security event, adjusting one or more security mechanisms. The steps of monitoring and adjusting are operated within the software-defined environment.

Claims

Claim text as published. All 18 claims are shown; claims 1 and 12 are the independent claims and define the scope of protection, the rest narrow one of them.

What is claimed is:

1. A method comprising: identifying, in a software-defined environment, a security container describing a workload and a set of resources required by the workload, the security container including self-describing sub-containers having associated metadata describing content of a respectively corresponding sub-container; determining, for the workload, a set of resource-divisible portions of the workload including a compute-resource portion; generating a plurality of sub-containers within the security container, a sub-container within the plurality of sub-containers being a self-describing sub-container having associated metadata describing the content of the sub-container representing only one resource-divisible portion, the sub-container being an operating system sub-container; and responsive to identifying a security event while processing the workload, adjusting a security mechanism associated with the security container; wherein: the plurality of sub-containers represents an end-to-end run time environment for processing the workload.

2. The method of claim 1, wherein the end-to-end run time environment includes bare metal sub-containers and hypervisor-specific sub-containers.

3. The method of claim 1, wherein the set of resources are software abstractions.

4. The method of claim 1, wherein the set of resource-divisible portions includes a storage resource portion and a network resource portion.

5. The method of claim 1, further comprising: determining a set of security criteria for the security container.

6. The method of claim 5, further comprising: monitoring the workload and the set of resources for security events that occur while processing the workload; and wherein the security events are based on the set of security criteria.

7. The method of claim 6, wherein monitoring the workload includes applying a behavior model to a resource within the set of resources.

8. The method of claim 1, wherein the security mechanism is an isolation mechanism provided by the plurality of sub-containers at various layers of a stack.

9. The method of claim 1, wherein adjusting the security mechanism includes inserting an additional security mechanism.

10. The method of claim 1, wherein the set of resources includes: a compute resource, a storage resource, a network resource, and a user resource.

11. The method of claim 1, wherein the set of resource-divisible portions of the workload further includes a storage-resource portion of the workload.

12. A method comprising: establishing a security container describing a workload and a set of resources in a software-defined environment, the security container including a set of sub-containers that are self-describing sub-containers having associated metadata describing content of a respectively corresponding sub-container, each sub-container of the set of sub-containers respectively corresponds to a resource-divisible portion of the workload, the set of resources being required by the workload, wherein a sub-container of the set of sub-containers is an operating system sub-container; monitoring the workload and the set of resources for security events; and responsive to identifying a security event, adjusting isolation mechanisms provided by the plurality of sub-containers at various layers of a stack; wherein: the set of sub-containers represents an end-to-end run time environment for processing the workload using the set of resources.

13. The method of claim 12, further comprising: determining a set of security criteria for the security container; and wherein: the monitoring for security events is based on the set of security criteria.

14. The method of claim 12, wherein adjusting isolation mechanisms includes at least one of: inserting an isolation mechanism; and removing an isolation mechanism.

15. The method of claim 12, further comprising: determining a set of resource-divisible portions of the workload including a compute-resource portion, a storage resource portion, and a network resource portion.

16. The method of claim 15, further comprising: generating the set of sub-containers, each sub-container representing a unique resource-divisible portion of the workload.

17. The method of claim 12, wherein the end-to-end run time environment includes bare metal sub-containers and hypervisor-specific sub-containers.

18. The method of claim 12, wherein monitoring the workload and the set of resources for security events includes deep introspection, condition-based monitoring, and/or applying a behavior model to a resource within the set of resources.
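The claims describe a loop rather than a data format: a security container that splits a workload into self-describing sub-containers (OS, compute, storage, network), security criteria per resource, monitoring that applies a behavior model or a condition check (claims 6, 7, 18), and, on a security event, inserting an isolation mechanism at the affected layer (claims 8, 9, 14). The following is an added, runnable model of that loop written for this page; it is not code from the patent, from IBM, or from any product. The sub-container kinds, the z-score behavior model, the per-layer isolation names in RESPONSES and the sample observations are all illustrative assumptions.

```python
# Illustrative model of the claimed loop (added example, not IBM's code or the
# patent's own text): a security container of self-describing sub-containers,
# per-resource security criteria, monitoring via a behaviour model and a
# condition check, and insertion of an isolation mechanism on a security event.
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Optional


@dataclass
class SubContainer:
    """One resource-divisible portion of the workload (os, compute, storage, network)."""
    kind: str
    metadata: dict                                 # self-describing: what this portion holds
    isolation: set = field(default_factory=set)    # isolation mechanisms currently in force
    baseline: list = field(default_factory=list)   # benign observations for the behaviour model


@dataclass
class SecurityEvent:
    resource: str
    reason: str
    observed: object


@dataclass
class SecurityContainer:
    workload: str
    sub_containers: dict            # kind -> SubContainer
    criteria: dict                  # kind -> {"z_max": float} and/or {"allowed": set}
    events: list = field(default_factory=list)


def build_container() -> SecurityContainer:
    """Constructed sample: a web tier whose end-to-end runtime is four sub-containers."""
    subs = {
        "os":      SubContainer("os", {"image": "ubuntu:22.04", "kernel": "5.15"}),
        "compute": SubContainer("compute", {"vcpus": 2, "placement": "hypervisor"}),
        "storage": SubContainer("storage", {"mounts": ["/var/www", "/tmp"]}),
        "network": SubContainer("network", {"egress_allow": ["10.0.0.0/8"]}),
    }
    criteria = {
        "network": {"z_max": 3.0},                     # behaviour model on egress bytes/min
        "storage": {"allowed": {"/var/www", "/tmp"}},  # condition check on write paths
        "compute": {"z_max": 3.0},
    }
    return SecurityContainer("web-tier", subs, criteria)


def behaviour_anomaly(sub: SubContainer, value: float, z_max: float) -> bool:
    """True when `value` lies more than z_max standard deviations from the learned baseline."""
    if len(sub.baseline) < 5:
        sub.baseline.append(value)          # still learning; nothing to compare against yet
        return False
    mu, sigma = mean(sub.baseline), pstdev(sub.baseline) or 1.0
    anomalous = abs(value - mu) / sigma > z_max
    if not anomalous:
        sub.baseline.append(value)          # only benign observations update the model
    return anomalous


# Isolation mechanism inserted per layer of the stack when that layer raises an event
# (illustrative names; a real deployment would map these to concrete controls).
RESPONSES = {
    "network": "egress-deny-all",
    "storage": "remount-read-only",
    "compute": "seccomp-strict",
    "os":      "freeze",
}


def adjust(container: SecurityContainer, event: SecurityEvent) -> set:
    """Respond to an event by inserting an isolation mechanism on the affected sub-container."""
    sub = container.sub_containers[event.resource]
    sub.isolation.add(RESPONSES[event.resource])
    return sub.isolation


def monitor(container: SecurityContainer, kind: str, observation) -> Optional[SecurityEvent]:
    """Check one observation for `kind` against its criteria; on an event, record and adjust."""
    sub, crit = container.sub_containers[kind], container.criteria.get(kind, {})
    event = None
    if "z_max" in crit and behaviour_anomaly(sub, float(observation), crit["z_max"]):
        event = SecurityEvent(kind, "behaviour model deviation", observation)
    elif "allowed" in crit and observation not in crit["allowed"]:
        event = SecurityEvent(kind, "outside allowed set", observation)
    if event is not None:
        container.events.append(event)
        adjust(container, event)
    return event


if __name__ == "__main__":
    c = build_container()
    for egress_bytes in (100, 110, 95, 105, 100, 98):   # constructed benign baseline
        monitor(c, "network", egress_bytes)
    monitor(c, "network", 50_000)          # exfiltration-sized burst -> network isolation
    monitor(c, "storage", "/etc/shadow")   # write outside declared mounts -> storage isolation
    for kind, sub in c.sub_containers.items():
        print(kind, sorted(sub.isolation))
```

The point the model makes is that the response is scoped to the sub-container that raised the event: a network anomaly tightens only the network layer, a storage policy violation only the storage layer, which is what "isolation mechanisms provided by the plurality of sub-containers at various layers of a stack" amounts to in practice. Claim 14 also covers removing an isolation mechanism once conditions clear; that relaxation step is left out here.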

Assignees

IBM (as given in this page's FAQ data)

Inventors

Not listed on this page.

Classifications

  • G06F21/554 (primary) · involving event detection and direct action · CPC title

  • Distribution of virtual machine instances; Migration and load balancing · CPC title

  • Test or assess a computer or a system · CPC title

  • Isolation or security of virtual machine instances · CPC title

  • Detecting local intrusion or implementing counter-measures · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US10043007B2 cover?
There is a method and system that includes establishing a security container that describes a workload and a set of resources that corresponds to the workload in a software-defined environment, determining a set of security criteria for the security container, monitoring the workload and the set of resources for security events based, at least in part, upon the set of security criteria, and res…
Who is the assignee on this patent?
IBM
What technology area does this patent fall under?
Primary CPC classification G06F21/554. Mapped technology areas include Physics.
When was this patent published?
Publication date Aug 7, 2018 (kind code B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 1 related publication on this page (citations in our corpus or others sharing the same primary CPC).