Security within a software-defined infrastructure

What is claimed is: 1. A method comprising: establishing a security container in a software-defined environment, the security container describing a workload and a set of resources, the set of resources being required by the workload; determining a set of resource-divisible portions of the workload including a compute-resource portion, a storage resource portion, and a network resource portion; generating a plurality of sub-containers within the security container, a sub-container within the plurality of sub-containers representing only one resource-divisible portion of the workload; determining a set of security criteria for the security container; monitoring the workload and the set of resources for security events based, at least in part, upon the set of security criteria; and responsive to identifying a security event, adjusting one or more security mechanisms; wherein: the plurality of sub-containers represent an end-to-end run time environment for processing the workload; the end-to-end run time environment includes bare metal sub-containers and hypervisor-specific sub-containers; the set of resources are software abstractions; and at least the steps of monitoring and adjusting are operated within the software-defined environment. 2. The method of claim 1 , wherein the set of security criteria includes a container-specific policy specification that is portable throughout the software defined environment. 3. The method of claim 1 , wherein the step of monitoring includes one of deep introspection, condition-based monitoring, and applying a behavior model to a resource within the set of resources. 4. The method of claim 3 wherein the step of monitoring includes applying a behavior model to workload behavior, the workload behavior captured by one of a set of spatio-temporal footprints of an infrastructure element in the software-defined environment, a temporal progression of usage of the set of resources, activating a set of components within the workload, and invoking a service performed by the workload. 5. The method of claim 1 , wherein the step of adjusting one or more security mechanisms includes one of inserting a security mechanism, and removing a security mechanism. 6. The method of claim 1 , wherein the one or more security mechanisms includes isolation mechanisms provided by the plurality of sub-containers at various layers of a stack. 7. A computer program product comprising a computer readable storage medium having stored thereon program instructions programmed to: establish a security container in a software-defined environment, the security container describing a workload and a set of resources, the set of resources being required by the workload; determine a set of resource-divisible portions of the workload including a compute-resource portion, a storage resource portion, and a network resource portion; generate a plurality of sub-containers within the security container, a sub-container within the plurality of sub-containers representing only one resource-divisible portion of the workload; determine a set of security criteria for the security container; monitor the workload and the set of resources for security events based, at least in part, upon the set of security criteria; and responsive to identifying a security event, adjust one or more security mechanisms; wherein: the plurality of sub-containers represent an end-to-end run time environment for processing the workload; the end-to-end run time environment includes bare metal sub-containers and hypervisor-specific sub-containers; and the set of resources are software abstractions. 8. The computer program product of claim 7 , wherein the set of security criteria includes a container-specific policy specification that is portable throughout the software defined environment. 9. The computer program product of claim 7 , wherein the program instructions programmed to monitor are further programmed to perform one of deep introspection, condition-based monitoring, and applying a behavior model to a resource within the set of resources. 10. The computer program product of claim 7 , wherein adjusting one or more security mechanisms includes one of inserting a security mechanism, and removing a security mechanism. 11. The computer program product of claim 7 , wherein the one or more security mechanisms includes isolation mechanisms provided by the plurality of sub-containers at various layers of a stack. 12. A computer system comprising: a processor(s) set; and a computer readable storage medium; wherein: the processor set is structured, located, connected, and/or programmed to run program instructions stored on the computer readable storage medium; and the program instructions include program instructions programmed to: establish a security container in a software-defined environment, the security container describing a workload and a set of resources, the set of resources being required by the workload; determine a set of resource-divisible portions of the workload including a compute-resource portion, a storage resource portion, and a network resource portion; generate a plurality of sub-containers within the security container, a sub-container within the plurality of sub-containers representing only one resource-divisible portion of the workload; determine a set of security criteria for the security container; monitor the workload and the set of resources for security events based, at least in part, upon the set of security criteria; and responsive to identifying a security event, adjust one or more security mechanisms; wherein: the plurality of sub-containers represent an end-to-end run time environment for processing the workload; the end-to-end run time environment includes bare metal sub-containers and hypervisor-specific sub-containers; and the set of resources are software abstractions. 13. The computer system of claim 12 , wherein the set of security criteria includes a container-specific policy specification that is portable throughout the software defined environment. 14. The computer system of claim 12 , wherein the program instructions programmed to monitor are further programmed to perform one of deep introspection, condition-based monitoring, and applying a behavior model to a resource within the set of resources. 15. The computer system of claim 12 , wherein adjusting one or more security mechanisms includes one of inserting a security mechanism, and removing a security mechanism. 16. The computer system of claim 12 , wherein the one or more security mechanisms includes isolation mechanisms provided by the plurality of sub-containers at various layers of a stack.