Gartner Blog Network


Can you operationalize Docker containers?

by Joerg Fritsch  |  July 14, 2016  |  3 Comments

As DevOps matures, enterprises need to put critical applications running in Docker containers into production. Security folks currently have a hard time deciding whether their Docker use case is ready to be operationalized. Is it a “go”, a “no go”, or do they need to implement additional controls before putting it into operation?

The answer depends on how you define security. If security for you is a measure of segregation capabilities, then containers are not quite there yet. If you take a step back, look at the bigger picture, and consider the many places where security usually has to be applied, then you come to interesting insights!

Applications deployed in containers are more secure than applications deployed on the bare OS

In short, despite the challenges, Gartner believes that one of the biggest benefits of containers is security. Gartner asserts that applications deployed in containers are more secure than applications deployed on the bare OS and, arguably, on a VM. Although containers will not prevent applications from being compromised, they greatly limit the damage of a successful compromise because applications and users are isolated on a per-container basis so that they cannot compromise other containers or the host OS — as long as a kernel privilege escalation vulnerability does not exist on the host OS.
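As an added example (my own code, not Gartner's, Docker's or any vendor's), here is a small Python audit of a container's run-time configuration against the isolation assumption the paragraph above relies on. It reads the JSON that `docker inspect <container>` prints, flags settings that hand a compromised application a way past its own namespaces (added capabilities, the host PID or network namespace, a disabled seccomp or AppArmor profile, a mounted Docker socket) or that merely widen the blast radius (writable root filesystem, root user), and maps the result onto the go / no go / additional-controls question from the introduction. The two inspect documents are constructed samples with invented values; the field names follow the real `docker inspect` schema, but the severity grouping is my own choice, not a Docker or Gartner rating.

```python
import json

# Constructed sample documents in the shape of `docker inspect <container>`
# output (field names follow the real schema; the values are invented).
WEAK_INSPECT = json.dumps([{
    "Name": "/billing-api",
    "Config": {"User": "", "Image": "example/billing:1.4"},
    "HostConfig": {
        "Privileged": False,
        "CapAdd": ["SYS_ADMIN"],
        "CapDrop": [],
        "PidMode": "",
        "NetworkMode": "host",
        "ReadonlyRootfs": False,
        "SecurityOpt": ["seccomp=unconfined"],
    },
    "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                "Destination": "/var/run/docker.sock"}],
}])

HARDENED_INSPECT = json.dumps([{
    "Name": "/billing-api",
    "Config": {"User": "10001:10001", "Image": "example/billing:1.4"},
    "HostConfig": {
        "Privileged": False,
        "CapAdd": [],
        "CapDrop": ["ALL"],
        "PidMode": "",
        "NetworkMode": "bridge",
        "ReadonlyRootfs": True,
        "SecurityOpt": ["no-new-privileges"],
    },
    "Mounts": [],
}])

# Capabilities that let a process reach well beyond its own namespace.
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN",
                  "DAC_READ_SEARCH", "SYS_RAWIO"}

HIGH, MEDIUM = "high", "medium"


def _cap_name(cap):
    """Normalise 'cap_sys_admin' / 'SYS_ADMIN' to 'SYS_ADMIN'."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit_container(inspect_json):
    """Return [(severity, message), ...] for one docker inspect document.

    HIGH findings break the per-container isolation boundary outright;
    MEDIUM findings are hardening gaps that widen the blast radius once
    the application inside the container is compromised.
    """
    doc = json.loads(inspect_json)[0]
    hc = doc.get("HostConfig") or {}
    cfg = doc.get("Config") or {}
    findings = []

    if hc.get("Privileged"):
        findings.append((HIGH, "--privileged: all capabilities and host devices exposed"))
    added = {_cap_name(c) for c in hc.get("CapAdd") or []}
    for cap in sorted(added & DANGEROUS_CAPS):
        findings.append((HIGH, f"--cap-add {cap}: capability reaches past the container"))
    if hc.get("PidMode") == "host":
        findings.append((HIGH, "--pid=host: host process namespace shared"))
    if hc.get("NetworkMode") == "host":
        findings.append((HIGH, "--net=host: host network namespace shared"))
    for opt in hc.get("SecurityOpt") or []:
        if opt in ("seccomp=unconfined", "apparmor=unconfined"):
            findings.append((HIGH, f"--security-opt {opt}: default syscall/MAC profile disabled"))
    for m in doc.get("Mounts") or []:
        if m.get("Source") == "/var/run/docker.sock":
            findings.append((HIGH, "docker.sock mounted: equivalent to root on the host"))
    if not hc.get("ReadonlyRootfs"):
        findings.append((MEDIUM, "writable root filesystem: add --read-only plus tmpfs for scratch paths"))
    if not cfg.get("User"):
        findings.append((MEDIUM, "runs as root in the container: set USER in the image or --user"))
    return findings


def classify(findings):
    """Map findings to the post's go / no go / additional-controls decision."""
    severities = {sev for sev, _ in findings}
    if HIGH in severities:
        return "no go"
    if MEDIUM in severities:
        return "additional controls"
    return "go"


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_INSPECT), ("hardened", HARDENED_INSPECT)):
        findings = audit_container(doc)
        print(f"{label}: {classify(findings)}")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
```

Against a live host you would pass the output of `docker inspect <name>` to `audit_container` instead of the embedded samples. The check only covers the container's own configuration: it says nothing about the kernel privilege escalation case the paragraph names as the remaining condition, which has to be handled by host patching and the seccomp/MAC profiles the audit merely confirms are switched on.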

But the rabbit hole is very deep

The notion of “an application” is also very much in flux, from something monolithic that resides in a fixed spot to something distributed that is elastic and dynamic. Docker is a great basis for microservice-based architectures where an application is distributed over several (many?) containers that need to communicate with each other. But what does that mean in terms of security?

Furthermore, a container is not some magical secure cargo; it is software that lives in containers, and security gaps ultimately are caused by suboptimal software. Docker and the third-party security vendors around it have recognized this and are starting to address the security of applications deployed in Docker containers during both the build phase and the run phase of the lifecycle.
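The build-phase side of this, as an added example (my own, not Docker's or any vendor's code): a multi-stage Dockerfile that leaves the build toolchain out of the shipped image, pins the runtime base image, and runs the application as a non-root user, so that whatever run-time controls sit around the container have less to defend. It assumes a Go application whose entry point lives under `./cmd/app`; the `sha256:PLACEHOLDER_DIGEST` value is a placeholder to be replaced with the digest of the base image you actually verified.

```dockerfile
# syntax=docker/dockerfile:1
# --- Build stage: full toolchain, never shipped ---------------------------
FROM golang:1.22-alpine AS build
WORKDIR /src
# Copy dependency manifests first so the module download layer is cached.
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# Static binary, symbols stripped; nothing in the runtime image needs libc.
RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /out/app ./cmd/app

# --- Runtime stage: minimal base pinned by digest (placeholder digest) -----
# distroless "static" carries no shell or package manager, which shrinks
# what an attacker can use after compromising the application process.
FROM gcr.io/distroless/static-debian12:nonroot@sha256:PLACEHOLDER_DIGEST
COPY --from=build /out/app /app
# Run as the image's unprivileged uid/gid, not as root inside the container.
USER 65532:65532
EXPOSE 8080
ENTRYPOINT ["/app"]
```

Scanning the resulting image for known-vulnerable packages belongs in the same build pipeline, before the image is pushed; the Dockerfile above keeps the package count small enough that such a scan stays meaningful.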

But it goes even deeper . . . what about traditional network security? Load balancers? ADCs?

Much of this is covered by startups. Startups to watch when it comes to securing Docker are:

Docker

Aqua Security

Twistlock

The Docker “native” SDNs, such as Weave and Calico

and micro service routing platforms, such as Vamp

I have investigated all this in my new research note titled “How to Secure Docker Containers in Operation” and want to encourage Gartner clients to read it and engage with me to discuss the results.

Category: devops  docker  

Tags: devops  docker  

Joerg Fritsch
Research Director
1 year at Gartner
15 years IT Industry

Joerg Fritsch is a Research Director in the Gartner for Technical Professionals Security and Risk Management Strategies team. His specialties include information security, data center and cloud security, big data (analytics), cloud computing, PaaS, distributed systems, messaging and event-driven systems, and very fast networks and servers.


Thoughts on Can you operationalize Docker containers?


  1. maxp says:

    You assert containers increase security, but many have noted that containers do not effectively isolate applications from the host OS.[1][2][3] How would you rebut or minimize the concerns yielded from the lack of incomplete namespacing and a lack of a guarantee of separation latent in Linux containers (LXC)?

    [1]: https://opensource.com/business/14/9/security-for-docker
    [2]: http://www.itworld.com/article/2920349/security/for-containers-security-is-problem-1.html
    [3]: http://www.projectatomic.io/blog/2014/09/yet-another-reason-containers-don-t-contain-kernel-keyrings/

    • Joerg Fritsch says:

      @maxp This is a situation that you often have in real-world security. Although a control can ultimately be broken or circumvented it is still considerably raising the bar for attackers. This creates the arms race between the security pros and the adversaries that we are all in. The sources you link to are partially two years old and have been addressed by the presets of newer versions of the Docker Platform.

      • Ben Griffin says:

        Joerg,

        You’re spot on. I run the Docker Melbourne Meetup and I recently spoke about hardening Docker containers and their respective hosts. Docker 1.12 addresses a lot of the security concerns around TLS and certificate management, but Docker have also introduced user namespacing, SECCOMP, MAP etc., which all assist in addressing the concerns raised in those articles. Docker releases a new version every 2 months, so if you’re reading security reports on Docker older than 2 months, it’s more than likely been resolved.




Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.