Security properties of containers are a largely unexplored field, and there is a lot of controversial discussion about whether containers do contain or not. At times it seems that the discussion is driven by (hidden) business agendas, partnerships and financial dependencies rather than by plain technology. So, leaving all of this aside, can you make your containers contain or not?
On the one hand, containers are not new, and service providers have been using, for example, Virtuozzo or Parallels containers to offer Virtual Private Servers (VPS) in multi-tenant environments long before computing clouds even came onto the radar. On the other hand, the packaging of software and the instantiation and management of containers with Docker are brand new.
For many clients, the default deployment will be on a guest system on top of a hypervisor, because hypervisors are omnipresent. Others dare to talk about the elephant in the room and ask whether the security properties of Docker containers deployed on a Linux OS on bare-metal hardware are good enough for their use case, or even for multi-tenant environments.
A while ago I set out to address these types of questions, plus other questions that should be top of mind for every security professional who needs to get an opinion about a new technology. Thus, I am happy to announce that my research note “Security properties of Containers managed by Docker” has been published today! It is my hope that this paper will become a solid reference point for security professionals who need to have an informed conversation about container security.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.