Security properties of containers are a largely unexplored field, and there is a lot of controversial discussion about whether containers actually contain or not. (At times the discussion seems to be driven by hidden business agendas, partnerships and financial dependencies rather than by plain technology.) So, leaving all of this aside: can you make your containers contain, or not?
On the one hand, containers are not new: service providers have been using, for example, Virtuozzo or Parallels containers to offer Virtual Private Servers (VPS) in multi-tenant environments long before computing clouds even came onto the radar. On the other hand, the packaging of software and the instantiation and management of containers with Docker is brand new.
For many clients the default deployment will be on a guest system on top of a hypervisor, because hypervisors are omnipresent. Others dare to talk about the elephant in the room and ask whether the security properties of Docker containers deployed on a Linux OS on bare-metal hardware are good enough for their use case, or even for multi-tenant environments.
A while ago I set out to address these types of questions, plus other questions that should be top of mind for every security professional who needs to form an opinion about a new technology. Thus, I am happy to announce that my research note “Security properties of Containers managed by Docker” has been published today! It is my hope that this paper will become a solid reference point for security professionals who need to have an informed conversation about container security.