As DevOps matures enterprises have a need to put critical applications running on Docker Containers into production. Security folks currently have a hard time to decide if their Docker use case is ready to be operationalized. Is it a “go”, a “no go” or do they need to implement additional controls before putting it into operation?
The answer depends on how you define security. If security for you is a measure of segregation capabilities then containers are not quite there yet. If you take a step back and look at the bigger picture and consider the many pockets where security must usually go, then you come to interesting insights!
Applications deployed in containers are more secure than applications deployed on the bare OS
In short, despite the challenges, Gartner believes that one of the biggest benefits of containers is security. Gartner asserts that applications deployed in containers are more secure than applications deployed on the bare OS and, arguably, on a VM. Although containers will not prevent applications from being compromised, they greatly limit the damage of a successful compromise because applications and users are isolated on a per-container basis so that they cannot compromise other containers or the host OS — as long as a kernel privilege escalation vulnerability does not exist on the host OS.
But the rabbit hole is very deep
The notion of “an application” is also very much in flux from something monolothic that resides in a fixed spot to something distributed that is elastic and dynamic. Docker is a great basis for micro service based architectures where an application is distributed over several (many?) containers that need to communicate with each other.–But what does that mean in terms of security?
Furthermore it is not some magical secure cargo, but software that lives in containers and security gaps ultimately are caused by suboptimal software. Docker and the third party security vendors around it have recognized this and start to address security of applications deployed in Docker containers during the build phase and the run phase of the lifecycle.
But it goes even deeper . . . what is with traditional network security? Load Balancers? ADCs?
Many of this is covered by startups. Startups to watch when it comes to secure Docker are
The Docker “native” SDNs, such as Weave and Calico
and micro service routing platforms, such as Vamp
I have investigated all this in my new research note titled “How to Secure Docker Containers in Operation” and want to encourage Gartner clients to read it and engage with me to discuss the results.
The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.
Comments are closed
You assert containers increase security, but many have noted that containers do not effectively isolate applications from the host OS. How do would you rebut or minimize the concerns yielded from the lack of incomplete namespacing and a lack of a guarantee of separation latent in Linux containers (LXC)?
@maxp This is a situation that you often have in real-world security. Although a control can ultimately be broken or circumvented it is still considerably raising the bar for attackers. This creates the arms race between the security pros and the adversaries that we are all in. The sources you link to are partially two years old and have been addressed by the presets of newer versions of the Docker Platform.
You’re spot on. I run the Docker Melbourne Meetup and I recently spoke about hardening Docker containers and their respective hosts. Docker 1.12 addresses a lot of the security concerns around TLS and certificate management, but Docker have also introduce user namespacing, SECCOMP, MAP etc which all assist in addressing the concerned raised in those articles. Docker releases a new version every 2 months, so if you’re reading security reports on Docker older than 2 months, its more than likely been resolved.