As DevOps matures, enterprises need to put critical applications running in Docker containers into production. Security teams currently have a hard time deciding whether their Docker use case is ready to be operationalized: is it a “go”, a “no go”, or do they need to implement additional controls before putting it into operation?
The answer depends on how you define security. If security for you is a measure of segregation capability, then containers are not quite there yet: a container shares the host kernel, so it isolates less strongly than a VM does. If you take a step back, look at the bigger picture and consider the many places where security controls usually have to go, you arrive at some interesting insights.
Applications deployed in containers are more secure than applications deployed on the bare OS
In short, despite the challenges, Gartner believes that one of the biggest benefits of containers is security. Gartner asserts that applications deployed in containers are more secure than applications deployed on the bare OS and, arguably, on a VM. Although containers will not prevent applications from being compromised, they greatly limit the damage of a successful compromise, because applications and users are isolated on a per-container basis (by kernel namespaces, cgroups and capability restrictions) so that they cannot compromise other containers or the host OS. That holds as long as no kernel privilege escalation vulnerability exists on the host OS, and as long as the container has not been launched with settings that hand it host resources anyway, such as privileged mode, host PID or network namespaces, or a mount of the Docker socket.
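The isolation argument above only holds if a container was actually started with its isolation intact. The following Python script is an added example, not code from the original post or from Gartner: it audits the JSON that `docker inspect` emits for the settings that weaken or remove per-container isolation (privileged mode, dangerous added capabilities, host PID/network namespaces, a Docker socket mount, running as root, a writable root filesystem, missing `no-new-privileges`). The two inspect documents are constructed samples in the shape of real `docker inspect` output, one weak and one hardened; the container names and the set of capabilities treated as dangerous are assumptions.

```python
"""Audit `docker inspect` output for settings that undermine container isolation.

Usage:  docker inspect <container> | python3 audit_isolation.py
Run without stdin to audit the two constructed samples below.
"""
import json
import sys

# Constructed sample shaped like `docker inspect` output (trimmed to the fields
# this audit reads). Container name and values are assumptions for illustration.
WEAK_INSPECT = json.dumps([{
    "Id": "c0ffee",
    "Name": "/payments-api",
    "Config": {"User": ""},                # empty User means root inside the container
    "HostConfig": {
        "Privileged": False,
        "CapAdd": ["SYS_ADMIN"],
        "CapDrop": [],
        "PidMode": "host",
        "NetworkMode": "bridge",
        "Binds": ["/var/run/docker.sock:/var/run/docker.sock", "/data:/data:ro"],
        "SecurityOpt": None,
        "ReadonlyRootfs": False,
    },
}])

# The same workload with the isolation-preserving settings (also constructed).
HARDENED_INSPECT = json.dumps([{
    "Id": "decaf0",
    "Name": "/payments-api-hardened",
    "Config": {"User": "10001:10001"},
    "HostConfig": {
        "Privileged": False,
        "CapAdd": [],
        "CapDrop": ["ALL"],
        "PidMode": "",
        "NetworkMode": "bridge",
        "Binds": ["/data:/data:ro"],
        "SecurityOpt": ["no-new-privileges"],
        "ReadonlyRootfs": True,
    },
}])

# Assumed set: capabilities that let a process reach across the container boundary.
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}
DOCKER_SOCKETS = {"/var/run/docker.sock", "/run/docker.sock"}


def audit_container(container: dict) -> list[str]:
    """Return a list of isolation findings for one `docker inspect` entry."""
    host = container.get("HostConfig") or {}
    cfg = container.get("Config") or {}
    findings = []

    if host.get("Privileged"):
        findings.append("privileged: all capabilities and host devices, isolation is nominal")
    for cap in host.get("CapAdd") or []:
        if cap.upper().removeprefix("CAP_") in DANGEROUS_CAPS:
            findings.append(f"cap-add {cap}: can be used to tamper with or escape to the host")
    if host.get("PidMode") == "host":
        findings.append("pid=host: container sees and can signal host processes")
    if host.get("NetworkMode") == "host":
        findings.append("net=host: container shares the host network stack")
    for bind in host.get("Binds") or []:
        src = bind.split(":")[0]
        if src in DOCKER_SOCKETS:
            findings.append("docker.sock mounted: container can drive the host's Docker daemon")
        elif src == "/":
            findings.append("host root filesystem mounted")
    if not cfg.get("User"):
        findings.append("runs as root: a kernel bug becomes a host-root bug")
    if not any(opt.startswith("no-new-privileges") for opt in host.get("SecurityOpt") or []):
        findings.append("no-new-privileges not set: setuid binaries can regain privileges")
    if not host.get("ReadonlyRootfs"):
        findings.append("writable root filesystem: a compromised app can persist changes")
    return findings


def audit_inspect_json(text: str) -> dict[str, list[str]]:
    """Audit every container in a `docker inspect` JSON document, keyed by name."""
    return {c.get("Name") or c.get("Id", "?"): audit_container(c) for c in json.loads(text)}


if __name__ == "__main__":
    docs = [sys.stdin.read()] if not sys.stdin.isatty() else [WEAK_INSPECT, HARDENED_INSPECT]
    for doc in docs:
        for name, findings in audit_inspect_json(doc).items():
            print(name, "OK" if not findings else "")
            for finding in findings:
                print("  -", finding)
```

The weak sample produces six findings; the hardened one produces none. Note that even a clean result says nothing about the kernel itself: a host kernel privilege escalation bug still breaks out of a perfectly configured container, which is exactly the caveat in the paragraph above.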
But the rabbit hole is very deep
The notion of “an application” is also very much in flux, from something monolithic that resides in a fixed spot to something distributed, elastic and dynamic. Docker is a great basis for microservice-based architectures, where an application is distributed over several (many?) containers that need to communicate with each other. But what does that mean in terms of security?
Furthermore, what lives in a container is not some magical secure cargo but software, and security gaps are ultimately caused by flawed software. Docker and the third-party security vendors around it have recognized this and are starting to address the security of applications deployed in Docker containers during both the build phase (for example, scanning images for known-vulnerable packages before they ship) and the run phase (for example, monitoring what a running container actually does) of the lifecycle.
But it goes even deeper: what about traditional network security, load balancers and ADCs?
Much of this is covered by startups. Startups to watch when it comes to securing Docker are
and microservice routing platforms, such as Vamp
I have investigated all this in my new research note titled “How to Secure Docker Containers in Operation” and want to encourage Gartner clients to read it and engage with me to discuss the results.