As DevOps matures, enterprises need to put critical applications running in Docker containers into production. Security teams currently have a hard time deciding whether their Docker use case is ready to be operationalized. Is it a "go", a "no go", or do they need to implement additional controls before putting it into operation?
The answer depends on how you define security. If security for you is measured by isolation strength, then containers are not quite there yet: they share the host kernel and therefore segregate workloads less strongly than a VM does. If you take a step back, look at the bigger picture and consider the many places where security controls usually have to be applied, you come to interesting insights!
Applications deployed in containers are more secure than applications deployed on the bare OS
In short, despite the challenges, Gartner believes that one of the biggest benefits of containers is security. Gartner asserts that applications deployed in containers are more secure than applications deployed on the bare OS and, arguably, on a VM. Although containers will not prevent applications from being compromised, they greatly limit the damage of a successful compromise, because applications and users are isolated on a per-container basis so that they cannot compromise other containers or the host OS, as long as no kernel privilege escalation vulnerability exists on the host OS. That condition deserves emphasis: every container shares the host kernel, so the isolation is only as strong as the kernel's namespace, cgroup and capability boundaries and as the settings the container is started with (a privileged container, or one sharing host namespaces, gives up most of it).
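The caveat at the end of that paragraph is the one to operationalize: per-container isolation holds only if the container was started with the kernel boundaries intact. As an added example (not code from the original post or from Docker), the following Python reads the JSON that `docker inspect <container>` prints and lists the settings that hand a compromised process a path to the host: privileged mode, escape-capable capabilities, disabled seccomp/AppArmor, shared host namespaces, root inside the container, and a mounted Docker socket. The two records it audits are constructed for the example and trimmed to the fields the check reads; the field names are those of the real `docker inspect` output.

```python
"""Audit the isolation posture of containers from their `docker inspect` records.

Added example, not code from the original post or from Docker. It walks the
HostConfig / Config / Mounts fields that decide how much of the host a
compromised process could reach and returns one finding per weakening.
"""
import json

# Capabilities that let a process escape the container or control the host.
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN",
                  "DAC_READ_SEARCH", "SYS_RAWIO"}


def audit_container(rec: dict) -> list[str]:
    """Return the isolation weaknesses found in one `docker inspect` record."""
    host = rec.get("HostConfig") or {}
    cfg = rec.get("Config") or {}
    findings = []

    # --privileged hands the container every capability and every host device
    # and disables the default seccomp and AppArmor profiles.
    if host.get("Privileged"):
        findings.append("privileged container: full host device and capability access")

    # --cap-add of an escape-capable capability (SYS_ADMIN alone is enough to
    # mount host filesystems or abuse cgroups from inside the container).
    added = {c.upper().removeprefix("CAP_") for c in (host.get("CapAdd") or [])}
    for cap in sorted(added & DANGEROUS_CAPS):
        findings.append(f"dangerous capability added: {cap}")

    # --security-opt seccomp=unconfined / apparmor=unconfined drop the syscall
    # and MAC filters that stand between the process and the kernel attack surface.
    for opt in host.get("SecurityOpt") or []:
        if opt in ("seccomp=unconfined", "apparmor=unconfined"):
            findings.append(f"kernel attack surface filter disabled: {opt}")

    # --pid=host / --net=host / --ipc=host share a host namespace outright.
    for key, flag in (("PidMode", "--pid=host"), ("NetworkMode", "--net=host"),
                      ("IpcMode", "--ipc=host")):
        if host.get(key) == "host":
            findings.append(f"host namespace shared: {flag}")

    # No USER in the image and no --user: uid 0 in the container is uid 0 on the
    # host unless the daemon remaps user namespaces.
    user = str(cfg.get("User") or "")
    if user in ("", "0", "root") or user.startswith(("0:", "root:")):
        findings.append("runs as root inside the container")

    # Mounting the Docker socket or the host root is equivalent to root on the host.
    for m in rec.get("Mounts") or []:
        src = m.get("Source", "")
        if src == "/" or src.rstrip("/") in ("/var/run/docker.sock", "/run/docker.sock"):
            findings.append(f"host control surface mounted: {src} -> {m.get('Destination')}")

    return findings


def audit_inspect_output(text: str) -> dict[str, list[str]]:
    """`docker inspect` prints a JSON array; audit every record in it."""
    records = json.loads(text)
    if isinstance(records, dict):
        records = [records]
    return {r.get("Name", "?").lstrip("/"): audit_container(r) for r in records}


# Constructed sample records (trimmed `docker inspect` output), not captured data.
WEAK = {
    "Name": "/legacy-app",
    "Config": {"User": ""},
    "HostConfig": {"Privileged": False, "CapAdd": ["SYS_ADMIN"],
                   "SecurityOpt": ["seccomp=unconfined"], "PidMode": "host",
                   "NetworkMode": "bridge", "IpcMode": ""},
    "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                "Destination": "/var/run/docker.sock"}],
}
HARDENED = {
    "Name": "/api",
    "Config": {"User": "10001:10001"},
    "HostConfig": {"Privileged": False, "CapAdd": None, "CapDrop": ["ALL"],
                   "SecurityOpt": ["no-new-privileges"], "PidMode": "",
                   "NetworkMode": "bridge", "IpcMode": "private", "ReadonlyRootfs": True},
    "Mounts": [],
}
SAMPLE_INSPECT = json.dumps([WEAK, HARDENED])

if __name__ == "__main__":
    for name, findings in audit_inspect_output(SAMPLE_INSPECT).items():
        print(f"{name}: {'OK' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
```

Against live output, run `docker inspect $(docker ps -q) | python3 audit.py` after replacing `SAMPLE_INSPECT` with `sys.stdin.read()`; a finding from this check means the per-container isolation the paragraph relies on is not what actually stands between the application and the host.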
But the rabbit hole is very deep
The notion of "an application" is also very much in flux, from something monolithic that resides in a fixed spot to something distributed, elastic and dynamic. Docker is a great basis for microservice-based architectures, where an application is spread over several (many?) containers that need to communicate with each other. But what does that mean in terms of security?
Furthermore, what lives in a container is not some magically secure cargo but ordinary software, and security gaps are ultimately caused by flawed software. Docker and the third-party security vendors around it have recognized this and are starting to address the security of applications deployed in Docker containers during both the build phase and the run phase of the lifecycle.
But it goes even deeper: what about traditional network security? Load balancers? ADCs (application delivery controllers)?
Much of this is covered by startups. Startups to watch when it comes to securing Docker are
and microservice routing platforms, such as Vamp
I have investigated all this in my new research note titled “How to Secure Docker Containers in Operation” and want to encourage Gartner clients to read it and engage with me to discuss the results.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.