Asking a security expert about all of the potential security exploits that might exist in your production systems is like watching the movie Jaws immediately prior to taking a dip in the ocean: It's going to fill your head with irrational fears and make you gun-shy about pulling the trigger on a completely safe, secure and rational new approach to software acquisition and application development.
I made this mistake while talking to vendors about Docker security at DockerCon 2016, with Elijah Zupancic, director of solutions engineering at Joyent Inc., based in San Francisco, providing a soundtrack to the software security horror story.
Docker itself is secure, and properly using container namespacing and other standard techniques makes it even more so. But that doesn't mean the software being containerized is solid. Where are you pulling your libraries from? Are those open source libraries secure? Are they vulnerable to man-in-the-middle attacks? These are just some of the fundamental questions Zupancic said all software developers should be asking themselves, regardless of how they are packaging their applications. But the issue becomes even more complex the deeper one delves into the container world.
Out with the old, in with the new
One of the Docker security problems -- especially when deploying to a swarm of clustered or networked containers -- is that traditional approaches to software security either don't work, are untested or need to be reworked to fit into this new production container model. "No one has really figured out how intrusion defense systems, intrusion prevention systems and firewalls fit in with containerization technologies," Zupancic said. "Those previous security models don't fit anymore, so there's a lot of concern there."
Even the task of patching a highly automated, container-based deployment model can be daunting. "How do you patch zero-day exploits? What is the process to get that fix out there when there might be hackers knocking at the door?" Zupancic asked. Further compounding the operational issues is the fact that some companies are actually nesting containers within containers -- and even if that hall-of-mirrors type of insanity isn't happening, most hosting platforms deploy containers onto virtual machines, which themselves can have vulnerabilities.
Of course, all is not lost in the world of Docker security. The exhibition hall at DockerCon is replete with vendors who have their own unique approaches to enhancing Docker security. One of the best tools to have been previewed is IBM's Vulnerability Advisor, which not only identifies security issues that may arise from the way software is packaged within a Docker container, but also has the ability to enforce secure software policies, such as the length and strength of passwords used within the container itself.
Not surprisingly, Joyent's Triton platform addresses this vast swath of container security concerns in a variety of unique ways -- one of which is by not running Linux, a path that is certainly a departure from the norm at DockerCon.
"We are not running Linux. Our kernel is a derivative of Illumos, which is a fork of OpenSolaris," Zupancic said. "And we adopted a containerization technology that is quite mature. We've been using it in production for eight years, hosting a multi-tenant cloud." Beyond that, Triton uses a variety of techniques that provide optimum security through zone-based isolation. Triton's containerization technology also runs on bare metal, eliminating the need for a virtualized operating system, which not only eliminates any VM-based vulnerabilities, but also enhances performance by eliminating the need to use hypervisors.
Security is obviously an important issue, and no other requirement has more potential to thwart the adoption of a technology than concerns over its potential to be compromised. But given the focus at DockerCon 2016 on this important, nonfunctional requirement, it's obvious that by performing the requisite due diligence, organizations should have no problem finding a secure platform for their Docker deployments.