Docker Security Journey


I always think of developers in the enterprise wanting to be able to use Docker as a kind of push-me-pull-you scenario with the business. Sure, use Docker without having to jump through hoops if you are a small start-up, but the larger the organisation, the more likely you are to be drowned in container goodness by attending the local Docker meetup.

With security concerns around containers, larger companies have a bit more pen-tapping to do when deciding whether container technology is a good idea, but last week Diogo Mónica blogged that Docker were deep in the process of addressing security concerns around containerisation with Docker:

As part of that process, Jérôme Petazzoni and I joined representatives from VMware, Rakuten, Cognitive Scale and International Securities Exchange to collaborate with the Center for Internet Security on a benchmark for Docker Engine 1.6. The CIS Security Benchmarks program provides well-defined, unbiased and consensus-based industry best practices to help organizations assess and improve their security. We believe that unbiased and community-driven benchmarks like this are important in providing a set of best practices and recommendations to configure your Linux host and the Docker Engine. Download the benchmark here:

I thought the collaboration partners mentioned above could put Docker on a trajectory to be used beyond the standard enterprise and into financial institutions; after all (and I know it is ‘just’ a collaboration), the International Securities Exchange are the guys that peddle those risky derivatives, security aside, risky at the best of times.

Whilst Docker are ramping up their efforts to reassure users on security, with doubtless many new announcements in the pipeline, InfoWorld reported on a company called Twistlock, which has come up with a security suite for containers. In talking about where Docker’s security deficiencies lie, InfoWorld wrote:

To counter this, Twistlock provides a slew of monitoring and auditing tools for containers. Aside from monitoring Docker images to identify possible risks, the host is also checked to ensure it meets certain “security baselines” (presumably similar to those outlined by Docker). Audit information can be generated about containers’ contents or about security measures being applied to them at runtime, and security policies can be configured for containers.

I can’t help thinking that the life of Twistlock will be very heavily dependent on Docker’s as yet unknown security offerings.

In the meantime Steven Vaughan-Nichols wrote a great article in ITWorld this week which looked at where the concerns actually lie, and it left me feeling a little petrified on behalf of some of the companies that are using container technology for their environments. The article describes how, whilst Docker isolates an application running in a container from the other processes on the host, root-level privileges inside a container are not as cleanly separated from those on the host as one might think:

…there are more ways to the daemon than from a container. Docker suggests that if you provision Docker containers using web services via an API, you should be extra careful about parameter checking. Since Docker, and other containers, are typically set up using Representational State Transfer (REST) application programming interfaces (APIs), that leaves a lot of potentially vulnerable attack surface for hackers. If you elect to do this, you must use secure-socket layer (SSL) web connections, and making the connection over a virtual private network (VPN) wouldn’t be amiss either.

It also goes on to speculate that before containers are truly ready for production, it could take a disaster or two to get there.
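The API-hardening advice in the ITWorld passage quoted above, turned into something you can run against your own hosts. This is an added example in Python, not code from the page, from Docker or from the ITWorld article: an audit routine that reads the daemon's listener settings either from a daemon.json-style dict or from the daemon's command line (the form Docker 1.6 used, via DOCKER_OPTS) and flags any TCP listener that does not require a verified client certificate. The option names (hosts/-H, tls, tlsverify, tlscacert, tlscert, tlskey) are Docker's real ones; the sample configurations and the paths under /etc/docker are constructed for illustration.

```python
"""Audit how a Docker daemon exposes its REST API.

Added example (not code from the page, Docker, or the ITWorld article).
It reads the daemon's settings either from a daemon.json-style dict or
from the daemon's command line, and flags TCP listeners that lack TLS
client-certificate verification, the case the quoted passage warns about.
"""
import shlex
from urllib.parse import urlsplit

# Option names match dockerd's own flags and daemon.json keys
# (--host/-H, --tls, --tlsverify, --tlscacert, --tlscert, --tlskey).
TLS_MATERIAL = ("tlscacert", "tlscert", "tlskey")
ALL_INTERFACES = {None, "", "0.0.0.0", "::"}
PLAINTEXT_PORT = 2375   # conventional unencrypted API port; 2376 is the TLS one


def _truthy(value) -> bool:
    """Accept the boolean forms seen in daemon.json and on the command line."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("1", "true", "yes")


def parse_daemon_cmdline(cmdline: str) -> dict:
    """Map a daemon command line ("docker -d ..." or "dockerd ...") onto the
    key names daemon.json uses, so one audit routine serves both forms."""
    cfg = {"hosts": []}
    args = shlex.split(cmdline)
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("-H", "--host") and i + 1 < len(args):
            cfg["hosts"].append(args[i + 1])
            i += 1
        elif arg.startswith("--host="):
            cfg["hosts"].append(arg.split("=", 1)[1])
        elif arg.startswith("--tls"):
            key, has_value, value = arg[2:].partition("=")
            cfg[key] = value if has_value else True
        i += 1
    return cfg


def audit_docker_api(cfg: dict) -> list:
    """Return findings as 'SEVERITY listener: message' strings; an empty
    list means every TCP listener requires a verified client certificate."""
    findings = []
    hosts = cfg.get("hosts") or []
    if isinstance(hosts, str):
        hosts = [hosts]
    tlsverify = _truthy(cfg.get("tlsverify", False))
    tls = tlsverify or _truthy(cfg.get("tls", False))

    for host in hosts:
        url = urlsplit(host)
        if url.scheme != "tcp":
            continue   # unix:// and fd:// sockets are guarded by file permissions
        if not tls:
            findings.append(f"CRITICAL {host}: API reachable over TCP with no TLS; "
                            "anyone who can connect controls the daemon, which runs as root")
        elif not tlsverify:
            findings.append(f"HIGH {host}: TLS encrypts the link but tlsverify is off, "
                            "so the daemon accepts any client without a certificate")
        if url.hostname in ALL_INTERFACES:
            findings.append(f"INFO {host}: bound on all interfaces; firewall it or "
                            "reach it only over a VPN")
        if tls and url.port == PLAINTEXT_PORT:
            findings.append(f"LOW {host}: TLS served on the conventional plaintext port "
                            f"{PLAINTEXT_PORT}; clients may assume it is unencrypted")

    if tlsverify:
        for key in TLS_MATERIAL:
            if not cfg.get(key):
                findings.append(f"MEDIUM {key}: not set, so the daemon falls back to the "
                                "default path under ~/.docker; set it explicitly")
    return findings


if __name__ == "__main__":
    # Constructed sample configurations, not captured from any real host.
    insecure = {"hosts": ["tcp://0.0.0.0:2375"]}
    hardened = {
        "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
        "tlsverify": True,
        "tlscacert": "/etc/docker/ca.pem",
        "tlscert": "/etc/docker/server-cert.pem",
        "tlskey": "/etc/docker/server-key.pem",
    }
    for name, cfg in (("insecure", insecure), ("hardened", hardened)):
        print(f"{name}: {audit_docker_api(cfg) or ['no findings']}")
```

The distinction the audit draws is the one that matters in practice: tls alone encrypts the connection, but only tlsverify makes the daemon demand a certificate signed by your CA before it will talk to a client, and since whoever talks to the daemon effectively has root on the host, "SSL" without client verification leaves the door open. The INFO finding on 0.0.0.0 binds is the article's VPN suggestion in checkable form.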
