Security questions recently have been raised about Docker, a promising technology for running applications in the cloud. Docker is an open source initiative that allows applications to be run in containers for flexibility and mobility only dreamt of in the past.
“Since the 70s, programmers have been talking about reusable code and the ability to migrate applications,” noted IDC analyst Al Gillen.
However, “that’s a dream that’s never been realized,” he told LinuxInsider.”One of the things that’s been the Holy Grail of application development for the last 40 years has been the ability to run an application on any device.”
Docker has the potential to do that.
“Docker is a way of packaging an application with all it needs to be operational, so it can be dropped into any environment running the Docker interface,” Gillen explained.
Security QuestionsBecause of its promise, Docker has been gaining tremendous momentum over the last 12 months.
“I’ve never seen so much industry excitement around something that was so new,” Gillen said.
However, if that excitement is to be translated into enterprise deployments, Docker will have to improve its security.
“Its security is not that bad, but it lacks secure management,” Gartner Security and Risk Management Research Director Joerg Fritsch told LinuxInsider.
“Containers managed by Docker are effective in resource isolation,” he wrote in a report on Docker security released last month, just before DockerCon EU in Amsterdam.
“They are almost on par with the Linux OS and hypervisors in secure operations management and configuration governance,” Fritsch pointed out. However, “they disappoint when it comes to secure administration and management, and to support for common controls for confidentiality, integrity and availability.”
Addressing security can be complicated. When a container is running on a local on-premises system, an enterprise can ensure that it’s behaving by its security rules. That’s not the case once the container is distributed in the cloud.
“To run a Docker package in a cloud provider, you have to ask a lot of questions,” said Nick Stamos, cofounder of nCrypted Cloud.
“The security gets a lot more complicated, especially in trying to deal with what the provider is doing and who you’re potentially sharing a machine with,” he told LinuxInsider.
It’s not surprising that new technology like Docker may not be four-square on security, but that’s likely to change.
“Containers don’t have built-in security elements, but that’s not to say that we’re not going to see that,” IDC’s Gillen said. “Because it’s seen as an impediment to growth, I suspect that we’ll see the industry address that sooner rather than later.”
Some movement already has been seen in that area. For example, Waratek makes a program called “Locker” that monitors activity between a Java application and the Java engine so infected apps can be shut down. Since around half of all Docker containers are running Java workloads, Locker can be a valuable tool for securing apps within a container.
“Docker provides the transport layer and standardization, and Locker inside the container makes the Java element secure,” Waratek CEO Brian Maccaba told LinuxInsider.
Another security solution for Docker was introduced Tuesday by CloudPassage. It has expanded its cloud security offering to cover containers, to give operators real-time visibility and comprehensive enforcement of security policies for virtual infrastructure at the container level.
“The folks at Docker have done a lot to reduce its attack surface by creating a very small container,” CloudPassage CTO Amrit Williams told LinuxInsider. “The issue isn’t so much Docker security as it is extending the visibility and control that folks in a large organization would have over Docker containers running in a production environment.”
A current problem with Docker is that it’s difficult to configure a container so it’s secure.
“What we want to make sure is that when we deploy thousands or tens of thousands of these containers, all of them are adhering to corporate policy as they’re configured,” Williams said.
“About 90 percent of external cyberattacks aren’t super sophisticated,” he added, “it’s that they take advantage of things that administrators could have done properly — for example, misconfigurations and not installing patches in time.”