NFV Projects & Standards NEWS

What's New in Container Security

By Paula Bernier July 08, 2016

Container technology, and a startup called Docker that has played the starring role in moving it forward, have recently blasted on to the networking scene to grab a lot of attention and capture some very respectable business. But one of the challenges to container and Docker adoption becoming even more widespread has been discussion about the technology’s shortcomings in the area of security.

However, both Docker and other companies, like Twistlock, which just garnered $10 million in a Series A round, continue to innovate on the container security front.

In a recent email interview with me, Docker said that the Docker platform is the most secure container runtime available today (see chart below). Current versions of Docker (1.11 and later) support AppArmor, cryptographic image signing, end-to-end cryptographic signature validation, granular control through the use of cgroups, SELinux (mandatory access control), seccomp (syscall restrictions), and user namespaces (root in the container without privileges on the host). 

At DockerCon 2016 this summer, Docker introduced Cryptographic Node Identity. With it, each node (machine) in a cluster has a unique identity,  allowing for workload segregation. That means that payment card workloads could be dispatched to only certain machines that have undergone a rigorous auditing process, as one use case example. Docker at the Seattle event also introduced a cluster management system that enables end-to-end encryption by default, mutual TLS authentication (to prevent against man-in-the-middle attacks), and certificate rotation (to recover from compromised credentials).

“Criticisms of Docker security typically refer to very old versions of the Docker Engine (1H 2015),” the company added. “Docker has been focused over the last year on addressing the three key areas of container security: secure access, secure content, and secure platform. The isolation and containment features are not only built into the Docker Engine but also enabled out of the box. These features allow you to have trust over the origin of your content, reduce the attack surface area of the Linux kernel, improve the containment capabilities of the Docker Engine, and ultimately help you build, ship and run safer applications.”

As for Twistlock, it provides vulnerability management, access control, and runtime protection for containers, across the entire container lifecycle.  

“Container management, networking support, and security all have room to innovate,” Twistlock Inc. CEO Ben Bernstein said in an interview with TMC earlier this year. “For container management, deploying of containers is being taken care of, but remediation, re-deploying of updated containers in a seamless workflow, is still challenging. Container networking support, especially in terms of policies, is fairly nascent. We obviously love the direction of container security innovation, and [are] happy to be one of the enablers. We think containers actually will have a profound impact on how security is achieved in the future – runtime security and software security are increasingly being blended together, which will actually make security more efficient and more effective.” 




Edited by Stefania Viscusi

Executive Editor, TMC

SHARE THIS ARTICLE
Related Articles

What's New in Container Security

By: Paula Bernier    7/8/2016

In a recent email interview with me, Docker said that the Docker platform is the most secure container runtime available today (see chart below). Curr…

Read More

ADVA's Latest Demarcation Products Pass EANTC Interoperability Testing

By: Christopher Mohr    3/16/2016

ADVA recently announced that several of its demarcation technology and synchronization equipment products passed interoperability testing conducted by…

Read More

Linux Foundation's OPEN-O to Create Framework and Orchestration for NFV & SDN

By: Paula Bernier    2/25/2016

The Linux Foundation this week announced its intention to develop an open source framework and orchestration for network functions virtualization and …

Read More

DartPoints Picks ADVA for NFV

By: Paula Bernier    2/23/2016

A month after announcing the acquisition of Overture, and a week after announcing the launch of a new division and product suite focused on NFV, ADVA …

Read More

A New Open Source Approach to NFV With ETSI

By: Steve Anderson    2/22/2016

Network functions virtualization (NFV) has seen plenty of growth in a very short time, and now, thanks to a new development from the European Telecomm…

Read More