Container technology, and a startup called Docker that has played the starring role in moving it forward, have recently burst onto the networking scene, grabbing a lot of attention and capturing some very respectable business. But one obstacle to container and Docker adoption becoming even more widespread has been the debate over the technology’s shortcomings in the area of security.
However, both Docker and other companies, like Twistlock, which just garnered $10 million in a Series A round, continue to innovate on the container security front.
In a recent email interview with me, Docker said that the Docker platform is the most secure container runtime available today (see chart below). Current versions of Docker (1.11 and later) support AppArmor, cryptographic image signing, end-to-end cryptographic signature validation, granular control through the use of cgroups, SELinux (mandatory access control), seccomp (syscall restrictions), and user namespaces (root in the container without privileges on the host).
At DockerCon 2016 this summer, Docker introduced Cryptographic Node Identity. With it, each node (machine) in a cluster has a unique identity, allowing for workload segregation. That means that payment card workloads could be dispatched only to certain machines that have undergone a rigorous auditing process, to take one use case as an example. At the Seattle event Docker also introduced a cluster management system that enables end-to-end encryption by default, mutual TLS authentication (to prevent man-in-the-middle attacks), and certificate rotation (to recover from compromised credentials).
“Criticisms of Docker security typically refer to very old versions of the Docker Engine (1H 2015),” the company added. “Docker has been focused over the last year on addressing the three key areas of container security: secure access, secure content, and secure platform. The isolation and containment features are not only built into the Docker Engine but also enabled out of the box. These features allow you to have trust over the origin of your content, reduce the attack surface area of the Linux kernel, improve the containment capabilities of the Docker Engine, and ultimately help you build, ship and run safer applications.”
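Several of the isolation features Docker lists above (seccomp, AppArmor, user namespaces, cgroups, unprivileged containers) are only protective when they are actually in effect for a given container. The following audit is an added example, not code from the article or from Docker: it reads the JSON that `docker inspect <container>` prints and reports which of those features are missing. The two inspect records are constructed for illustration; the field names (`HostConfig.SecurityOpt`, `HostConfig.UsernsMode`, `AppArmorProfile`, ...) are the ones `docker inspect` emits.

```python
"""Audit one container's `docker inspect` record for the isolation features
named in the article. Added example; the inspect records are constructed."""
import json

# Constructed record of a weakly configured container.
SAMPLE_INSPECT = json.dumps([{
    "Id": "constructed-example-id",
    "HostConfig": {
        "Privileged": False,
        "SecurityOpt": ["seccomp=unconfined"],  # syscall filter switched off
        "CapAdd": ["SYS_ADMIN"],                 # near-root capability added
        "UsernsMode": "host",                    # user-namespace remap disabled
        "Memory": 0, "PidsLimit": 0,             # no cgroup limits at all
    },
    "AppArmorProfile": "",                       # no MAC profile applied
}])

# Constructed record of the same container with the hardening in place.
HARDENED_INSPECT = json.dumps([{
    "Id": "constructed-example-id",
    "HostConfig": {
        "Privileged": False,
        "SecurityOpt": ["seccomp=default.json", "apparmor=docker-default"],
        "CapAdd": [], "UsernsMode": "private",
        "Memory": 268435456, "PidsLimit": 200,
    },
    "AppArmorProfile": "docker-default",
}])


def audit_container(inspect_json: str) -> list:
    """Return human-readable findings; an empty list means every check passed."""
    record = json.loads(inspect_json)[0]
    host = record.get("HostConfig", {})
    sec_opts = host.get("SecurityOpt") or []
    findings = []
    if host.get("Privileged"):
        findings.append("privileged: all host devices and capabilities exposed")
    if any(o.startswith("seccomp=unconfined") for o in sec_opts):
        findings.append("seccomp: syscall restrictions disabled (seccomp=unconfined)")
    if not record.get("AppArmorProfile") and not any(o.startswith("apparmor=") for o in sec_opts):
        findings.append("apparmor: no mandatory access control profile applied")
    if host.get("UsernsMode") == "host":
        findings.append("userns: container root maps directly to host root (--userns=host)")
    if "SYS_ADMIN" in (host.get("CapAdd") or []):
        findings.append("capabilities: CAP_SYS_ADMIN added, widens the kernel attack surface")
    if not host.get("Memory") and not host.get("PidsLimit"):
        findings.append("cgroups: no memory or PID limit, container can exhaust the host")
    return findings
```

An empty `UsernsMode` means the daemon default applies, so whether root is remapped then depends on how dockerd itself was started; this check only flags the explicit opt-out.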
As for Twistlock, it provides vulnerability management, access control, and runtime protection for containers, across the entire container lifecycle.
“Container management, networking support, and security all have room to innovate,” Twistlock Inc. CEO Ben Bernstein said in an interview with TMC earlier this year. “For container management, deploying of containers is being taken care of, but remediation, re-deploying of updated containers in a seamless workflow, is still challenging. Container networking support, especially in terms of policies, is fairly nascent. We obviously love the direction of container security innovation, and [are] happy to be one of the enablers. We think containers actually will have a profound impact on how security is achieved in the future – runtime security and software security are increasingly being blended together, which will actually make security more efficient and more effective.”
Edited by Stefania Viscusi