Gartner Report Evaluates Docker Container Security

Docker, a rapidly growing open-source application container project, is fairly secure overall despite a few shortcomings and a current drought of tools to deal with enterprise needs, according to a new research note from IT consultancy Gartner.

Joerg Fritsch, the author of the report “Security properties of Containers managed by Docker”, wrote in a blog post: “Security properties of containers are a largely unexplored field and there is a lot of controversial discussion about whether containers do contain or not.”

He notes that IT personnel may be motivated to highlight either Docker’s security strengths or its weaknesses.

Attempting an impartial viewpoint, he wrote that its “containers are mature enough to be used as private and public PaaS.”

According to Docker itself, Docker containers have security features similar to those of LXC containers. It recommends running processes inside containers as non-privileged users, so that root access is never granted, and limiting access to the Docker daemon.

Hardening solutions such as AppArmor, SELinux and GRSEC are also available, and security features from other containerization systems can be applied to Docker as well, since all of them are provided by the kernel.

Fritsch recommends using SELinux and AppArmor to run Docker.
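To make those three recommendations concrete, here is an added audit script (not part of the Gartner report or of Docker’s own tooling) that reads the JSON `docker inspect` produces and flags containers running as root, running privileged, mounting the daemon socket, or lacking an AppArmor profile; the two container records below are constructed samples carrying only the fields the checks use.

```python
import json

# Constructed sample shaped like `docker inspect` output (trimmed to the
# fields audited here): one well-configured container, one that is not.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "AppArmorProfile": "docker-default",
     "Config": {"User": "app"},
     "HostConfig": {"Privileged": False, "Binds": []}},
    {"Name": "/ci-runner", "AppArmorProfile": "",
     "Config": {"User": ""},
     "HostConfig": {"Privileged": True,
                    "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]}},
])

DOCKER_SOCKET = "/var/run/docker.sock"


def audit_container(c):
    """Return a list of findings for one container record."""
    findings = []
    user = c.get("Config", {}).get("User", "")
    # An empty User means the image default, which is root unless the
    # Dockerfile set USER; "0" or "root" is explicit root.
    if user in ("", "0", "root") or user.startswith("0:"):
        findings.append("runs as root: set a non-privileged USER")
    host = c.get("HostConfig", {})
    if host.get("Privileged"):
        findings.append("privileged: most kernel isolation is disabled")
    for bind in host.get("Binds") or []:
        # A bind of the daemon socket hands the container full control
        # of the Docker daemon on the host.
        if bind.split(":")[0] == DOCKER_SOCKET:
            findings.append("daemon socket mounted: grants Docker daemon access")
    # Docker reports the applied AppArmor profile here on AppArmor hosts;
    # on SELinux hosts, HostConfig.SecurityOpt carries the label instead.
    if not c.get("AppArmorProfile"):
        findings.append("no AppArmor profile applied")
    return findings


def audit(inspect_json):
    """Map container name -> findings for every record in inspect JSON."""
    return {c["Name"]: audit_container(c) for c in json.loads(inspect_json)}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Run against live output with `docker inspect $(docker ps -q)` piped into `audit`.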

Fritsch notes, however, that Docker has shortcomings around secure administration and management, and that common controls for confidentiality, integrity and availability would be ideal.

Additionally, he notes that running Docker within a guest server on top of a hypervisor adds resource isolation but doesn’t necessarily make things more secure. Furthermore, this adds complexity which needs to be managed separately and could make things like software-defined networking difficult.

Other shortcomings stem from the immaturity of the tool ecosystem: he notes a lack of tools for encryption at the container level, the absence of live migration tools (such as those in Parallels’ Virtuozzo), and that security companies aren’t offering endpoint protection for containers.

An article from news site The Register notes that Fritsch gave Docker an overall positive review, but that enterprise users (as well as infosec and governance professionals) will want to see some of these shortcomings disappear in 2015.

Launched in March 2013, Docker has been wildly popular as a way to help developers package their applications to run on a range of server and cloud environments. And in less than two years, it has become widely used by organizations transitioning their existing applications to the cloud.

Many service providers have tailored their services around Docker. For instance, last week, backup and recovery software provider Asigra extended enterprise-class cloud backup to Docker-packaged applications. Additional security could be another major area for developers to expand the open-source Docker platform.
