Gartner Gives Thumbs Up To Docker Security - InformationWeek



Docker containers isolate resources similar to Linux or virtual machine hypervisors, but fall short with management and administration, Gartner analyst says.


The logical resource boundaries established in Docker containers are almost as secure as those established by the Linux operating system or by a virtual machine, according to a report by Gartner analyst Joerg Fritsch.

However, Docker and Linux containers in general fall short when it comes to container management and administration, Fritsch said in his report, "Security properties of containers managed by Docker." That is, while a container ensures secure use of compute resources, the more mature system and administrative controls represented by a Xen, KVM, or VMware management system offer guarantees beyond proper compute resource utilization. The systems management that can be applied to virtual machines and operating systems grants visibility into operations, tracks changes, and can require proper authorization for certain actions.

The absence of such controls in today's container systems means container operations security can't be guaranteed. In that sense, VMware's warning that the only safe container is one operating in a virtual machine still applies. But the Gartner study suggests that at some point in the not-too-distant future, that dictum may no longer prove true.


Fritsch's key finding: "Containers managed by Docker are effective in resource isolation. They are almost on par with the Linux OS and hypervisors in secure operations management and configuration governance."

Another way of saying that is the server memory allocated to one container won't end up inadvertently being used by another container, and the same goes for other resources. That is, if the container formatting system sets logical limits and boundaries, they will be enforced by the Docker system.

At the same time, Fritsch added this warning: Docker containers "disappoint when it comes to secure administration and management and to support for common controls for confidentiality, integrity, and availability."

(Source: Charles LeBlanc)

That didn't prevent Fritsch from concluding that Docker containers are suitable for multi-tenant, platform-as-a-service type operations. PaaS is usually a development and test environment in the cloud used by developers from different and sometimes competing companies. Fritsch stopped short of saying containers were suitable in multi-tenant, infrastructure-as-a-service operations. In such a setting, it's understood that one competitor's production applications and confidential data may be operating alongside a competitor's, and containers don't offer enough assurance that malicious code in one system won't be able to intrude on the operations of another.

"Linux containers are mature enough to be used as private and public PaaS," Fritsch wrote. But he added the warning, "In mixed environments -- across multiple trust levels, security zones, or potentially hostile tenants -- additional safeguards such as SELinux should be configured." SELinux (Security-Enhanced Linux) limits an application's access to files and network resources. The application may access only the minimum required to do its work, and it will be cut off from other resources if renegade code in the application instructs it to access them.
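As an added illustration that is not part of the article or the Gartner report, the checks below read a container's configuration in the shape `docker inspect` prints and flag the settings that undercut the two properties discussed above: the enforced resource boundary and the SELinux safeguard recommended for mixed-trust environments. The sample configuration is constructed for the example; the field names (`HostConfig.Memory`, `HostConfig.SecurityOpt`, `HostConfig.Privileged`, `Config.User`, and so on) are the ones `docker inspect` uses.

```python
import json

# Constructed sample in the shape `docker inspect` prints (a JSON list); values are invented.
SAMPLE_INSPECT = json.dumps([{
    "Id": "constructed-example-id",
    "Config": {"User": ""},
    "HostConfig": {
        "Privileged": False,
        "Memory": 0,
        "PidsLimit": None,
        "SecurityOpt": ["label:disable"],
        "CapAdd": ["SYS_ADMIN"],
        "PidMode": "",
        "NetworkMode": "bridge",
    },
}])


def assess_container(entry):
    """Return findings for one container entry: each names a setting that weakens
    the resource boundary the report credits Docker with, or the SELinux safeguard
    it recommends for mixed-trust environments. Empty list means nothing flagged."""
    host = entry.get("HostConfig") or {}
    cfg = entry.get("Config") or {}
    findings = []
    # Resource boundaries: 0 or None means "no limit", so the kernel enforces nothing.
    if not host.get("Memory"):
        findings.append("no memory limit: container can exhaust host memory")
    if not host.get("PidsLimit"):
        findings.append("no pids limit: container can exhaust host process table")
    # Mandatory access control: Docker applies an SELinux label unless told not to.
    sec_opts = host.get("SecurityOpt") or []
    if "label:disable" in sec_opts or "label=disable" in sec_opts:
        findings.append("SELinux labelling disabled for this container")
    # Holes in the logical boundary: privilege, extra capabilities, host namespaces.
    if host.get("Privileged"):
        findings.append("privileged: full host device and capability access")
    if host.get("CapAdd"):
        findings.append("extra capabilities added: " + ",".join(host["CapAdd"]))
    if host.get("PidMode") == "host" or host.get("NetworkMode") == "host":
        findings.append("shares a host namespace (pid or network)")
    if not cfg.get("User"):
        findings.append("runs as root inside the container")
    return findings


def assess_inspect_output(raw_json):
    """Map container Id -> findings for the whole `docker inspect` JSON text."""
    return {c["Id"]: assess_container(c) for c in json.loads(raw_json)}
```

Feeding the real output of `docker inspect` on a host into `assess_inspect_output` gives a quick per-container view of which of the report's safeguards are actually in place.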

The Gartner report takes a step toward confirming that Linux containers in general, and Docker in particular, are not only lighter-weight forms of application isolation than virtual machines, but secure ones as well, as far as internal operations for a given operating system are concerned. They're lighter weight because they share the host server's operating system's kernel. In a virtual machine, each application is combined with its own operating system. As a result, powerful servers that can run dozens of virtual machines can run hundreds of containers, resulting in greater compute density.

Fritsch recommended that Docker users realize they're venturing onto new territory in large-scale container operations. "Recognize the inherent complexity and evolving art," he advised. Start with limited, basic deployments and let some de facto standards for container management emerge. Software-defined networking will also require standards for working with containers to ensure secure operations.

The Docker Platform, Google's Kubernetes open source project, and CoreOS's open source Rocket project may all contribute to future container administration and management, but they are also young initiatives.

In the meantime, container users can set boundaries on what tenants in a multi-tenant cloud environment might do while accessing a container host by relying on nsenter, a tool that limits interactions between a tenant and the tenant's containers. Currently, other methods are used as approximate ways of limiting tenant access, with varying drawbacks and results, wrote Fritsch.

Apache Mesos can be used for deploying and managing containers at scale, he said. Mesos is open source code for running a cluster hosting containers.

Container security remains a hot topic, as companies consider their potential for running production systems. The many shared resources, particularly the host operating systems that containers use, make any flaw in their operations a potentially great security exposure. In November, a flaw was discovered in previous versions of Docker that allowed malicious code to gain unassigned privileges and pull files it wasn't meant to see. The only way to correct the problem was to upgrade to the latest version of Docker.


Charles Babcock is an editor-at-large for InformationWeek and author of Management Strategies for the Cloud Revolution, a McGraw-Hill book. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive ... View Full Bio

User Rank: Ninja
1/20/2015 | 8:14:42 AM
Re: Not the final word, but a step in the direction of full confidence
@warateck, to answer the question of thinking that portable secure containers are a good way to run your apps in the cloud I'm going to go with yes, but with the understanding that it's not a set it and forget it situation.  As the blog post mentioned VM hypervisors aren't perfect either but we trust them because we know the most likely methods of compromising them and we take actions to prevent that.  Using Docker to build your app and push it out to the cloud should be treated the same way.  If you build your app then never do any checking up on it, and ignore vulnerability reports then you're no better off but if you keep those things in mind as Gartner reported it can be safe.
User Rank: Apprentice
1/19/2015 | 5:50:49 AM
Re: Not the final word, but a step in the direction of full confidence
Charlie as you say here, and also one of the issues not discussed in the Gartner report, is that Docker does not limit access to root processes or system vulnerabilities. In other words, application security controls are still necessary when using containers. One way to address this problem is to put Runtime Application Self-Protection (RASP) inside the container. This enables an approach we call Bring Your Own Security (BYOS), since security controls follow the applications regardless of where they are deployed and performs activity monitoring, policy enforcement and attack blocking at runtime. It enables organizations to protect applications in the cloud and containers against exploits that target vulnerabilities in third party libraries and malicious activity including SQL Injection, abnormal file manipulation or unexpected network connections. Do you think that portable secure containers are a good way to provide confidence when running your apps on the cloud?
User Rank: Strategist
1/14/2015 | 9:04:07 PM
How big a worry is management
@Charles: The Gartner analyst notes "Docker and Linux containers in general fall short when it comes to container management and administration."

In light of that, what advice do you have for enterprise users as they consider their options?
Charlie Babcock,
User Rank: Author
1/14/2015 | 2:12:25 PM
Not the final word, but a step in the direction of full confidence
This doesn't resolve the issue of container security once and for all, but it's a step in that direction. The formatting provides a strict logical boundary around the application and won't be violated, even though other applications are using shared memory on the same server.