Docker Tightens Security Over Container Vulnerabilities - InformationWeek



Docker unveils three ways to make containers more secure, especially when code is changed during its update cycle.


Docker has added hardware-backed signing for developers of container images and updates, using the YubiKey, a USB device, so that the code they push to a repository arrives intact and untampered with.

It was one of three major container security improvements added to the Docker Platform announced November 16 and 17 at DockerCon Europe in Barcelona.

Docker has already implemented The Update Framework (TUF), a method of confirming that the digital signature on a container image in a repository matches the signature on the code arriving at an enterprise's Docker system. TUF is more robust than plain public-key signing because it can restore the security system's integrity even if the signing server is compromised. Docker calls its system Docker Content Trust.
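The two TUF properties the paragraph leans on, a signature threshold over the image metadata and an offline root key that can re-issue the trusted key set after a signing server is compromised, are easiest to see in code. The following is an added illustration written for this page; it is not Docker's or Notary's code and does not use their metadata format. The root/targets structures, the canonical byte encodings, the key IDs (hex SHA-256 of the public key), and the image tag and digest values are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Toy model of TUF-style metadata (constructed for this example, not Docker's
// or Notary's format). Two mechanisms carry the security argument: a
// threshold of signatures on the "targets" role, and an offline root key that
// alone may change which targets keys are trusted.

// keyID names a public key in metadata by the hex SHA-256 of its bytes.
func keyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Targets binds an image tag to the digest of its manifest; Sigs holds one
// signature per signing key, indexed by key ID.
type Targets struct {
	Tag    string
	Digest string
	Sigs   map[string][]byte
}

// Bytes is the canonical form that gets signed (toy encoding).
func (t Targets) Bytes() []byte { return []byte("targets|" + t.Tag + "|" + t.Digest) }

// Root is the trusted targets key set plus the number of distinct valid
// signatures a client must see. Only the root key signs it.
type Root struct {
	Version   int
	Threshold int
	Keys      map[string]ed25519.PublicKey // key ID -> public key
	RootSig   []byte
}

// Bytes is the canonical, deterministically ordered form the root key signs.
func (r Root) Bytes() []byte {
	ids := make([]string, 0, len(r.Keys))
	for id := range r.Keys {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	return []byte(fmt.Sprintf("root|%d|%d|%s", r.Version, r.Threshold, strings.Join(ids, ",")))
}

// verifyRoot checks a (possibly new) root against the root public key the
// client already trusts. A signing-server key cannot produce a valid root.
func verifyRoot(trustedRoot ed25519.PublicKey, r Root) bool {
	return ed25519.Verify(trustedRoot, r.Bytes(), r.RootSig)
}

// verifyTargets counts valid signatures from distinct keys listed in root;
// signatures by unknown or revoked keys are ignored, not rejected loudly.
func verifyTargets(root Root, t Targets) bool {
	valid := 0
	for id, sig := range t.Sigs {
		if pub, ok := root.Keys[id]; ok && ed25519.Verify(pub, t.Bytes(), sig) {
			valid++
		}
	}
	return valid >= root.Threshold
}

// sign returns a copy of t carrying a signature from each given key.
func sign(t Targets, keys ...ed25519.PrivateKey) Targets {
	t.Sigs = map[string][]byte{}
	for _, k := range keys {
		t.Sigs[keyID(k.Public().(ed25519.PublicKey))] = ed25519.Sign(k, t.Bytes())
	}
	return t
}

// Outcome records what a client would accept at each step of the scenario.
type Outcome struct {
	Genuine, Tampered, SingleKeyForgery             bool
	RotatedRootValid, ForgedRootValid               bool
	ReSignedAfterRotation, CompromisedAfterRotation bool
}

func scenario() Outcome {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader) // kept offline
	aPub, aPriv, _ := ed25519.GenerateKey(rand.Reader)       // online signing server
	bPub, bPriv, _ := ed25519.GenerateKey(rand.Reader)       // developer-held key
	cPub, cPriv, _ := ed25519.GenerateKey(rand.Reader)       // replacement for A

	root1 := Root{Version: 1, Threshold: 2, Keys: map[string]ed25519.PublicKey{keyID(aPub): aPub, keyID(bPub): bPub}}
	root1.RootSig = ed25519.Sign(rootPriv, root1.Bytes())

	// Constructed tag and digest; a real digest is the SHA-256 of the manifest.
	img := Targets{Tag: "library/ubuntu:15.10", Digest: "sha256:" + strings.Repeat("ab", 32)}
	genuine := sign(img, aPriv, bPriv)

	var o Outcome
	o.Genuine = verifyRoot(rootPub, root1) && verifyTargets(root1, genuine)

	tampered := genuine
	tampered.Digest = "sha256:" + strings.Repeat("cd", 32) // swapped in transit
	o.Tampered = verifyTargets(root1, tampered)            // old signatures no longer match

	// Attacker holding only key A (the signing server): one signature < threshold 2.
	o.SingleKeyForgery = verifyTargets(root1, sign(tampered, aPriv))

	// Recovery: the offline root key issues root v2 that replaces A with C.
	root2 := Root{Version: 2, Threshold: 2, Keys: map[string]ed25519.PublicKey{keyID(bPub): bPub, keyID(cPub): cPub}}
	root2.RootSig = ed25519.Sign(rootPriv, root2.Bytes())
	o.RotatedRootValid = verifyRoot(rootPub, root2)

	// The attacker cannot publish a root of their own: it lacks the root key's signature.
	forged := Root{Version: 3, Threshold: 1, Keys: map[string]ed25519.PublicKey{keyID(aPub): aPub}}
	forged.RootSig = ed25519.Sign(aPriv, forged.Bytes())
	o.ForgedRootValid = verifyRoot(rootPub, forged)

	o.ReSignedAfterRotation = verifyTargets(root2, sign(img, bPriv, cPriv))
	o.CompromisedAfterRotation = verifyTargets(root2, sign(tampered, aPriv)) // A is now worthless
	return o
}

func main() {
	fmt.Printf("%+v\n", scenario())
}
```

Real TUF metadata also carries expiry times and a snapshot/timestamp role to stop replay of stale but validly signed metadata; the model above omits those to keep the threshold-and-rotation argument in view.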

At DockerCon in Barcelona, Docker announced a new layer in this code- and identity-verification process. Developers and system administrators can plug a keychain fob, the YubiKey 4, into the USB port of their laptop or workstation and use it to attach their unique identifier to the container. As the code moves along its journey to a production system, that identifier continually assures the recipient that only the intended hands have touched the code.

Yubico's YubiKey 4 is the current state of the art.

Its two-factor authentication requires the device to recognize the user's fingerprint before it will issue the user identification to a containerized application, said Scott Johnston, senior vice president of product at Docker. Even if a developer's YubiKey were lost or stolen, it would be worthless without the correct fingerprint.

(Image: Wavebreak/iStockphoto)

Two-factor authentication makes it extremely difficult for someone to abduct code in transit or spoof it to deliver malware to the intended recipient, Johnston said.

In another move, Docker has added image scanning to the Docker Hub.

As users assemble container workloads from source code in publicly available repositories such as Ubuntu's, Docker image scanning checks that code for its release number and for known vulnerabilities. If the release has known vulnerabilities, both the downloader and the supplier are notified, and the supplier is expected to fix it.
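The core of that check is a comparison of each installed package's release number against the release in which a known flaw was fixed. The Go program below is an added example for this page, not Docker Hub's scanner: the package list, the advisory entries and their EXAMPLE-ADV identifiers are constructed placeholders, and the version comparison is a simplification of the dpkg algorithm (digit runs compared numerically, everything else lexically; no epochs or tilde handling).

```go
package main

import (
	"fmt"
	"strconv"
)

// Added example, not Docker Hub's scanner. Inputs are constructed and the
// advisory IDs are placeholders, not real CVE numbers.

type Package struct{ Name, Version string }

type Advisory struct {
	ID      string // placeholder identifier
	Package string
	FixedIn string // first release that is no longer affected
}

type Finding struct {
	Advisory  Advisory
	Installed string
}

func isDigit(c byte) bool { return c >= '0' && c <= '9' }

// tokenize splits a version into alternating runs of digits and non-digits,
// so "1.0.1f-1ubuntu2" becomes 1 . 0 . 1 f - 1 ubuntu 2.
func tokenize(s string) []string {
	var toks []string
	start := 0
	for i := 1; i <= len(s); i++ {
		if i == len(s) || isDigit(s[i]) != isDigit(s[start]) {
			toks = append(toks, s[start:i])
			start = i
		}
	}
	return toks
}

// compareVersions returns -1, 0 or 1. Digit runs compare numerically (so
// "10" > "9"), other runs lexically. Simplified: a real scanner must use the
// distribution's own comparison (dpkg, rpm), which also knows epochs and '~'.
func compareVersions(a, b string) int {
	ta, tb := tokenize(a), tokenize(b)
	for i := 0; i < len(ta) && i < len(tb); i++ {
		if ta[i] == tb[i] {
			continue
		}
		na, ea := strconv.Atoi(ta[i])
		nb, eb := strconv.Atoi(tb[i])
		if ea == nil && eb == nil {
			if na < nb {
				return -1
			}
			return 1
		}
		if ta[i] < tb[i] {
			return -1
		}
		return 1
	}
	// All shared tokens equal: the version with more tokens is the newer one.
	switch {
	case len(ta) < len(tb):
		return -1
	case len(ta) > len(tb):
		return 1
	}
	return 0
}

// scan reports every installed package whose version is older than the
// advisory's FixedIn. Packages not present in the image produce no finding.
func scan(pkgs []Package, advisories []Advisory) []Finding {
	byName := map[string]string{}
	for _, p := range pkgs {
		byName[p.Name] = p.Version
	}
	var out []Finding
	for _, adv := range advisories {
		if v, ok := byName[adv.Package]; ok && compareVersions(v, adv.FixedIn) < 0 {
			out = append(out, Finding{Advisory: adv, Installed: v})
		}
	}
	return out
}

// Constructed sample: a package list as it might be read out of an image.
var samplePackages = []Package{
	{"openssl", "1.0.1f-1ubuntu2"},
	{"bash", "4.3-7ubuntu1"},
	{"curl", "7.35.0-1ubuntu2"},
}

// Constructed sample advisories with placeholder IDs.
var sampleAdvisories = []Advisory{
	{"EXAMPLE-ADV-0001", "openssl", "1.0.1g-1"},       // installed 1.0.1f is older: finding
	{"EXAMPLE-ADV-0002", "bash", "4.3-9ubuntu1"},      // installed -7 is older than -9: finding
	{"EXAMPLE-ADV-0003", "curl", "7.35.0-1ubuntu2"},   // installed equals FixedIn: no finding
	{"EXAMPLE-ADV-0004", "zlib", "1.2.8-1"},           // not installed: no finding
}

func main() {
	for _, f := range scan(samplePackages, sampleAdvisories) {
		fmt.Printf("%s: %s %s is affected, fixed in %s\n", f.Advisory.ID, f.Advisory.Package, f.Installed, f.Advisory.FixedIn)
	}
}
```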

With image scanning, "IT organizations can rely on Official Repos (like the Ubuntu repository) as a curated source for secure, high integrity content," Johnston said.

Previously a system admin would have to know what information on vulnerabilities had been published by each Linux distributor and other sources of online code. With Docker Hub providing scans, independent software vendors can now deliver what recipients will regard as secure content because the code origins have been confirmed. The Docker Hub downloads approximately 4,000 containers a minute.


In a third security improvement, Docker's latest 1.9 Experimental release (the early preview version) enables operations managers to assign privileges by user group for each container. For the first time, the containers have been separated from root access on the host. Only the Docker daemon has root access, and that access to the Docker daemon can be restricted to a defined set of system administrators.

In the past, each container had root access to the host, meaning it could access all the host's resources if its code instructed it to do so. By using Linux namespaces to separate the container from the Docker daemon, this old vulnerability in container operations is walled off from further mischief.
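The mechanism behind that separation is the kernel's per-namespace UID map: a container's UID 0 is translated to an ordinary, unprivileged UID on the host, so root inside the container owns nothing that root on the host does. The Go program below is an added example, not Docker's code; it parses the kernel's uid_map format (one "container-ID host-ID count" line per range, as in /proc/<pid>/uid_map) and translates container UIDs to host UIDs. The two sample maps are constructed: an identity map standing for a daemon with no remapping, and a two-range remapped map of the kind a subordinate UID range in /etc/subuid produces (split into two lines here to exercise multi-range parsing).

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Added example (not Docker's code): parse the kernel uid_map format used by
// user namespaces and translate container UIDs into the host UIDs the kernel
// actually enforces.

type idRange struct{ inside, outside, count uint64 }

// parseIDMap parses uid_map/gid_map text. Blank lines are skipped; a malformed
// line is an error rather than a silently dropped range.
func parseIDMap(text string) ([]idRange, error) {
	var ranges []idRange
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) == 0 {
			continue
		}
		if len(f) != 3 {
			return nil, fmt.Errorf("uid_map: expected 3 fields, got %q", sc.Text())
		}
		var v [3]uint64
		for i, s := range f {
			n, err := strconv.ParseUint(s, 10, 32)
			if err != nil {
				return nil, fmt.Errorf("uid_map: bad field %q: %w", s, err)
			}
			v[i] = n
		}
		ranges = append(ranges, idRange{inside: v[0], outside: v[1], count: v[2]})
	}
	return ranges, nil
}

// hostUID maps a UID as seen inside the container to the UID on the host.
// ok is false when the container UID falls outside every range: the kernel
// then refuses to switch to it, and such IDs are shown as the overflow UID.
func hostUID(m []idRange, containerUID uint64) (uint64, bool) {
	for _, r := range m {
		if containerUID >= r.inside && containerUID < r.inside+r.count {
			return r.outside + (containerUID - r.inside), true
		}
	}
	return 65534, false // kernel default overflowuid
}

// Constructed sample maps. identityMap is what a container gets without
// remapping: container root is host root. remapMap is the shape produced by a
// subordinate range such as "dockremap:100000:65536", split into two ranges
// here to show that multi-line maps are handled.
const identityMap = "0 0 4294967295\n"
const remapMap = "0 100000 1000\n1000 201000 64536\n"

func main() {
	for name, text := range map[string]string{"identity": identityMap, "remap": remapMap} {
		m, err := parseIDMap(text)
		if err != nil {
			panic(err)
		}
		for _, uid := range []uint64{0, 33, 1000, 70000} {
			h, ok := hostUID(m, uid)
			fmt.Printf("%-8s container uid %5d -> host uid %6d (mapped=%v)\n", name, uid, h, ok)
		}
	}
}
```

With the remapped table, a file written by container root shows up on the host as owned by UID 100000, which holds no privilege there; the unmapped UID 70000 cannot be assumed inside the container at all.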

In addition, IT operations can establish granular access-control rights, giving explicit permission to certain departments or teams to use certain Dockerized services. This new control prevents one organization from inadvertently being given control over another organization's application services, Johnston said.


Charles Babcock is an editor-at-large for InformationWeek and author of Management Strategies for the Cloud Revolution, a McGraw-Hill book. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive ...

Charlie Babcock, User Rank: Author
11/17/2015 | 1:02:28 PM
Code in motion, accompanied by good security
Software security is not just the protection of running systems from intrusions. It's also the protection of code on its journey to becoming a production system. Nowadays, that can be a journey of many miles across continents instead of just across the data center. And Docker is showing it understands how to radically improve protection of code in motion.
