Docker security updates aim to sway IT pros

Docker has added greater control for IT ops and new container security tools, along with its containers as a service offering.

Building on the tremendous momentum among developers for its open source container project, Docker put its focus on IT operations, as it aims to be an end-to-end provider for the enterprise market.

Docker Inc. released a series of enhancements this week at its DockerCon developer conference in Barcelona, Spain, aimed at lifecycle management of distributed applications, including new security features and a control plane that puts the company in the increasingly crowded containers as a service space.

The primary focus of Docker has been on the developer so far, so it's interesting to see so much attention being paid to IT operations, said Jay Lyman, research manager at 451 Research LLC in New York. It also points to some degree of maturation in the market, as Docker has more and more interactions with large enterprises and potential customers.

"It's Docker addressing more of that enterprise IT shop operations and central IT teams, as they contemplate application containers in a sanctioned way -- in a way that meets all the different compliance and security requirements," Lyman said.

Docker is doing what it needs to address enterprises' security concerns, but there's still a long way to go before containers are seen as being as secure as VMs, especially for multi-tenancy, Lyman said.

"There's a high bar for containers to meet, given the tooling and management and security, and also the credibility that exists around VMs," Lyman said. "Enterprises aren't foolish, but I think there's an expectation that containers have nearly all or all of the capability features and security enhancements that VMs do, and the fact of the matter is they just don't."

Docker security tools center on hardware

Among the new features is hardware signing, which works across any infrastructure and allows for the digital signature of code during development and subsequent updates. It builds on the Docker Content Trust framework for image-publisher verification, along with new image scanning and vulnerability detection of official repos for better understanding of what is inside a container.

Namespaces were another Docker security update rolled out this week. They allow IT operations to assign privileges to containers based on user groups, which restricts root access on the host to designated system administrators and limits each group's access to designated services.

Image scanning is available for all official repos on Docker Hub, while namespaces and hardware signing are available in Docker's experimental channel.
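As an added example (not Docker's code and not part of the original article), the following POSIX shell check reads a kernel uid_map and reports whether root inside a container is remapped to an unprivileged host UID, which is the property the namespace feature above is meant to provide; the two sample maps are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not Docker's code: decide whether root inside a container is
# remapped to an unprivileged host user, using the uid_map format the kernel
# exposes in /proc/<pid>/uid_map for user namespaces. Each line reads:
#   <first uid inside the namespace> <first uid on the host> <count>

# map_uid MAP_TEXT INSIDE_UID: prints the host UID, or "unmapped" if the
# inside UID falls outside every range in the map.
map_uid() {
    inside="$2"
    result=$(printf '%s\n' "$1" | while read -r in_start out_start count; do
        [ -z "$in_start" ] && continue
        if [ "$inside" -ge "$in_start" ] && [ "$inside" -lt $((in_start + count)) ]; then
            echo $((out_start + inside - in_start))
            break
        fi
    done)
    [ -n "$result" ] && echo "$result" || echo unmapped
}

# root_is_remapped MAP_TEXT: succeeds (exit 0) only when container UID 0 maps
# to a host UID that is neither root nor unmapped.
root_is_remapped() {
    host_uid=$(map_uid "$1" 0)
    [ "$host_uid" != unmapped ] && [ "$host_uid" -ne 0 ]
}

# Constructed sample maps (not captured from a real host).
# Daemon without remapping: identity map, so container root is host root.
IDENTITY_MAP='         0          0 4294967295'
# Daemon with user-namespace remapping: container 0..65535 -> host 100000..165535.
REMAPPED_MAP='         0     100000      65536'

# On a live Docker host, the map of a running container is read from
# /proc/<pid>/uid_map, where <pid> is the container's init process as
# reported by: docker inspect -f '{{.State.Pid}}' <container>
report() {  # report LABEL MAP_TEXT
    if root_is_remapped "$2"; then
        echo "$1: container root -> host uid $(map_uid "$2" 0) (remapped)"
    else
        echo "$1: container root is host root (not remapped)"
    fi
}
report identity "$IDENTITY_MAP"
report remapped "$REMAPPED_MAP"
```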

Security concerns remain the biggest hurdle to container adoption, especially if the volumes of containers are portable, said Larry Carvalho, research manager at IDC in Framingham, Mass. Addressing that through the hardware is a smart move, because it's generally more difficult to break into and it offers efficiencies for the high numbers of containers that will be used in the future.

"That's one of the things they should have addressed because of the volumes," Carvalho said. "You can't really do a lot of the security on the software level, because it would be way too much of an overhead."

Docker containers as a service matures

Docker is also building on its paid containers as a service offering that started to take shape earlier this year with the acquisition of Tutum.

The latest addition is a Universal Control Plane, on-premises software in beta that maintains the self-service model for developers while creating a framework for managing infrastructure and deciding which data center the workloads run in. It allows operations to decide which cloud the container service runs on, control how applications are clustered and scheduled, and configure networking and storage across environments.

Containers as a service sits somewhere between infrastructure as a service and platform as a service. The Docker flavor has its advantages in that it's not tied to an infrastructure like Amazon EC2 Container Service, and it's not overly focused on operational control and limits on languages at the expense of the developer experience, according to Docker.

It's also not alone, as startups such as Shippable Inc. offer similar services, Lyman noted. And it's not surprising either, as it allows Docker to continue to highlight portability -- one of the key draws to containers -- as vendors new and old scramble to offer services that appeal to enterprises.

"It's still a little bit of a Wild West in terms of where does the large enterprise go for support for the software," Lyman said.

Trevor Jones is a news writer with TechTarget's data center and virtualization media group. Contact him at [email protected].