Swarm mode features buzz around Docker security concerns

Security concerns have held containers back from production in the enterprise, but IT pros see Docker secrets as a step forward in that area.

Enterprises with Docker security concerns now have a new option to deploy secure containers with Docker secrets management.

The new Docker security tools for container-native secrets management cover passwords and other credentials, such as application programming interface (API) keys and encryption keys, that applications reference at runtime in a secure environment. They include open-source components available to anyone running Docker 1.13.1 in swarm mode, as well as commercial components available to users of Docker Datacenter. The open-source tools include an encrypted store for data at rest, TLS encryption for data in transit, and least-privilege secret distribution. Commercial features for Docker Datacenter add role-based and policy-based access control and a management user interface.

Least-privilege secret distribution -- which allows multiple tenants sharing a container cluster to access only the keys they need -- is a feature Docker swarm can claim over its chief rival. In its most recent releases, Kubernetes does not yet natively allow control over which users of a cluster can access a secret, though the feature is said to be planned.

DevOps consultants who work with Docker in enterprise environments praised Docker secrets as a big step forward for container technology as it moves toward mainstream production.

"It's a critical component that has become more and more important as development work spreads across a larger number of systems," said Brandon Cipes, managing director of DevOps at cPrime, an Agile consulting firm in San Francisco. "They perhaps could have done a bit more to integrate with larger key-store [products] instead of building something internal, but it's a good move overall."

One such integration Docker should consider is with the Key Management Service from Amazon Web Services, which is popular among its clients, Cipes said.

Google is focused on such third-party tool integrations in Kubernetes, said a source close to the project. Red Hat's OpenShift offers some additional container security features on top of Kubernetes, for example.

Third-party specialized tools, such as HashiCorp's Vault, meanwhile offer fine-grained policy controls, but not as a feature of the container interface and lifecycle. That gives Docker a point of differentiation: its secrets management is embedded in native Docker security tools.

Still, some Docker customers who have also used Kubernetes' security features now lean toward Vault, as Vault specializes in security and can also manage secrets for container hosts as well as other aspects of the infrastructure. Vault includes security features such as key rolling and audit logs. A Google engineer has also developed a tool that automates the creation of Vault tokens in Kubernetes for users going this route. "Getting security, auditing and compliance right is a specialized job that doesn't get the attention it needs," said Michael Bishop, CTO of Alpha Vertex, a financial technology startup based in New York.

Ultimately, though, the bottom line is that Docker is doing the right thing by working with large enterprise customers to address security concerns, said Jay Lyman, analyst at 451 Research.

"They're also going with a security management focus without stepping on too many toes in the ecosystem," Lyman said, citing work Docker has done with partners such as Twistlock and Aqua Security for container runtime protection.

Docker security tools debate emerges

Is it a good idea to store secrets in containers? There's some disagreement about that.

Google engineers in public presentations have argued strongly against putting secrets into container files themselves. Docker is all about transportable code, and containers may be publicly inspected, exported or published, depending on the environment, they said.

Docker, meanwhile, sees advantages to putting secrets in containers. The usual alternative is to embed secrets in application code, which can lead to their exposure on public forums such as GitHub.
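To make the two sides of that debate concrete, here is an added example (not code from the article or from Docker itself): a service reading a swarm-mounted secret from /run/secrets/<name> the container-native way, beside a small lint that flags the alternative the article warns about, a credential hard-coded into a Dockerfile ENV or ARG line. The credential-name heuristic, the sample Dockerfile and the temporary-directory stand-in for the tmpfs mount are all constructed for the example.

```python
"""Added example (not from the article or Docker's own code): how a service consumes a
Docker swarm secret, plus a lint for credentials baked into a Dockerfile."""
import re
import tempfile
from pathlib import Path
# Swarm mounts each secret granted to a service as a file under /run/secrets/<name>,
# on a tmpfs visible only inside that service's containers.
DEFAULT_SECRETS_DIR = "/run/secrets"
# Assumed heuristic: variable names that usually carry a credential.
CREDENTIAL_HINT = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY", re.I)
# Constructed sample Dockerfile: line 3 bakes a credential into the image,
# line 4 uses the *_FILE convention to point at a mounted secret instead.
SAMPLE_DOCKERFILE = """FROM python:3.12-slim
WORKDIR /app
ENV DB_PASSWORD=hunter2
ENV DB_PASSWORD_FILE=/run/secrets/db_password
COPY . .
"""

def load_docker_secret(name, secrets_dir=DEFAULT_SECRETS_DIR):
    """Read secret `name` from the mount; fail loudly instead of falling back to an env var."""
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", name):
        raise ValueError(f"invalid secret name: {name!r}")
    path = Path(secrets_dir) / name
    if not path.is_file():
        raise FileNotFoundError(f"secret {name!r} is not mounted at {path}")
    value = path.read_text(encoding="utf-8").rstrip("\n")
    if not value:
        raise ValueError(f"secret {name!r} is empty")
    return value

def find_baked_in_credentials(dockerfile_text):
    """Return (line_no, key, value) for ENV/ARG KEY=VALUE pairs whose name looks like a
    credential and whose value is a literal rather than a /run/secrets path."""
    findings = []
    for line_no, line in enumerate(dockerfile_text.splitlines(), start=1):
        m = re.match(r"\s*(?:ENV|ARG)\s+(.*)", line, re.I)
        if not m:
            continue
        for key, value in re.findall(r"([A-Za-z_]\w*)=(\S+)", m.group(1)):
            if CREDENTIAL_HINT.search(key) and not value.startswith("/run/secrets/"):
                findings.append((line_no, key, value))
    return findings

def demo_load_from_tempdir():
    """Simulate the swarm mount with a temporary directory (constructed input)."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "db_password").write_text("s3cr3t-from-swarm\n", encoding="utf-8")
        return load_docker_secret("db_password", secrets_dir=tmp)
```

The loader deliberately has no environment-variable fallback, so a service that was not granted the secret fails at startup rather than silently running with a value compiled into the image.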

This is a philosophical debate that will only grow hotter as Docker secrets management takes a container-native approach, analysts said. And as with most technical debates, there are pros and cons on both sides as IT pros look to address Docker security concerns.

"It's similar to the agent versus agentless debate in software," Lyman said. "Both have their merits."

When security travels with the container, the container inherits policies from a higher-order system, said Rob Stroud, an analyst at Forrester Research. The challenge is that this system must have consistent access to the infrastructure, and root access to that overall management system must be controlled carefully.

But with security as a feature of the container, it can be monitored and made consistent through inherent container management designs, and regenerated quickly in case a problem needs to be corrected, Stroud said.

"The integrity of the container can be validated at all times," he said, adding that both the container-native and app-embedded approaches to Docker security tools "are equally loved and hated."

Beth Pariseau is senior news writer for TechTarget's Data Center and Virtualization Media Group. Write to her at [email protected] or follow @PariseauTT on Twitter.