Sergey Nivens - Fotolia
AUSTIN, Texas -- What a difference a year makes, especially when it comes to Docker and security.
One year ago, Linux container security was the chief concern among enterprises that sought to put the new technology into production. At DockerCon here last week, large enterprises instead extolled the virtues -- even advantages -- of containers for IT security, due in large part to recent Docker container security updates.
Improved security was one of the top three reasons to containerize some 400 apps for The Northern Trust Company, an investment bank in Austin, Texas.
The process to patch thousands of VMs was condensed down to a single container image, said Robert Tanner, division manager of enterprise middleware services at the bank, during a presentation at the conference.
The ability to patch container images instead of VMs offers more consistency and allows less room for error, Tanner said. Docker Enterprise Edition also now offers Docker Security Scanning, which creates a security profile for each application in Northern Trust's environment, and assesses vulnerabilities in the app before it moves into production. Docker Notary further authenticates images as they move through Northern Trust's continuous integration/continuous delivery (CI/CD) process.
"It's safe, it's right, we're comfortable," Tanner said of Docker Notary.
Robert Tannerdivision manager of enterprise middleware services, The Northern Trust Company
Docker container security updates will allow genomics analytics company Translational Genomics Research Institute (TGen) to expand into clinical services where patient data is protected by HIPAA, while still using an efficient shared infrastructure.
"Being able to isolate workloads away from the general population means we can run [a clinical] workflow on the same machinery that I'm running my [research and development] R&D on, but will be able to do so in a way risk auditors are comfortable with," said James Lowey, CIO of TGen.
And hotel chain Hyatt has used Docker to establish a DevOps pipeline and also to speed up application development, but the hotelier has also seen security benefits. For example, containers affiliated with one another can be grouped within the same physical server and then that box can be hardened, said Ray Krueger, VP of engineering at Hyatt.
"My [chief information security officer] is excited about locking all the traffic into one box with one front door that can use a reverse proxy," Krueger said.
Docker container security updates take center stage
Demos at the event referenced recent Docker security updates, such as secure node introduction, cryptographic node identity, cluster segmentation and secure secret distribution. New features demonstrated for Docker's SwarmKit included automatic promotion of secure code to production, as well as automated rollback of the container infrastructure after security errors are discovered.
Minimalist operating systems can also be used with containers. With container-optimized OSes, such as those built from Docker's newly launched LinuxKit, all processes including system daemons run in separate containers. Only needed services are run by the OS, so deployment is more secure than with traditional all-inclusive mainstream distros.
"Just by containerizing, I can limit the attack surface [of apps] because I use a minimalist OS," said Northern Trust's Tanner.
Docker container security startups complete the picture
There are plenty of startup companies to fill the gaps in container security where Docker falls short, and enterprises have taken advantage of these new technologies.
For example, Northern Trust's Tanner said his company uses a security monitoring product from StackRox, in Mountain View, Calif.
"They're doing some amazing things in this space, like machine learning and AI in order to figure out how to better protect my world from outside threats," Tanner said.
TGen uses container persistent storage technology from Portworx in Los Altos, Calif. Security features, such as access control lists, audit logs and encryption of volumes that includes integration with HashiCorp Vault or Amazon Web Services' Key Management Service, will help TGen manage clinical workloads.
Other newcomers, such as Aqua Security Software Inc. and Twistlock Ltd., both in San Francisco, have behavior baselining, service whitelisting and security monitoring for containers at runtime. Twistlock rolled out version 2.0 of its platform with a bevy of Docker container security updates, such as runtime visualization enhancements; checks for compliance with .509 keys, SSH keys, AWS tokens and other credentials; and new certificate authentication for organizations that use public key infrastructure.
Docker container security updates have entered mainstream enterprise IT products, such as Red Hat's OpenShift, which rolled out version 3.5 last week. This new version of Red Hat's Kubernetes-based PaaS includes certificate management for containers, along with warnings that certs will expire, and rolling certificate refreshes. OpenShift 3.5 also boasts improved security management with added granularity to determine which user owns which credentials in the container infrastructure.
Progress, but not IT security utopia
Though Docker container security updates have improved patching and minimized the attack surface of apps, not all enterprises are ready to forego extra security precautions with container-based deployments.
"Even if Docker certifies an app as being safe and effective, I'm not risking $11 billion on Docker telling me it's safe," said James Ford, chief architect of strategy at ADP, the HR software company based in Roseland, N.J., which has more than $11 billion in revenues. "We need extra assurance and to prove it to ourselves."
Containerized applications can only be downloaded by ADP developers from whitelisted sources. When the code has been tested and validated and the developer wants to push it into the integration testing process, it first goes through a rebuild and a scan that uses software from Black Duck Software Inc. in Burlington, Mass. Every app also undergoes manual penetration testing before it's released into production, which adds two weeks into an otherwise automated build process.
Ford said he also has reservations about security monitoring startups.
"I want noise reduction for security software," Ford said. "I don't care if I have Heartbleed on a database server, I don't have SSL running there anyway -- tell us when it matters."
Fancy yourself a Docker expert? Test that assertion with this comprehensive quiz
Container security -- focus on the app or on the host machine?
The container storage war rages on