You are here

Docker's Content Trust a good step, but security flagged with containers' move to production

public://pictures/Jaikumar-Vijayan-Freelance-Writer.png
Jaikumar Vijayan, Freelance writer

The security of the Docker ecosystem is coming under increasing scrutiny as more enterprises consider the application container technology for use in production environments. To address some of these concerns, Docker recently introduced Content Trust in Docker Engine 1.8. However, enterprise experience with virtualization technologies has set the bar high for containers.

Jay Lyman, research manager for cloud platforms at 451 Research, says the concerns have to do with the security properties of containers themselves and with the manner in which they're accessed, used, administered, and managed. "Some of the most common Docker and container security concerns we hear about center on multi-tenancy, access management, and image validation."

The State of Analytics in IT Operations

A perfect storm?

"These issues combined sort of present a potential 'perfect storm' for containers, whereby internal users could download a popular Docker image, insert malicious code or back doors, then re-upload the image with a similar name and gain access to production containers," Lyman says.

Docker containers basically allow developers to bundle an application together with all its associated code, runtime, system libraries, and tools in a standalone unit that can run on any platform. Containers are isolated from the hardware on which they run, freeing developers from worrying about system compatibility issues when developing code. Containers enable greater application portability and speed up application delivery.

Over the past year, a growing number of enterprises have snapped up the technology and made Docker a de facto standard in the application container space. But along with this popularity come questions about whether enough security controls exist around Docker to make it suitable for large production environments.

[ Webinar: 5 Things Every SecOps Team Wants Their NetOps Team to Know ]

Laying out the security risk

One major concern with Docker is that applications with root-level access within a container sometimes have the same root access to the underlying operating system. Adrian Mouat, chief scientist at Container Solutions, a software consultancy, explained in a blog post that attackers can gain root-level access to the container if they manage to exploit a vulnerability in the application.

If attackers then manage to break the container's isolation mechanism, they can get root privileges on the host system, Mouat wrote.

The degree of isolation supported by containers is another concern. Application containers share a kernel with the underlying host but have their own runtime environment, process space, and network stack. Multiple containers can run on the same system. Security analysts believe that running applications in a container is more secure than running it directly on a host system. Docker containers make it possible to securely segregate multiple applications running in the same host.

Even so, there are some concerns that having multiple application containers with differing security profiles running on the same system is risky. "Containers managed by Docker are effective in resource isolation," Gartner research director Joerg Fritsch wrote earlier this year in a report on the security properties of Docker containers. "They are almost on par with the Linux OS and hypervisors in secure operations management and configuration governance," Fritsch explains. "[But they] disappoint when it comes to secure administration and management, and support for common controls for confidentiality, integrity, and availability."

Image security boosted by Docker Content Trust

Until recently, the security and quality of Docker images available for assembling applications was another major concern. Developers had little way to verify the origin and the integrity of images available for download from places like the Docker Hub Registry. There was concern that developers, in the rush to containerization, could open up their networks to security risks from insecure images.

In a study earlier this year, container security startup BanyanOps said it found that over 30 percent of repositories in Docker Hub contained images with vulnerabilities that made them susceptible to attacks like Shellshock, Heartbleed, and POODLE. Three out of four of the images created this year had vulnerabilities that were fairly straightforward to exploit with high impact, the study notes.

In August, Docker introduced a new Content Trust feature in Docker Engine 1.8 that goes a long way toward addressing image security concerns. Docker Content Trust is essentially an image signing and verification technology that makes it possible for developers to verify Docker image publishers and to ensure the images have not been tampered with.

"Docker Content Trust does address some of the concerns around application container security, particularly issues around knowing what software components and versions are being used in containers," Lyman says.

Docker's Notary trusted publishing system and The Update Framework (TUF), which are integrated to form Docker Content Trust, help mitigate the risk of developers uploading or downloading insecure application container images, he says.

Standards just emerging alongside move to production

However, Docker and container technologies are only a few years old, so it's not surprising to hear of enterprise concerns around immaturity and lack of documentation and best practices. "Containers are still very immature compared to virtual machines, so there is still some distance to go in closing that gap," Lyman says.

"Most enterprise organizations have come to appreciate the security and tooling around VMs and thus expect the same thing for application containers, which are still fairly fluid in their maturation and present some significant security challenges," he adds.

Jonathan Reeve, VP of product at container operations management firm StackEngine, says that security is a major concern for enterprises seeking to put Docker in production. A lot of these concerns are operational in nature and have to do with issues like access management and control, he says.

Some of the requirements are around who can have access to containers, how to run Docker optimally, and other operational issues. "When I am running it, who is allowed to do what? Who can add networking or load balancing? How do I make sure I run a stateful application? If a Docker host goes down, can I maintain state?'" he asks.

The kind of sophisticated system management and administrative controls that are available in the virtualization space are only just starting to become available in the container ecosystem, Reeve says.

Ready for your security audit?

Auditors haven't begun asking hard questions about containerization security, according to Fritsch's report. But he expects that they will, sooner rather than later. "Containers and their evolving and partially immature controls add complexity and some confusion to compliance efforts," Fritsch wrote. Organizations that are covered by regulations like HIPAA and the Payment Card Industry Data Security Standard (PCI DSS) should be aware of the potential for increased audit scrutiny before putting Docker into production environments, he noted.

451 Research's Lyman adds, "Security concerns around containers are among the biggest hurdles to adoption." This is not too surprising though, given that this was also the case with cloud adoption and other new technologies.

Enterprise experience with virtualization technologies has set the bar high for containers. "It will take time and this is why we see containers mostly in pilot projects, evaluations, and testing and development environments, though there are some Web 2.0, technology startups, and large enterprises that are using containers in production today," Lyman says.