Disrupting the Disruptor: Security of Docker Containers

Docker Security: How Secure are Containers and Will Security be a Hurdle to Container Adoption?

In 1897, physiologist René Quinton completely replaced the blood of a live, abandoned dog with seawater in an experiment to prove the theory that the chemistry of mammalian blood is formulated from ocean water, with which it shares many properties including salinity and acidity. Ancient life forms co-opted other primitive life forms in a symbiotic state to harvest oxygen from seawater. When the advanced life forms moved out of the ocean, they brought forward those primitives with them to maintain the seawater within themselves. Isn’t it bizarre that, millions of years later, we still carry around our own seawater and all its supporting apparatus?

In the digital age, we have brought forward similar primitives into our computing clouds: virtual versions of desktop operating systems from the 90s: Windows, BSD and Linux. It’s bizarre because these bulky, inefficient virtual guest operating systems are just supporting apparatus for an application.

But now a form of virtualization called containers may obsolete virtual operating systems. Containers are host processes that have advanced support for multi-tenancy and privilege isolation. Applications can run inside a container more efficiently than inside a whole virtual operating system.

And just as VMware rode the wave of operating system virtualization to fame and fortune, there’s a new company named Docker riding the popularity of containers. Docker is fast becoming synonymous with container technology and as a result is the new open-source debutante that everyone wants to date.

So will containers replace traditional operating system virtualization in the same way that virtualization has replaced much of the physical, bare-metal world? And how secure are containers, anyway? Will that be a stumbling block to container adoption?

[Figure: Diagram of Docker Technology]

A recent Gartner analysis of Docker security largely gives Docker security a thumbs up (while noting shortcomings in management and maturity). Because the overall concept of cloud security has already been accepted, the argument now is just about the level of protection. We’re probing the mechanics of the immune system, not deciding whether the concept lives or dies. The Gartner analysis for Docker security reiterates some of the main points from Docker’s own security page.

• Virtualization security has migrated into the host operating system. Linux and Microsoft kernels have been providing more support for virtualization in every release. The LXC (Linux container) and userspace file systems secure the containers at the host operating system level. This helps traditional virtualization as well and enables containers to focus on efficiency.

• A container system has a smaller threat surface than the traditional virtualization system. Because containers consolidate redundant shared resources, there will be fewer versions of Apache (and its entire mod ecosystem) to attack, and fewer processes to manage. A smaller attack surface is always a good thing.

• Process security controls will be applied to containers. Process security is an ancient black art: easy to misconfigure, often disabled, and it often doesn’t do what you think it should. But the underlying technology should only get better.
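As an added example (not from the article, Gartner or Docker), the following Python audit reads `docker inspect` JSON and flags the process security controls the list above describes as easy to misconfigure or disable; the sample JSON is constructed and trimmed to the fields the check reads.

```python
import json

# Constructed sample in the shape of `docker inspect` output, trimmed to the
# fields this audit reads: one weakly configured container and one hardened.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "Config": {"User": ""},
     "HostConfig": {"Privileged": True, "CapAdd": ["SYS_ADMIN"],
                    "SecurityOpt": ["seccomp=unconfined"], "PidMode": "host",
                    "NetworkMode": "bridge", "ReadonlyRootfs": False,
                    "Binds": ["/var/run/docker.sock:/var/run/docker.sock",
                              "/srv/app:/app:ro"]}},
    {"Name": "/web-hardened", "Config": {"User": "1000:1000"},
     "HostConfig": {"Privileged": False, "CapAdd": None, "CapDrop": ["ALL"],
                    "SecurityOpt": ["no-new-privileges"], "PidMode": "",
                    "NetworkMode": "bridge", "ReadonlyRootfs": True,
                    "Binds": ["/srv/app:/app:ro"]}},
])

# Host paths that, when bind-mounted, effectively hand the container the host.
SENSITIVE_MOUNTS = ("/", "/var/run/docker.sock", "/proc", "/sys", "/etc", "/dev")


def audit_container(inspect_json: str) -> dict:
    """Return {container_name: [finding, ...]} for every weakened or disabled
    process security control found in docker-inspect style JSON."""
    findings = {}
    for c in json.loads(inspect_json):
        hc = c.get("HostConfig", {})
        issues = []
        if hc.get("Privileged"):
            issues.append("privileged: all capabilities, host devices, no seccomp/AppArmor")
        for cap in hc.get("CapAdd") or []:          # null in JSON when none added
            issues.append(f"capability added: {cap}")
        for opt in hc.get("SecurityOpt") or []:
            if opt.endswith("=unconfined") or opt.endswith(":unconfined"):
                issues.append(f"profile disabled: {opt}")
        if hc.get("PidMode") == "host":
            issues.append("pid namespace shared with host")
        if hc.get("NetworkMode") == "host":
            issues.append("network namespace shared with host")
        if not hc.get("ReadonlyRootfs"):
            issues.append("root filesystem is writable")
        for bind in hc.get("Binds") or []:          # "host_path:container_path[:mode]"
            src = bind.split(":")[0]
            if src in SENSITIVE_MOUNTS:
                issues.append(f"sensitive host path mounted: {src}")
        if not c.get("Config", {}).get("User"):     # empty User means root
            issues.append("process runs as root inside the container")
        findings[c.get("Name", "?")] = issues
    return findings
```

Against a live host, feed it the output of `docker inspect $(docker ps -q)`.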

On a fundamental level, container security is equivalent to hypervisor security. If you can suspend your disbelief about security to the point where you accept the additional layer of risk because there is no “air gap,” then you’ve got to be good with both hypervisors and containers. Sure, Docker is not as mature as VMware, but that’s just one parameter in your equation—as container security matures, the reduced threat surface may lead to fewer vulnerabilities than full virtual machines.

Docker is already supported by the major cloud infrastructures: Google, Amazon Web Services, IBM, and now Microsoft. The promise of container efficiency is leading some to predict that containers will eventually replace traditional virtualization systems. The ability to spin up containers in a second or less means they will proliferate to deliver their value and then disappear, allowing the underlying operating system to boost the efficiency of the application’s circulatory system.

Perhaps there is a Dr. Quinton right now running an experiment to see how effectively containers may replace the traditional virtual system. And just to fully close the loop and put your mind at ease, in the dog experiment, the dog whose blood was replaced with seawater was incredibly ill—close to death, actually—but then fully recovered in a week’s time. Happy ending.
