Run Apps In Docker If You Want Application Security
Often, new technologies raise security concerns. However, two reports claim it’s safer to run applications inside containers than outside of them.
When any new technology appears on the scene, security is typically a barrier to adoption. When it comes to Docker containers, though, two organizations now are making the claim that security should be a driver of adoption.
Analyst firm Gartner and cyber-security specialist NCC Group have published research detailing the container security landscape.
“The significant piece of this is that Gartner is at the point where they think applications are more secure running in Docker containers and are communicating this out to their enterprise users,” Nathan McCauley, director of security at Docker Inc., told eWEEK. “It is significant in combination with the NCC Group report, which recognizes Docker’s leadership in the area of container security.”
Docker security
Gartner analyst Joerg Fritsch wrote that an application that is deployed in a container is in fact more secure than the same application running on a bare-metal operating system because “applications and users are isolated on a per-container basis so that they cannot compromise other containers or the host OS.”
The NCC Group report stated that “from a security perspective, [containers] create a method to reduce attack surfaces and isolate applications to only the required components, interfaces, libraries and network connections.”
McCauley published a blog post on Aug. 23 that included a chart showing some of the key security features enabled by Docker and how it compares to other container options.
Among those features is a capability called seccomp filtering that was first added to the Docker 1.10 update that came out in February. Seccomp is a technology that is integrated into the main line of the Linux kernel to provide granular security control.
Containers
The most recent release of Docker is version 1.12, announced at DockerCon in June.
“The Gartner report already takes into account 1.12 security features, which include built-in certificate authority, mutual TLS [Transport Layer Security] authentication and authorization between all nodes as well as cryptographic node identities,” McCauley said. “In particular, cryptographic node identities are one of the fundamental building blocks that will enable future security features.”
The fact that Docker has multiple levels of security doesn’t mean, however, that all Docker users are secure by default. Properly securing a Docker container environment involves making use of the security capabilities that Docker provides as well as best practices for configuration. That’s the rationale behind the Docker Bench tool released in May 2015. Docker security has improved since then, and Docker Bench is set to keep up.
“We are updating Docker Bench to take advantage of the new orchestration features that shipped in 1.12 and continue to update our sysbench release for every benchmark that comes out,” McCauley said.
Originally published on eWeek