SDxCentral

What Is Docker Security & How Do You Use It?

Security in the Linux container platform is still evolving and, by many assessments, incomplete. Container technology arose from the need to run certain workloads in isolation, not so much to protect those workloads as to protect everything else on the host from them; that concern is what drives container and Docker security.

Security-related needs triggered the development trend that eventually led to Docker. Although Docker Inc. is taking steps to plug potential holes in the container platform, experts say more work needs to be done before it can be considered a mature environment.

Docker Security Risks

The greatest problem large organizations face today when assessing the potential value of adding Docker to their production environments is aligning the security controls and processes they already have in place (plus the compliance mechanisms that pertain to them) with the processes of managing and maintaining a Docker container environment. Compliance guidelines have been made to “mesh” with VMware environments and with private cloud platforms based around Linux. Container environments are so new that adaptation of these guidelines has yet to be fully developed.

From the perspective of a risk manager or insurance analyst, adopting Docker in production is risky enough to be considered potentially insecure – not for any architectural reasons but because such assessors have yet to completely understand Docker or containers.

For now, some organizations have concluded that Docker is too risky to adopt beyond development environments. For its part, Docker Inc. has made efforts to respond to risk managers and skeptics through public demonstrations of how its latest tools and add-ons directly combat known threats, such as container spoofing.

Docker has no inherent “security mechanism.” This does not mean Docker is inherently insecure. It does mean that security practices that pertain to running workloads on operating systems still need to be adapted to apply to Docker.

The greatest concern among security engineers is that containers share the kernel of the host that runs the Docker daemon, and that boundary is exploitable in principle. Every system call a container makes is handled by the host kernel, so a kernel vulnerability reachable from inside a container could compromise the host; if the host is not itself virtualized, that compromises the operating system and therefore the server. Demonstrations of such exploits have so far been conducted on systems that were also left unprotected by the most basic security measures. Note, though, that a stateful inspection firewall does nothing to shrink the kernel's system-call surface; the controls that do are dropping Linux capabilities, applying a seccomp profile, running the container process as a non-root user, and keeping the host kernel patched.

Many organizations deploy their Docker environments on virtual machines, so the kernel the containers share belongs to the guest VM rather than to the physical host. A container escape then lands in the guest, and an attacker still needs a separate hypervisor escape to reach the host. While this contains the impact of one known exploit vector, it also costs some container performance in production.

Even virtualizing the host kernel does not protect against another threat: since containers communicate with one another over the network (either through Docker's native port mapping or through SDN network overlays), a container is capable of mounting a denial-of-service attack against its neighbours or against the host. Per-container limits on CPU, memory and process count bound the damage on the host, and a properly implemented SDN can confine a network-borne attack to the local subnet, although that assumes the application hosted in the containers has no need to reach the outside world.
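The kernel-facing settings named above are all visible in a container's runtime configuration, so they can be audited rather than trusted. The following is an added example, not Docker's own tooling: it reads the JSON shape that `docker inspect` prints and flags the settings that widen the host-kernel attack surface. The two inspect documents, the container name, the paths and the "risky capability" set are constructed for illustration.

```python
"""Audit a container's runtime settings for anything that widens the
host-kernel attack surface. Added example, not Docker's own tooling; it reads
the JSON shape printed by `docker inspect`, and the sample documents below are
constructed for illustration."""
import json
from typing import Dict, List

# Capabilities that give a root process in the container a short path to the
# host kernel or to other containers (assumed "dangerous" set for this example).
RISKY_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "SYS_RAWIO",
              "NET_ADMIN", "DAC_READ_SEARCH"}

# Constructed `docker inspect` output for a badly configured container.
WEAK_INSPECT = json.dumps([{
    "Name": "/web",
    "Config": {"User": ""},
    "HostConfig": {
        "Privileged": True,
        "NetworkMode": "host",
        "PidMode": "",
        "CapAdd": ["SYS_ADMIN"],
        "CapDrop": [],
        "SecurityOpt": ["seccomp=unconfined"],
        "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
    },
}])

# Constructed output for the same service after hardening.
HARDENED_INSPECT = json.dumps([{
    "Name": "/web",
    "Config": {"User": "10001:10001"},
    "HostConfig": {
        "Privileged": False,
        "NetworkMode": "bridge",
        "PidMode": "",
        "CapAdd": ["NET_BIND_SERVICE"],
        "CapDrop": ["ALL"],
        "SecurityOpt": [],  # default seccomp and AppArmor profiles stay in force
        "Binds": ["/srv/web/static:/usr/share/nginx/html:ro"],
    },
}])


def audit_container(inspect_json: str) -> List[str]:
    """Return one finding per risky setting; an empty list means nothing was flagged."""
    findings: List[str] = []
    for c in json.loads(inspect_json):
        name = c.get("Name", "?").lstrip("/")
        hc: Dict = c.get("HostConfig", {})
        user = c.get("Config", {}).get("User", "")

        if hc.get("Privileged"):
            findings.append(f"{name}: --privileged grants every capability and all host devices")
        if hc.get("NetworkMode") == "host":
            findings.append(f"{name}: host networking removes the network namespace boundary")
        if hc.get("PidMode") == "host":
            findings.append(f"{name}: host PID namespace exposes every host process")
        added = RISKY_CAPS & set(hc.get("CapAdd") or [])   # inspect prints null when unset
        if added:
            findings.append(f"{name}: added capabilities {sorted(added)} are kernel-escape aids")
        for opt in hc.get("SecurityOpt") or []:
            if opt.endswith("unconfined"):
                findings.append(f"{name}: {opt} disables a syscall or MAC filter")
        for bind in hc.get("Binds") or []:
            src = bind.split(":", 1)[0]
            if src == "/" or src.endswith("docker.sock"):
                findings.append(f"{name}: bind mount of {src} is equivalent to root on the host")
        if user in ("", "0", "root") or user.startswith(("0:", "root:")):
            findings.append(f"{name}: runs as root; UID 0 inside is UID 0 on the host without user namespaces")
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_INSPECT), ("hardened", HARDENED_INSPECT)):
        result = audit_container(doc)
        print(f"== {label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

In practice the input comes from `docker inspect $(docker ps -q)`, and the check belongs in CI or in an admission step before a container is allowed to start; the weak document above produces six findings, the hardened one none.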

Figure 1: Image Forgery Resistance – Docker Security

Encryption-Based Solutions

Docker Inc. has responded to the need for extra protection in these areas by creating a system called Content Trust, which digitally signs image tags pushed to its Docker Hub registry and to other Docker registries, including private ones. Content Trust is built on the Notary project, an implementation of The Update Framework (TUF); it signs images, it does not encrypt them.

Organizations can use this mechanism to constrain every container running in production to be based on an image whose constituent parts, including the base image pulled from the registry, are digitally signed and verifiable (see Figure 1). With the Docker client configured to enforce Content Trust, a tag is resolved to a signed content digest, and an unsigned image, or one whose content does not match the signed digest, is refused at pull time. This way, they know they are not running images that were tampered with in transit or on the registry, and they can rely on the standing of the parties that signed those images.

Some security experts warn against relying on this method, or on any method so dependent on cryptography, as a full solution to the broader problem of container security. Signing moves the single point of failure to whatever organizations choose for their key management: a stolen or mishandled signing key makes tampered images look trustworthy. There is, however, little argument against using signing at all.

In November 2015, Docker Inc. addressed the issue of key management by announcing support for YubiKey, a physical USB security key manufactured by Yubico. The root signing key for Content Trust can be generated and stored on the YubiKey, so that signing an image requires the physical device to be present and the user to touch it. Operations involving the signing, and therefore the deployment, of images can thereby be restricted to the individuals holding the key rather than to anyone who obtains a key file from disk. YubiKey is one more example of the vigilance-based methods on which modern container security currently relies.
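What the pull-time check amounts to can be shown in a few dozen lines. The following is an added example, not Docker's or Notary's code: a tag is looked up in a record of signed targets, a digest reference is taken as self-describing, and in both cases the manifest bytes fetched from the registry must hash to the expected digest before the image is accepted. `TRUSTED_TARGETS` stands in for the signed targets metadata Notary publishes, and the repository name, tag and manifests are constructed for illustration. In the real client the equivalent enforcement is switched on with `DOCKER_CONTENT_TRUST=1`.

```python
"""What Docker Content Trust enforces at pull time: a tag is resolved through
signed metadata to a content digest, and the manifest fetched from the registry
must hash to that digest before the image is used. Added example, not Docker's
or Notary's code; TRUSTED_TARGETS stands in for Notary's signed targets
metadata, and the manifests and repository name are constructed."""
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple


class TrustError(Exception):
    """Raised when an image cannot be tied to a signed, matching digest."""


def manifest_digest(manifest: bytes) -> str:
    """Registry-style content digest of a manifest body."""
    return "sha256:" + hashlib.sha256(manifest).hexdigest()


# Constructed manifest as the registry would serve it for the signed tag.
GOOD_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "config": {"digest": "sha256:" + "11" * 32},
    "layers": [{"digest": "sha256:" + "22" * 32}],
}, sort_keys=True).encode()

# The same manifest with one layer swapped: what a tampered image looks like.
TAMPERED_MANIFEST = GOOD_MANIFEST.replace(b"22" * 32, b"33" * 32)

# Stand-in for Notary's signed targets: repository -> tag -> digest.
TRUSTED_TARGETS: Dict[str, Dict[str, str]] = {
    "registry.example.com/app": {"1.4.2": manifest_digest(GOOD_MANIFEST)},
}


def parse_reference(ref: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Split an image reference into (repository, tag, digest)."""
    if "@" in ref:
        repo, digest = ref.split("@", 1)
        return repo, None, digest
    head, _, last = ref.rpartition("/")   # a ':' before the last '/' is a port
    if ":" in last:
        name, tag = last.rsplit(":", 1)
        return (f"{head}/{name}" if head else name), tag, None
    return ref, "latest", None


def verify_pull(ref: str, fetched_manifest: bytes,
                targets: Dict[str, Dict[str, str]] = TRUSTED_TARGETS) -> str:
    """Return the digest the image may run under, or raise TrustError.

    A tag must appear in the signed targets; a digest reference is
    self-describing, but the fetched bytes still have to match it.
    """
    repo, tag, digest = parse_reference(ref)
    if digest is None:
        expected = targets.get(repo, {}).get(tag)
        if expected is None:
            raise TrustError(f"no signed target for {repo}:{tag}; refusing to pull")
    else:
        expected = digest
    actual = manifest_digest(fetched_manifest)
    if not hmac.compare_digest(actual, expected):
        raise TrustError(f"{ref}: fetched manifest is {actual}, expected {expected}")
    return expected


def is_trusted(ref: str, fetched_manifest: bytes) -> bool:
    """Boolean form of verify_pull for use in a deployment policy check."""
    try:
        verify_pull(ref, fetched_manifest)
        return True
    except TrustError:
        return False


if __name__ == "__main__":
    print("accepted:", verify_pull("registry.example.com/app:1.4.2", GOOD_MANIFEST))
    for ref, body in (("registry.example.com/app:1.4.2", TAMPERED_MANIFEST),
                      ("registry.example.com/app:latest", GOOD_MANIFEST)):
        try:
            verify_pull(ref, body)
        except TrustError as err:
            print("refused:", err)
```

Two properties matter here. The tampered manifest is refused even though its tag is signed, because the signature covers the digest, not the tag name; and the unsigned `latest` tag is refused outright, which is exactly the behaviour that breaks a workflow relying on mutable tags once enforcement is turned on.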

© 2012-2019 SDxCentral, LLC, All Rights Reserved. SDNCentral™, the SDNCentral logo, SDxCentral™, SDxCentral logo, SDxNews™, SDxTech™, SDx™, the SDx logo, and DemoFriday™ are trademarks of SDxCentral, LLC in the U.S. and other countries.