Docker Containers, Security and Compliance

Can you use Docker containers for workloads that require PCI, HIPAA or other compliance? Answer: absolutely. Here’s why.

As Docker becomes an increasingly big deal for enterprises, more compliance questions are arising. Enterprises like technologies that meet compliance requirements. As a new technology, Docker has not yet received much attention from the folks who develop compliance guidelines or the auditors who monitor compliance.

This lag has led some parties to question whether Docker is appropriate for workloads that demand strict compliance. For example, David Tesar cites security and compliance concerns as a reason not to use Docker. In a similar vein, a Gartner analyst wrote last year that containers “add complexity and some confusion to compliance efforts.”

What’s Different About Docker Compliance?

Those statements mostly reflect concern that Docker is not secure, and therefore should not be used by organizations that need to meet compliance goals. That is weak reasoning, however, in two respects.

First, Docker containers are no longer insecure. Security tools, such as Docker Security Scanning, now make it easier to secure containers in a way that can help keep auditors happy.

Second, and more importantly, it is hard to view Docker as a compliance risk when you consider that, from an infrastructure point of view, Docker containers are not actually very different from the technologies that enterprises have been using in production now for years. Docker containers do not present any compliance challenges that organizations don’t already face from traditional virtual machines.

Yes, containers place private data in software-defined environments, where the data’s physical location is more difficult to track. But so do virtual machines. Containers also transfer private data across the network. But again, so do virtual machines. Containerized infrastructure requires tight access control policies to prevent misuse of private data. But the same challenge exists with virtual machines.

My point is that, when it comes to compliance, Docker containers don’t present any fundamentally new challenges or require an overhaul of existing compliance strategies. Is Dockerized infrastructure complicated? Of course. But so is virtualized infrastructure. It is perfectly possible to keep Docker clusters compliant by extending the same strategies that organizations already use to secure and audit virtual machines.

Can Docker Simplify Compliance?

It’s worth noting that in some ways, Docker can actually make compliance easier. As Enrico Ermanno Dall’Ara writes on PCI Insider, one advantage of Docker is that it makes it very easy to package an app inside a container, then deploy that app on a managed hosting platform that is designed for PCI DSS compliance. Then, voilà! You have a PCI-compliant production environment.

Doing the same thing with virtual machines would be more complicated. You’d have to worry about making the entire virtual machine image, including the OS environment, compliant, instead of just making the app itself compliant.

To put this another way, Docker can be advantageous when it comes to compliance needs because Docker minimizes infrastructure overhead. The less infrastructure you have to worry about, the easier it is to assure security and compliance.

So, if compliance issues are holding you back from embracing Docker containers, it’s time to rethink your strategy.

Christopher Tozzi

Christopher Tozzi has covered technology and business news for nearly a decade, specializing in open source, containers, big data, networking and security. He is currently Senior Editor and DevOps Analyst with Fixate.io and Sweetcode.io.
