October 21, 2017

As Docker has grown in popularity, so has the number of container security platforms available to help harden Docker environments against attack. Here’s an overview of the container security landscape today and how it is likely to evolve in the future.

Container security tools and platforms fall into two main categories:

  • Open-source tools, most of which were developed as parts of larger container projects such as Docker and CoreOS.
  • Commercial security platforms from new companies that focus exclusively on the container security space.

Let’s take a look at how each of these categories breaks down.

Open-Source Container Security Tools

In Docker’s early years, security add-ons were not a priority for Docker developers. They were more focused on building the core Docker container platform.

That changed in the first half of 2016, when two major open-source security tools for Docker appeared. One was Clair, an image scanning tool developed by CoreOS. The other was Docker Security Scanning, a similar tool developed by Docker.

Both of these tools help to secure one particular layer of a containerized software stack: the image registry. They are integrated into the hosted registry services offered by CoreOS (Quay) and Docker (Docker Hub). They can be used offline as well.

Open-source security tools for other parts of the container stack remain more elusive.

Commercial Container Security Vendors

The list of startups that specialize in end-to-end container security solutions is now relatively long. These vendors aim to fill in the security gaps in a container stack built using open-source tools.

Vendors in this category include:

Most of these vendors offer platforms that combine analytics-based anomaly detection with container image management, access control and container runtime hardening.

The Future of Container Security

While the number of vendors in the container security market is now sizeable, this is still a very young ecosystem. Going forward, the market is likely to see the following:

  • The entry of more established security companies into the container security world. To date, almost all of the vendors in this space are startups that focus exclusively on container security. Traditional security vendors have not yet shown much interest in supporting containers. That is likely to change as the importance of the market grows and more established vendors either extend their functionality to support containers or acquire the startups that already have this technology.
  • Support for securing containers other than Docker. So far, the container security world has focused on Docker stacks. Other types of container technologies have received less attention. That makes sense, because Docker dominates the market currently. But as other types of container platforms—system containers, unikernels and more—grow in popularity, a market will develop for security tools that harden them.
  • Security solutions for Docker on Windows. If Docker is going to become a true production-ready technology on Windows, users will need a way to secure it. The existing Docker security solutions focus mostly on components that would exist only in a Linux-based Docker environment.

Christopher Tozzi

Christopher Tozzi has covered technology and business news for nearly a decade, specializing in open source, containers, big data, networking and security. He is currently Senior Editor and DevOps Analyst with Fixate.io and Sweetcode.io.

  • John Kinsella

    Christopher, the research on this piece could be stronger.

    First, Docker Security Scanner is not open source. In their FAQ (https://docs.docker.com/docker-cloud/builds/image-scan/#frequently-asked-questions) they admit intention to charge for the service, at some point.

    For those interested in open source solutions, there’s a more complete (but still not perfect) list in the security section of the Awesome Docker Github page (https://github.com/veggiemonk/awesome-docker#security).

    Lastly, on the commercial side, you’re missing both my startup, Layered Insight, and StackRox. We’ve been covered by Gartner/451/Forrester for a while, and with StackRox’s big PR push over the last week, I don’t see how either was missed.

    Always happy to chat about container security. Feel free to reach out.

    • Christopher Tozzi

      Thanks, John. Unfortunately I wrote this before the StackRox announcement last week and it was slow to get to press. I was not familiar with your startup. We’ll be sure to follow Layered Insight going forward along with other container security vendors.