The State of Container Security

To deploy containers in production today, you need to secure them. A growing list of companies want to help you do that. Here’s an overview of the major commercial offerings that cater to securing Docker, Kubernetes and other things container-related.

The Evolution of Docker Container Security

In Docker’s early days, container security meant hardening the Docker host system as much as possible, perhaps setting some container quota limits and hoping for the best.

Those days are gone. Modern container security entails a broad set of strategies and processes that address potential security gaps at various layers of your containerized environment, including:

  • Identity management and access control.
  • Network security.
  • Data security.
  • Host server security.
  • Container runtime security.
  • Container image and registry security.

Trying to secure all of these layers manually would not be practical. That’s why several vendors now offer platforms designed to help you keep your entire containerized application stack secure.

Commercial Tools

Here’s a roundup of some of the major vendors vying for a slice of the commercial container security space today.

Twistlock. Founded in 2015, specialized in security for Docker containers from the start, with an emphasis on cloud-based deployments (although Twistlock also works with on-premises environments). Twistlock pitches its platform as a holistic container security solution that secures images, runtimes and environment configurations, using scanning and AI-based assessment. Over the past couple of years, the company has expanded its focus to include serverless security, too.

Aqua Security. Aqua Security (or Aqua Sec for short), which was also founded in 2015, is very comparable to Twistlock in terms of features and focus. Its container scanner works a bit differently (for a good comparison of that feature, see this post), and some might contend that Aqua is easier to integrate into a CI/CD pipeline.

Sysdig. Sysdig, which dates to 2013, promotes itself as an overall cloud security company. Containers are one of its areas of focus, but Sysdig’s purview has historically been somewhat broader than that of companies such as Twistlock and Aqua. That said, Sysdig now emphasizes containers heavily, and pitches its platform as the best tool for building a “unified” security strategy that secures containerized and non-containerized workloads.

NeuVector. Founded in the same year as Twistlock and Aqua, NeuVector’s platform secures most parts of a containerized application. However, the company currently focuses on network security, presumably in a bid to differentiate itself from other commercial container vendors.

Alcide. Alcide is a newcomer to the world of container security, relatively speaking. It was founded in 2016. It’s comparable to Sysdig in that it markets its platform as a unified security solution for all types of cloud-based workloads, including but not limited to containers.

Conclusion

If you’re thinking that there is not a huge difference in features or technical functionality between the platforms described above, it’s because there’s really not. They all provide the same core features for assessing the security of container images and environments. They differ in their specific implementations of those features. One platform might discover vulnerabilities in a container image or configuration that another misses, for example.

But they do differ in their areas of focus and specialty. To a degree, this is a matter of marketing; NeuVector’s decision to promote itself as a container and Kubernetes networking security provider is probably partially an effort to set itself apart in a crowded market. Nonetheless, the security niches that each vendor has chosen to focus on also provide clues on how their platforms will evolve in the future. If today most commercial container security platforms are more or less the same feature-wise, the same might not hold true tomorrow as vendors develop stronger specialties oriented around particular features.

Christopher Tozzi

Christopher Tozzi

Christopher Tozzi has covered technology and business news for nearly a decade, specializing in open source, containers, big data, networking and security. He is currently Senior Editor and DevOps Analyst with Fixate.io and Sweetcode.io.

Christopher Tozzi has 242 posts and counting. See all posts by Christopher Tozzi