Docker Takes on Secrets Management

The current general perception is that containers are less secure than legacy approaches to developing and deploying applications. Docker Inc. says it plans to show that containers are in fact a better way to secure applications.

Docker Inc. has announced that Docker Datacenter now includes a secrets management capability designed to allow developers to safely store keys and passwords in a separate container-native repository.

Nathan McCauley, security director at Docker Inc., says that repository not only better protects various keys and credentials used to access applications, but also encrypts that information at rest and in transit.

Specifically, he says, Docker Datacenter makes use of an encrypted distributed datastore as a default component of its orchestration software. Under that approach, secrets are encrypted on the cluster managers. When containers are provisioned, the secrets are delivered to them over an encrypted Transport Layer Security (TLS) connection. Only an authorized application running in the container can gain access to those secrets, because they are never saved to the nodes in the cluster.
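As an added example (not code from the article or from Docker Inc.), the flow described above from both sides, assuming a hypothetical service `web`, image `example/web:latest` and secret `db_password`: the manager-side commands put a secret into the Swarm store and attach it to a service, and the container-side function reads it from the in-memory mount under `/run/secrets` instead of from an environment variable.

```shell
#!/bin/sh
# Added example, not from the article or Docker Inc. Names are hypothetical:
# service "web", image "example/web:latest", secret "db_password".
# The docker commands need a Swarm manager ("docker swarm init"); read_secret
# runs inside the container and needs no Docker at all.

# Manager side: the secret goes into the encrypted store on the managers; it is
# read from stdin so the value never lands in a file or in shell history.
create_and_attach_secret() {
  printf '%s' "$1" | docker secret create db_password - &&
  docker service create --name web --secret db_password example/web:latest
}

# Container side: Swarm mounts each secret as a file under /run/secrets on an
# in-memory filesystem, so the application reads it from there. The optional
# second argument overrides the directory so the function can be exercised offline.
read_secret() {
  name=$1
  dir=${2:-/run/secrets}
  file="$dir/$name"
  if [ ! -f "$file" ] || [ ! -r "$file" ]; then
    echo "secret '$name' is not mounted at $file" >&2
    return 1
  fi
  cat "$file"
}

# Refuse the legacy fallback: a password in an environment variable is visible
# to 'docker inspect' and to every process in the container, so treat it as a
# misconfiguration instead of silently using it.
require_secret_not_env() {
  name=$1
  dir=${2:-/run/secrets}
  if [ -n "$DB_PASSWORD" ]; then
    echo "refusing to run: DB_PASSWORD is set in the environment; use a Docker secret" >&2
    return 2
  fi
  read_secret "$name" "$dir"
}
```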

In contrast, legacy approaches to managing secrets for container applications typically involve storing passwords within the application itself, or bolting on a separate system that was not designed to support container-based microservices. Rival approaches to securing secrets with Kubernetes, for example, fail to sufficiently isolate those secrets from all the applications sharing the cluster, which in turn creates compliance issues for IT organizations, he says.

Portability is one of the primary reasons IT organizations embrace containers, McCauley notes, and Docker Datacenter’s approach to managing secrets makes it easier for IT organizations to manage access to applications regardless of where they happen to be running.

In addition, this approach to managing secrets makes it easier for developers and IT operations teams to work together in determining who should have access to which elements of an application at any given time, he says.

McCauley notes that the inability to secure passwords and keys has been holding up the rollout of many container applications in production environments. Now that Docker provides a means of managing those secrets securely, Docker Inc. expects the number of container applications deployed in production to accelerate considerably in the months ahead.

In fact, rather than security being a reason not to employ containers, McCauley says Docker Inc. expects the methods it is applying to manage secrets will help organizations realize that containers are a more secure way to deploy application code.

Of course, improved secrets management for applications doesn’t resolve every potential container security issue. But it does go a long way in making developers and IT organizations more comfortable with adopting containers, especially at a time when many of them are castigated regularly about deploying insecure applications.

Many IT organizations now need to determine whether developers should be held accountable for security instead of continuing to rely on IT security specialists, who usually get involved after it’s too late to do anything other than remediate a problem.

Mike Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.