Most blog posts about Docker security focus on how to make containers more secure. But it’s also worth appreciating the inherent security benefits that come with containers. Keep reading for insights on how using containers can make your software more secure by default.
To be sure, there are steps you can and should take to further harden your Docker containers. You should make sure your registry is secure. You also should remove non-essential components from images to minimize your attack surface, and secure the container runtime.
Security Benefits of Docker
But even in a default deployment, there are built-in security advantages of Docker (and containers in general). They include:
- Transparency. It’s easy to look inside a container image, or the Dockerfile on which it is based, to understand what runs inside the container. Inspecting virtual machine images is more difficult. It also helps that most of the code you run with Docker is open source, which arguably is better from a security perspective because anyone can inspect it to find security problems.
- Modularity. If you use containers to host a microservices application, you can link security problems to specific microservices. This makes it easier to find and resolve vulnerabilities without disrupting the entire application.
- Smaller attack surfaces. If you host applications on a virtual server, you have to secure the bare-metal host server, the virtual server and the application itself. With containers, you only need to secure the host, the Docker daemon (which is much smaller than a virtual operating system) and the application running inside the container. For this reason, containers give you a smaller attack surface to protect.
- Easy updates. With Docker containers, it’s easy to make sure your application is up to date by pulling the latest images from whichever registry you use. It’s also easy to apply patches quickly in response to security vulnerabilities by pushing updates out through the registry. The ability to update an application quickly, with minimal disruption to end users, is critical for addressing security vulnerabilities efficiently.
- Environment parity. Containers provide environment parity, meaning a consistent application environment regardless of which operating system hosts the application or whether it is running in testing or in production. This is a key selling point of Docker, and it matters for security because a containerized application that is deemed secure before production remains secure in production: the environment it runs in does not change between stages.
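The transparency point above can be put to work: because an image's configuration is plain JSON, a defender can audit what the image will run before deploying it. The script below is an added example, not code from the original post or from Docker; it reads a constructed image config laid out like the OCI image-spec config (the JSON inside an image from `docker save` or a registry) and flags a few things a reviewer would want to know: whether the image runs as root, which ports it exposes, secret-looking environment values, and build steps that pipe a download into a shell. The field names follow the OCI image spec; the sample values and the finding rules are assumptions.

```python
"""Audit an OCI image config for what the image will run by default."""
import json
import re

# Constructed sample config in the OCI image-spec layout; not a real image.
SAMPLE_CONFIG = json.dumps({
    "architecture": "amd64",
    "os": "linux",
    "config": {
        "User": "",                                   # empty means root
        "ExposedPorts": {"22/tcp": {}, "8080/tcp": {}},
        "Env": ["PATH=/usr/local/sbin:/usr/local/bin:/usr/bin",
                "API_TOKEN=example-placeholder"],
        "Entrypoint": ["/app/start.sh"],
        "Cmd": ["--port", "8080"],
    },
    "history": [
        {"created_by": "/bin/sh -c #(nop) ADD file:abc in /"},
        {"created_by": "/bin/sh -c apt-get update && apt-get install -y curl"},
        {"created_by": "/bin/sh -c curl -sSL https://example.invalid/install.sh | sh"},
        {"created_by": "/bin/sh -c #(nop) EXPOSE 22 8080", "empty_layer": True},
    ],
})

# Heuristics (assumed, not an official rule set): names that usually hold secrets,
# and build steps that execute whatever a download returns.
SECRET_ENV = re.compile(r"(TOKEN|SECRET|PASSWORD|KEY)=", re.IGNORECASE)
PIPE_TO_SHELL = re.compile(r"(curl|wget)\b.*\|\s*(ba)?sh\b")

def audit_image_config(config_json):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    doc = json.loads(config_json)
    cfg = doc.get("config", {})
    findings = []
    if cfg.get("User", "") in ("", "0", "root"):
        findings.append("runs as root: no USER set in the image")
    for port in cfg.get("ExposedPorts", {}):
        if port.startswith("22/"):
            findings.append("exposes SSH port %s; containers rarely need sshd" % port)
    for env in cfg.get("Env", []):
        if SECRET_ENV.search(env):
            findings.append("secret-looking ENV baked into image: %s" % env.split("=", 1)[0])
    for layer in doc.get("history", []):      # one entry per Dockerfile instruction
        step = layer.get("created_by", "")
        if PIPE_TO_SHELL.search(step):
            findings.append("layer pipes a download into a shell: %s" % step)
    return findings

def default_command(config_json):
    """The process the container starts with: ENTRYPOINT followed by CMD."""
    cfg = json.loads(config_json).get("config", {})
    return (cfg.get("Entrypoint") or []) + (cfg.get("Cmd") or [])

if __name__ == "__main__":
    print("default command:", " ".join(default_command(SAMPLE_CONFIG)))
    for finding in audit_image_config(SAMPLE_CONFIG):
        print(" -", finding)
```

The same review on a VM image would mean mounting a disk and reading init scripts; here it is a JSON file and a few lines of code.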
Again, the fact that containers provide inherent security benefits shouldn’t be taken as license to avoid taking the extra steps that can harden a Docker environment further. As with almost any type of technology, no matter how secure Docker is out of the box, there are things you can do to protect it even more.
Still, it’s worth noting how containers provide security benefits that other types of infrastructure platforms do not. Security is an important selling point for Docker.