It’s a time-honored story arc at this point; an emerging technology gains rabid affection among practitioners eager to embrace its inherent benefits, then related security concerns begin to cloud the horizon, threatening to dampen enthusiasm.
However, if history has proven anything about this narrative, the folks at Docker, the undisputed darling of the ongoing application container revolution, likely don't need to worry that security fears will soon slow adoption.
For starters, there’s the reality that unaddressed security issues never served to markedly slow the uptake of other paradigm-shifting innovations, including mobility, virtualization and the cloud. There’s also the fact that Docker is attempting to stay ahead of the curve and calm existing security apprehensions before the outcry gets any louder.
In mid-August, Docker officials took the stage at the Containercon conference in Seattle to promote Docker Content Trust, the first major salvo issued by the open source project in addressing evolving container security practices. Delivered as an element of the Docker 1.8 release, Docker Content Trust employs cryptographic means to help ensure the legitimacy of the code and software versions that developers end up running within their infrastructures.
At its core, the approach is designed to shield Docker users from being affected by shared application images which could harbor malicious backdoors, or other potential security risks. In addition to application image authentication, Docker Content Trust also promises to verify application “freshness” to help prevent potential fraud or malware code injection, said Diogo Mónica, security lead for the Docker project.
“We’ve reached amazing velocity with developers, but that doesn’t necessarily translate over to the people in operations, who are asking some of the hard questions,” Mónica said. “With Content Trust, we’ve established strong security standards while finding the right balance so that developers won’t have to think as much about security, and operations will be onboard; we feel that by going beyond the status quo, we’ve actually made Docker security an asset.”
Mónica maintains that Docker’s digital signature mechanism will prevent potential man-in-the-middle attacks that seek to leverage maliciously signed or modified container images. As an example, the expert ran a live demo on stage at Containercon in which he illustrated how Content Trust could be used to prevent web apps built using such nefarious images from ultimately being defaced.
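The two properties the article attributes to Content Trust, image authenticity and freshness, can be made concrete with a small model. The Go program below is an added example, not Docker's or Notary's code: it stands in for the signed tag metadata Content Trust publishes (Docker's real implementation builds on The Update Framework via Notary, and the image name, digest and key handling here are constructed for illustration). A client that verifies this way rejects a modified or re-signed image (signature check), an old, once-valid image replayed after the fact (expiry check, the freshness guarantee), and a tag that now points at a different manifest than the one that was signed (digest check).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// SignedTarget is a constructed, simplified stand-in for the signed metadata
// Content Trust attaches to an image tag: the manifest digest the tag must
// resolve to, and until when that statement is valid.
type SignedTarget struct {
	Tag     string `json:"tag"`
	Digest  string `json:"digest"`  // "sha256:<hex>" of the image manifest
	Expires int64  `json:"expires"` // unix seconds; after this the metadata is stale
}

// Envelope carries the serialized metadata and the publisher's signature over it.
type Envelope struct {
	Payload   []byte
	Signature []byte
}

var (
	ErrBadSignature   = errors.New("metadata signature does not verify against the publisher key")
	ErrExpired        = errors.New("signed metadata has expired: refusing stale (possibly replayed) content")
	ErrDigestMismatch = errors.New("pulled image digest does not match the signed digest")
)

// Sign serializes the target metadata and signs it with the publisher's key
// (in Docker terms, the repository key held by whoever pushes the image).
func Sign(priv ed25519.PrivateKey, t SignedTarget) (Envelope, error) {
	payload, err := json.Marshal(t)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify is what a trust-enabled client does before running a pulled image:
//  1. the signature must verify (defeats a modified or re-signed image),
//  2. the metadata must not have expired (defeats replay of an old image:
//     the "freshness" property),
//  3. the digest actually pulled must equal the signed digest.
func Verify(pub ed25519.PublicKey, env Envelope, pulledDigest string, now time.Time) (SignedTarget, error) {
	if !ed25519.Verify(pub, env.Payload, env.Signature) {
		return SignedTarget{}, ErrBadSignature
	}
	var t SignedTarget
	if err := json.Unmarshal(env.Payload, &t); err != nil {
		return SignedTarget{}, err
	}
	if now.Unix() > t.Expires {
		return t, ErrExpired
	}
	if t.Digest != pulledDigest {
		return t, ErrDigestMismatch
	}
	return t, nil
}

func main() {
	// Constructed publisher key pair for the demonstration.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	signed := SignedTarget{
		Tag:     "example/webapp:1.0",      // hypothetical image name
		Digest:  "sha256:0123456789abcdef", // constructed digest
		Expires: time.Now().Add(24 * time.Hour).Unix(),
	}
	env, err := Sign(priv, signed)
	if err != nil {
		panic(err)
	}
	now := time.Now()

	_, err = Verify(pub, env, signed.Digest, now)
	fmt.Println("genuine image:    ", err) // <nil>

	_, err = Verify(pub, env, "sha256:fedcba9876543210", now)
	fmt.Println("swapped image:    ", err) // digest mismatch

	_, err = Verify(pub, env, signed.Digest, now.Add(48*time.Hour))
	fmt.Println("stale metadata:   ", err) // expired

	tampered := Envelope{Payload: append([]byte(nil), env.Payload...), Signature: env.Signature}
	tampered.Payload[len(tampered.Payload)-1] ^= 0x01
	_, err = Verify(pub, tampered, signed.Digest, now)
	fmt.Println("tampered metadata:", err) // bad signature
}
```

The order of the checks matters: the signature is verified before the payload is parsed, so an attacker who can alter bytes in transit never gets to influence which digest or expiry the client believes. In Docker 1.8 itself, the equivalent verification is switched on for `docker pull` and `docker push` by setting the environment variable `DOCKER_CONTENT_TRUST=1`.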
On a broader scale, Docker officials contend that security concerns have not thus far affected the current pace of adoption, pointing to widespread use by large organizations including the U.S. General Services Administration as further proof that related objections have not yet created any hurdles.
“We don’t think that [security] is hindering adoption at all, and we already have use cases within organizations that maintain very high security tolerances,” said Mónica. “In fact, one of the reasons why customers are using Docker is they want something more secure than what’s out there; we feel that we’ve already built a consensus as the securest manner to deploy applications.”
Industry experts remain at odds over whether or not Docker’s security claims ring true, with some observers in agreement that practitioners continue to forge ahead unabated and others seeing mature security organizations cautious in approaching the technology. Either way, industry analysts are certain that as Docker gains even more widespread engagement, taking a more aggressive approach to security will become a necessity for both the project and developers that seek to employ it.
“Docker is thrilling for DevOps teams, but there are still a lot of product issues to be solved, and security is at the top of the list,” said Dave Bartoletti, analyst at Forrester Research. “Aside from some best practices there hasn’t been a lot until now, and there really does need to be a more solid security approach before you put all this into production in your datacenter.”
Bartoletti compares the situation most closely to the adoption of virtualization, where considerations such as compliance with the PCI Data Security Standard were often conveniently overlooked by practitioners before specific requirements were eventually established. The expert thinks that basic security concerns related to Docker will linger for at least a few more years, though they will not greatly slow uptake. At the same time, the analyst observed that it makes a lot of sense for Docker to help developers bake in security via API using Content Trust, just as they have for the integration of other core capabilities such as application performance monitoring.
“With virtualization, people deployed anyway, even when security and compliance hadn’t caught up yet, and I think we’ll see a lot of the same with Docker,” he said.
Other experts remain skeptical that enterprises in particular will embrace Docker until a lot more security questions have been answered.
“The reality is that security is still a barrier today, and some companies won’t go near [Docker] until there are certain standards in place,” said Adrian Sanabria, analyst with 451 Research. “In particular, companies with mature security practices will wait for standardization to be there, and for certain entities to recognize it as an established platform. We’re also seeing the first wave of companies that will seek to do that work for them.”
As with today's robust mobile, virtual and cloud security landscapes, these startups are cropping up both to address existing issues and in the hope of cashing in on future, far more prolific adoption of Docker and containerized applications, Sanabria said. Among the providers already seeking to do so are names including Twistlock, Scalock and StackRox.
In most cases, the third party providers currently seek to address some of the same issues of image verification that Docker has moved to tackle with the release of Content Trust. However, as use cases for Docker continue to diverge, the analyst said that demand for additional security expertise will also become more diverse.
“One of the things that we’ve observed is that we will see niche specialized forks of Docker itself, and as a result we’ll see specific security capabilities to address those specialized versions,” said Sanabria. “Docker still appeals very much to the do-it-yourself crowd, and that’s why it’s still mostly about pockets of developers and not enterprise customers. Over time we’ll see greater need for versions that cater more to the enterprise, including these security provisions.”
Of course, for those security startups seeking to attach themselves to the Docker revolution, the message remains a careful balancing act that weighs any sense of related concern against a general optimism about the future of containerization.
“It’s not that Docker or containers in general are inherently insecure, but like any new technology, there are new risks and threats to protect against,” said John Morello, chief technology officer at Twistlock. “Today, the most visible risk is software vulnerabilities within containers. Containers make it really easy for developers to package up apps and ship them quickly to production. However, containers don’t automatically keep themselves up to date, so it’s really easy to end up with lots of software vulnerabilities hiding within them.”