By John Katsaros
December 4, 2015
At the recent DockerCon Europe conference, Docker Inc. announced a “comprehensive security offering that includes … hardware signing of container images, content auditing through image scanning, and vulnerability detection and granular access control policies with user namespaces.”
Certainly in the long run this will be an important feature set for enterprises; what’s not clear is the timing. The functionality announced is interesting and important but unlikely to impact “average” Docker enterprise users for many years. Meanwhile, there are security features that are necessary and convenient for most enterprise users in the next few years.
1. Many enterprise users will want a minimal security offering
Just assembling several simple minimum security systems is needed. The immediate issues that enterprise customers care about should be profiled into three or four scenarios and addressed common issues: SSL, isolation, DDS, etc.
Right now Docker’s security strategy may actually delay enterprise adoption. The security offerings cited in the press announcement seem to be very elegant, but not exceptionally enterprise-ready for a long time. A battle is going on between development teams and operations. If the security team gets involved, adoption will slow down.
2. Enterprises struggle with making security decisions.
Technical teams at enterprises are negotiating “ownership” of the container platform, and the security team gets involved. Even in the best of circumstances, an enterprise dealing with security takes forever to change its security strategy. These decisions get made on a yearly or bi-yearly basis. Enterprise IT organizations don’t like spending money on security – it doesn’t translate directly to either lower costs or higher revenues. Docker’s strategy should be “fit in” to what enterprises currently use and “stand out” by keeping things simple (SSL for example).
3. It will take a year (or more) before the first production deployment.
Several pieces described by Docker’s press release are not yet available–more likely a year or two before these features will be ready for prime time.
4. Why focus on vulnerability protection?
Vulnerability detection systems are in place at most enterprises – so this is probably more of an issue of adding containers to existing systems. On the other hand anomaly detection might be a useful feature – when a container is doing something strange, identifying an anomaly and resetting the container automatically may be extremely useful.
5. What is the threat?
Which security problem is Docker trying to address? What do customers want? What is being protected? What about internal threats (these are the ones that make headlines)? Understanding the security threats to containers is key to focusing on the security solutions.