How to Secure Containers Is Still Subject to Debate
NEWS ANALYSIS: Experts agree that security is paramount when it comes to containers. Yet how to properly secure containers is still a matter of some debate.In the world of virtualized application containers, security is top-of-mind. At both the DockerCon EU event last month in Barcelona, Spain, as well as the Tectonic Summit last week in New York City, the big news was all security-related. While there is no shortage of container security news, there is still some debate about how to properly secure containers. Docker Inc., the lead commercial sponsor behind the open-source Docker project, announced multiple security efforts at DockerCon EU, including project Nautilus for Docker application image scanning. Not be outdone, CoreOS, one of Docker Inc.'s primary rivals in the container market, announced Distributed Trusted Computing at its Tectonic Summit event. In some respects, the technologies announced by CoreOS and Docker Inc. for container security are similar, though they take different approaches. While Docker Inc. announced project Nautilus for scanning application images, CoreOS has its Clair project that scans container images for known vulnerabilities. When it comes to hardware encryption, CoreOS is using Trusted Computing concepts, including the use of Trusted Platform Module (TPM) hardware, in order to create and enable a chain of trust for container applications running on hardware that can be audited and verified. Docker is also using hardware for security but in a different way. At DockerCon EU, the company gave away Yubico USB keys that can be used to sign private encryption keys for application images.
There is also some debate about how containers should be run on a system. I moderated a panel at the Tectonic Summit that included Matthew Garrett, principal security software engineer at CoreOS; Tim Hobbs, advisor, product management at CA Technologies; and Frank Macreery co-founder and CTO, Aptible.
One of the key questions I asked the panel was whether it was a best practice to run a container inside a hypervisor. The consensus from the panel was that, today, in order to get the best isolation and security control, the use of a hypervisor is a good best practice. It's a model that CoreOS embraces as well with its rocket (rkt) container engine that integrates with Intel's Clear Containers technology. Clear Containers is a virtualization hypervisor that has been purpose-built for running containers.