Docker Tightens Security Over Container Vulnerabilities - InformationWeek
11/17/2015
11:06 AM

Docker unveils three ways to make containers more secure, especially when code is changed during its update cycle.


Docker has added support for hardware-backed signing of container images: developers who build images and updates can keep their signing key on a Yubico YubiKey 4, a USB token, so that the images they push to a repository can be verified by recipients to have arrived untampered with and intact.

It was one of three major container security improvements added to the Docker platform, announced November 16 and 17 at DockerCon Europe in Barcelona.

Docker had already implemented The Update Framework (TUF), a design for securing software-update systems, in the Docker 1.8 release under the name Docker Content Trust; its signing service is called Notary. With Content Trust enabled, a publisher signs the metadata describing each image pushed to a repository, and a Docker Engine pulling that image refuses to run it unless the signature verifies against the publisher's key and the image's content digest matches what was signed. TUF is tougher than a single signing key because it splits trust across several keys: a root key, kept offline, delegates to keys that sign on the publisher's server. If that online signing server is compromised, the root key can revoke and replace the compromised keys, and clients that pick up the new root metadata stop trusting anything the attacker signed.

At Barcelona's DockerCon, Docker announced a new layer for that signing process. Developers and system administrators can keep their Content Trust signing key on a YubiKey 4 plugged into the USB port of their laptop or workstation; the device signs the image metadata itself, and the private key never leaves it. As the image moves from developer to repository to production system, anyone pulling it can check that signature against the publisher's public key and know both that the image has not changed since it was signed and that only the holder of that hardware token could have signed it.

Yubico's YubiKey 4 is the current state of the art.

Using the key is a two-factor operation: the private key can only be exercised by someone who holds the device and unlocks it, and the YubiKey 4 confirms the user's presence by requiring a physical touch of the device before it produces a signature, said Scott Johnston, senior vice president of product at Docker. Even if a developer's YubiKey were lost or stolen, it would be worthless without that second factor. The YubiKey 4 has no fingerprint reader; the device is unlocked with a PIN, and each signature must be authorized by touching the key's capacitive button.

(Image: Wavebreak/iStockphoto)

Two-factor authentication makes it extremely difficult for someone to intercept and alter code in transit, or to spoof a signature in order to deliver malware to the intended recipient, Johnston said.
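The key separation that lets Content Trust survive a compromised signing server can be shown in a few dozen lines. The following Go program is an added example written for this article, not Docker's or Notary's code: it keeps a simplified TUF-style hierarchy of an offline root key (the one a hardware token would hold) and an online targets key, then walks through an honest publish, the theft of the online key, and recovery by rotating that key from the root. Real TUF adds snapshot and timestamp roles, expiry and key thresholds, all omitted here; the image tag, digests and version numbers are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// RootMeta: signed by the offline root key (e.g. on a hardware token); names
// the online targets key the client should currently trust.
type RootMeta struct {
	Version   int    `json:"version"`
	TargetKey []byte `json:"target_key"`
}

// TargetsMeta: signed online on every push; maps image tags to digests.
type TargetsMeta struct {
	Targets map[string]string `json:"targets"`
}

type Signed struct{ Body, Sig []byte } // serialized metadata + ed25519 signature

func sign(priv ed25519.PrivateKey, v interface{}) Signed {
	body, _ := json.Marshal(v) // cannot fail for the plain structs above
	return Signed{body, ed25519.Sign(priv, body)}
}

// Client pins the root public key out of band (on first pull) and keeps the
// highest root version it has accepted, so stale root metadata is refused.
type Client struct {
	rootPub ed25519.PublicKey
	root    RootMeta
}

// UpdateRoot accepts root metadata only if the pinned root key signed it and
// its version is strictly newer than the one already held.
func (c *Client) UpdateRoot(s Signed) error {
	if !ed25519.Verify(c.rootPub, s.Body, s.Sig) {
		return fmt.Errorf("root: bad signature")
	}
	var r RootMeta
	if err := json.Unmarshal(s.Body, &r); err != nil || r.Version <= c.root.Version {
		return fmt.Errorf("root: malformed or not newer than version %d, refused", c.root.Version)
	}
	c.root = r
	return nil
}

// VerifyTarget returns the digest the currently trusted targets key vouches
// for tag, or an error if the key or signature does not match.
func (c *Client) VerifyTarget(s Signed, tag string) (string, error) {
	if len(c.root.TargetKey) != ed25519.PublicKeySize ||
		!ed25519.Verify(ed25519.PublicKey(c.root.TargetKey), s.Body, s.Sig) {
		return "", fmt.Errorf("targets: not signed by the trusted targets key")
	}
	var t TargetsMeta
	if err := json.Unmarshal(s.Body, &t); err != nil || t.Targets[tag] == "" {
		return "", fmt.Errorf("targets: tag %q not listed", tag)
	}
	return t.Targets[tag], nil
}

func accepts(c *Client, s Signed, want string) bool {
	d, err := c.VerifyTarget(s, "app:1.0")
	return err == nil && d == want
}

func targets(priv ed25519.PrivateKey, digest string) Signed {
	return sign(priv, TargetsMeta{map[string]string{"app:1.0": digest}})
}

// Outcome records what the client accepted at each stage of RunScenario.
type Outcome struct {
	HonestOK, AttackerAccepted, RootRotated, RollbackRefused, AttackerRejected, PublisherOK bool
}

// RunScenario: honest publish, theft of the online signing key, recovery by
// rotating that key from the offline root. Digests are constructed placeholders.
func RunScenario() Outcome {
	const good, evil = "sha256:1111", "sha256:6666"
	rootPub, rootPriv, _ := ed25519.GenerateKey(nil) // offline root; nil = crypto/rand
	tPub1, tPriv1, _ := ed25519.GenerateKey(nil)     // online signing server key
	c := &Client{rootPub: rootPub}
	rootV1 := sign(rootPriv, RootMeta{Version: 1, TargetKey: tPub1})
	var o Outcome
	o.HonestOK = c.UpdateRoot(rootV1) == nil && accepts(c, targets(tPriv1, good), good)
	// The online key is stolen: a forged digest is indistinguishable from a real push.
	forged := targets(tPriv1, evil)
	o.AttackerAccepted = accepts(c, forged, evil)
	// Recovery: the offline root names a fresh online key in a newer root.
	tPub2, tPriv2, _ := ed25519.GenerateKey(nil)
	o.RootRotated = c.UpdateRoot(sign(rootPriv, RootMeta{Version: 2, TargetKey: tPub2})) == nil
	o.RollbackRefused = c.UpdateRoot(rootV1) != nil // old root still trusting the stolen key
	o.AttackerRejected = !accepts(c, forged, evil)
	o.PublisherOK = accepts(c, targets(tPriv2, good), good)
	return o
}

func main() { fmt.Printf("%+v\n", RunScenario()) }
```

Run with `go run`; every field of the printed Outcome is true. The forged digest is accepted for as long as the stolen key is trusted, and refused as soon as the offline root publishes a newer root that no longer names that key. The version check on root metadata is what stops an attacker from replaying the old root that still trusted the stolen key, which is why the root key must stay offline (or on a token) rather than on the signing server.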

In another move, Docker has added image scanning to the Docker Hub.

As users assemble container workloads from publicly available base images such as Ubuntu's, Docker image scanning checks the packages inside each image against published vulnerability data, flagging releases that carry known vulnerabilities. When an image contains a vulnerable release, both the downloader and the publisher are notified, with the publisher expected to fix it.

With image scanning, "IT organizations can rely on Official Repos (like the Ubuntu repository) as a curated source for secure, high integrity content," Johnston said.

Previously a system administrator would have to track the vulnerability information published by each Linux distributor and by other sources of online code. With Docker Hub providing scans, independent software vendors can deliver content whose contents have been checked, and, combined with Content Trust confirming where an image came from, recipients can treat it as vetted content rather than taking it on faith. Docker Hub was serving approximately 4,000 image pulls a minute at the time.

[Want to learn more about Docker's previous moves to shore up container security? See Docker to Defang Root Privilege Access.]

In a third security improvement, Docker's 1.9 Experimental release (the early preview build) adds support for Linux user namespaces, letting operations managers run containers under a range of user and group IDs that is remapped from the host's own. For the first time, root inside a container is no longer root on the host. Only the Docker daemon runs as root, and access to the daemon can be restricted to a defined set of system administrators.

In the past, the root user inside each container was uid 0 on the host as well, so a process that escaped the container's isolation, whether through a bug or a misconfiguration, held root on the host and could reach all of its resources. With user namespaces, uid 0 inside the container is mapped to an unprivileged uid on the host, so an escape yields an ordinary unprivileged account rather than host root, and this long-standing weakness in container operations is walled off from further mischief.
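The uid translation that user namespaces perform, as an added example in Go rather than code from Docker: the functions below parse the three-column format of /proc/<pid>/uid_map and the user:start:count format of /etc/subuid, then show why a remapped container root cannot touch files owned by host root. The sample subuid entries and uid_map lines are constructed for the example, and RemapFromSubuid takes only the first range for the user, a simplification of what dockerd does with --userns-remap.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Mapping is one line of /proc/<pid>/uid_map: the first uid inside the
// namespace, the host uid it maps to, and how many consecutive ids follow.
type Mapping struct{ Inside, Host, Count uint32 }

// OverflowUID is the kernel default for ids that have no mapping (kernel.overflowuid).
const OverflowUID uint32 = 65534

// ParseUIDMap parses uid_map text; gid_map uses the same three-column format.
func ParseUIDMap(text string) ([]Mapping, error) {
	var maps []Mapping
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		if len(f) != 3 {
			return nil, fmt.Errorf("uid_map: want 3 fields, got %q", line)
		}
		var v [3]uint32
		for i, s := range f {
			n, err := strconv.ParseUint(s, 10, 32)
			if err != nil {
				return nil, fmt.Errorf("uid_map: %q: %v", s, err)
			}
			v[i] = uint32(n)
		}
		maps = append(maps, Mapping{v[0], v[1], v[2]})
	}
	return maps, nil
}

// ToHost returns the host uid behind a uid seen inside the container, and
// false if that id is not mapped at all.
func ToHost(maps []Mapping, inside uint32) (uint32, bool) {
	for _, m := range maps {
		if inside >= m.Inside && inside-m.Inside < m.Count {
			return m.Host + (inside - m.Inside), true
		}
	}
	return 0, false
}

// ToContainer returns what the container sees for a host uid. Unmapped host ids,
// notably real root (uid 0), appear as OverflowUID, so container root cannot own them.
func ToContainer(maps []Mapping, host uint32) uint32 {
	for _, m := range maps {
		if host >= m.Host && host-m.Host < m.Count {
			return m.Inside + (host - m.Host)
		}
	}
	return OverflowUID
}

// RemapFromSubuid builds the mapping derived from the first /etc/subuid range of
// user ("dockremap" with --userns-remap=default): container uid 0 -> start of range.
func RemapFromSubuid(subuid, user string) (Mapping, error) {
	for _, line := range strings.Split(subuid, "\n") {
		p := strings.Split(strings.TrimSpace(line), ":")
		if len(p) != 3 || p[0] != user {
			continue
		}
		start, err1 := strconv.ParseUint(p[1], 10, 32)
		count, err2 := strconv.ParseUint(p[2], 10, 32)
		if err1 != nil || err2 != nil {
			return Mapping{}, fmt.Errorf("subuid: bad range for %s: %q", user, line)
		}
		return Mapping{Inside: 0, Host: uint32(start), Count: uint32(count)}, nil
	}
	return Mapping{}, fmt.Errorf("subuid: no entry for %s", user)
}

// Constructed sample inputs for the example, not copied from a real host.
const (
	sampleSubuid = "dockremap:100000:65536\nalice:165536:65536\n"
	noRemapMap   = "0 0 4294967295" // uid_map of a container run without user namespaces
)

func main() {
	legacy, _ := ParseUIDMap(noRemapMap)
	h, _ := ToHost(legacy, 0)
	fmt.Println("without user namespaces, container root is host uid", h)
	m, err := RemapFromSubuid(sampleSubuid, "dockremap")
	if err != nil {
		panic(err)
	}
	h, _ = ToHost([]Mapping{m}, 0)
	fmt.Println("with --userns-remap, container root is host uid", h)
	fmt.Println("host root appears inside the container as uid", ToContainer([]Mapping{m}, 0))
}
```

With the legacy identity mapping, container root resolves to host uid 0; with the dockremap range it resolves to 100000, and host root is visible from inside the container only as the overflow uid 65534, which no container process can match. The same translation applies to gid_map and /etc/subgid.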

In addition, IT operations can establish granular access-control rights, giving explicit permission to certain departments or teams to use certain Dockerized services. This new control prevents one organization from inadvertently being given control over another organization's application services, Johnston said.


Charles Babcock is an editor-at-large for InformationWeek and author of Management Strategies for the Cloud Revolution, a McGraw-Hill book. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive ...

Comment from Charlie Babcock (Author), 11/17/2015 1:02:28 PM
Code in motion, accompanied by good security
Software security is not just the protection of running systems from intrusions. It's also the protection of code on its journey to becoming a production system. Nowadays, that can be a journey of many miles across continents instead of just across the data center. And Docker is showing it understands how to radically improve protection of code in motion.