How Docker Changes Cloud Security - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Cloud // Infrastructure as a Service
Commentary
10/21/2014
09:18 AM
Lucas Carlson
Lucas Carlson
Commentary
100%
0%

How Docker Changes Cloud Security

Docker's shared Linux kernel architecture isn't secure enough for multitenancy applications. This popular new container technology is, however, a great choice for banking, retail, and online apps.

People have been skeptical about the security of cloud technologies since the beginning of cloud computing. The idea of multitenancy -- that you could be on the same physical hardware as a stranger, even with the promise of virtual machine separation -- has always had an overtone of security disaster.

Time has shown that virtual machines do offer a strong layer of isolation, and more companies are adopting them every day. Docker containers are like micro virtual machines. For example, if a server could host 10 virtual machines, the equivalent server could host 100 or even 1,000 Docker containers.

The bad news is that out-of-the-box Docker is less secure than virtual machines and most cloud technologies. Because Docker containers share a Linux kernel, there's more risk that a kernel exploit could lead to privilege escalations. In layman's terms, multitenancy with Docker is a bad idea because there isn't enough inherent separation between containers to totally ensure that one customer can never access another customer's container.

[Having trouble identifying cloud benefits? Read Cloud ROI: 6 Takeaways To Consider.]

There are ways to mitigate this risk. For example, using Security-Enhanced Linux (or SELinux, originally developed by the NSA) makes it so that even if the Linux kernel is compromised, there's limited ability to do anything outside the container. But perfecting that setup can be challenging.

Reduced attack surfaces
The good news is that Docker's architecture of a shared Linux kernel actually enables you to dramatically reduce the attack vector surface area for Linux application development. If you're building technology that doesn't require multitenancy (like software for banks, retailers, and online businesses), you can actually improve your security by adopting Docker.

How? If you start with a minimalist Linux operating system built for Docker, like the open source CoreOS, you reduce the potential attack vectors on your host machine. CoreOS strips out most of the features and functionality from Linux, including package managers like apt-get and yum. It's difficult to install external code on CoreOS without using Docker. If you want to install Apache, for example, you must do it by pulling in a Docker container with Apache inside of it.

This requirement reduces one set of attack surface areas, because the accidental running of insecure code on the Docker host becomes much more difficult. But when you combine CoreOS with a special Docker feature called "scratch image," the security benefits become even clearer.

Scratch image is the most minimalistic Docker container. What exactly is in it? Absolutely nothing. It's built from an empty tar file. Not only is there no Apache, but no binaries are built in at all. This concept of no-binary disk images wouldn't be possible with virtual machines because virtual machines don't share Linux kernels, which means they need to come with their own binaries in order to function.

There is interesting work being done right now on building single-binary Docker containers using compiled Go binaries. This work dramatically reduces the attack vector surface area inside the Docker container itself. For example, if you're running your application code inside a scratch image, you don't have to worry about the Bash Shellshock bug. That's because you don't have bash in your container in the first place. The only possible OS-level (non-network) attack vector becomes the Linux kernel itself.

Tenets of securing Dockerized apps
When you combine minimal operating systems like CoreOS with SELinux and the scratch image, you remove unnecessary pieces of technology that could be exploited. Unlike with most Linux distributions, which bundle lots of unnecessary tools, with Docker you can create finely tuned, highly efficient clusters of infrastructure with fewer attack vectors.

When you combine that approach with the network-layer security features that Docker Inc. is planning for the coming year, the security value proposition for Dockerized application deployments becomes that much better.

Of course, this approach doesn't help much if the applications you build within Docker have vulnerabilities, but sometimes the unknowns are the things that haunt us the most. How many more Heartbleeds and Shellshocks are sitting in /usr/bin completely undiscovered?

Who wins in cloud price wars? Short answer: not IT. Enterprises don't want bare-bones IaaS for the same reasons they don't buy many $299 PCs at Wal-Mart. Providers must focus on support, not undercutting rivals. Get the Who Wins In Cloud Price Wars? issue of InformationWeek Tech Digest today. (Free registration required.)

Lucas Carlson is the Chief Innovation Officer of CenturyLink, a global cloud, hosting, network, and telecommunications provider. He publishes weekly Docker advice, tutorials, and open-source software such as Panamax (Docker Management for Humans) on the CenturyLink Labs Blog. View Full Bio
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Charlie Babcock
50%
50%
Charlie Babcock,
User Rank: Author
10/22/2014 | 4:12:38 PM
Good comments, not the last word
This is a good discusson of container security by CenturyLink's Lucas Carlson, and not the last word in terms of what will happen in making containers more secure. This will prove to be a rapidly evolving field, given the advantages in running Linux containers.
Commentary
Enterprise Guide to Edge Computing
Cathleen Gagne, Managing Editor, InformationWeek,  10/15/2019
News
Rethinking IT: Tech Investments that Drive Business Growth
Jessica Davis, Senior Editor, Enterprise Apps,  10/3/2019
Slideshows
IT Careers: 12 Job Skills in Demand for 2020
Cynthia Harvey, Freelance Journalist, InformationWeek,  10/1/2019
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
Getting Started With Emerging Technologies
Looking to help your enterprise IT team ease the stress of putting new/emerging technologies such as AI, machine learning and IoT to work for their organizations? There are a few ways to get off on the right foot. In this report we share some expert advice on how to approach some of these seemingly daunting tech challenges.
Slideshows
Flash Poll