Docker Tightens Security Over Container Vulnerabilities
Docker unveils three ways to make containers more secure, especially when code is changed during its update cycle.
Docker has added hardware-backed signing, using the YubiKey USB device, so that developers of container images and updates can ensure that the code they push to a repository arrives intact and untampered with.
It was one of three major container security improvements added to the Docker Platform announced November 16 and 17 at DockerCon Europe in Barcelona.
Docker has already implemented The Update Framework (TUF), a method of confirming that the digital signature applied to a container image in a repository matches the signature on the code arriving at an enterprise's Docker system. TUF goes beyond a bare public-key signature because it is designed to restore the security system's integrity even if the signing server is compromised. Docker calls its implementation Docker Content Trust.
At DockerCon in Barcelona, Docker announced a new layer in this code- and identity-confirming process. Developers and system administrators can plug a keychain-fob-sized YubiKey 4 into the USB port of a laptop or workstation and use it to attach their unique identifier to the container image. As the code moves along its journey to a production system, that identifier continually assures the recipient that only the intended hands have touched the code.
Yubico's YubiKey 4 is the current state of the art.
Its two-factor authentication requires the device to recognize the user's fingerprint before it will issue the user identification to a containerized application, said Scott Johnston, senior vice president of product at Docker. Even if a developer's YubiKey were lost or stolen, it would be worthless without the correct fingerprint.
Two-factor authentication makes it extremely difficult for someone to abduct code in transit or spoof it to deliver malware to the intended recipient, Johnston said.
In another move, Docker has added image scanning to the Docker Hub.
As users assemble container workloads from source code in publicly available repositories such as Ubuntu's, Docker image scanning checks the release version of that code and looks for known vulnerabilities. If the code is a release with known vulnerabilities, both the downloader and the supplier are notified, and the supplier is expected to fix it.
With image scanning, "IT organizations can rely on Official Repos (like the Ubuntu repository) as a curated source for secure, high integrity content," Johnston said.
Previously, a system admin would have to track the vulnerability information published by each Linux distributor and by other sources of online code. With Docker Hub providing scans, independent software vendors can now deliver content that recipients will regard as secure, because the code's origin has been confirmed. Docker Hub serves approximately 4,000 container downloads a minute.
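To make the scanning step concrete, here is an added example (not Docker Hub's scanner and not code from the article) of the core comparison such a scan performs: take the package versions found in an image and compare them against a list of advisories, flagging any package installed at a version below the one that carries the fix. The advisory identifiers, package versions and fixed-in versions below are constructed sample data, not real CVEs.

```python
"""Minimal image-scan check: compare an image's package list against advisories.

Added example, not Docker Hub's scanner. The advisories and package versions
are constructed sample data; the "ADV-nnnn" ids are placeholders, not CVEs.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder id (constructed)
    package: str       # package the advisory applies to
    fixed_in: str      # first version that carries the fix


def version_key(version: str) -> tuple:
    """Turn a version string into a tuple that compares sensibly.

    '1.0.1e' -> ((0,1),(0,0),(0,1),(1,'e')). Numeric runs compare as ints,
    letter runs as strings; the leading tag keeps int/str comparisons from
    colliding. Good enough for this demo, but real scanners use the
    distribution's own comparator (dpkg/rpm epochs, '~' pre-releases, etc.).
    """
    parts = re.findall(r"\d+|[a-zA-Z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def is_affected(installed: str, fixed_in: str) -> bool:
    """An installed version below the fixed-in version is still vulnerable."""
    return version_key(installed) < version_key(fixed_in)


def scan(packages: dict, advisories: list) -> list:
    """Return (advisory_id, package, installed, fixed_in) for each hit."""
    findings = []
    for adv in advisories:
        installed = packages.get(adv.package)
        if installed is not None and is_affected(installed, adv.fixed_in):
            findings.append((adv.advisory_id, adv.package, installed, adv.fixed_in))
    return findings


# Constructed sample: what a scanner would read out of an image's package database.
SAMPLE_PACKAGES = {"openssl": "1.0.1e", "bash": "4.3-7ubuntu1.5", "curl": "7.35.0"}

# Constructed sample advisory feed (placeholder ids, not real advisories).
SAMPLE_ADVISORIES = [
    Advisory("ADV-0001", "openssl", "1.0.1f"),        # installed 1.0.1e is below the fix
    Advisory("ADV-0002", "bash", "4.3-7ubuntu1.5"),   # installed version already has the fix
    Advisory("ADV-0003", "libxml2", "2.9.1"),         # package not present in the image
]

if __name__ == "__main__":
    for advisory_id, package, installed, fixed_in in scan(SAMPLE_PACKAGES, SAMPLE_ADVISORIES):
        print(f"{advisory_id}: {package} {installed} is below fixed version {fixed_in}")
```

The comparison is only as good as the advisory feed behind it, which is the point the article makes about Docker Hub taking over the job of tracking each distributor's published vulnerabilities: the scan itself is simple, keeping the feed current and matching it to the right distribution's version scheme is the hard part.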
In a third security improvement, Docker's latest 1.9 Experimental release (the early preview version) enables operations managers to assign privileges by user group for each container. For the first time, the containers have been separated from root access on the host. Only the Docker daemon has root access, and that access to the Docker daemon can be restricted to a defined set of system administrators.
In the past, each container had root access to the host, meaning it could access all the host's resources if its code instructed it to do so. By using Linux namespaces to separate the container from the Docker daemon, this old vulnerability in container operations is walled off from further mischief.
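The mechanism behind that separation is the Linux user namespace: the kernel keeps a per-namespace uid_map (read from /proc/<pid>/uid_map, each line being inside-id, outside-id, length) that translates the container's UIDs to host UIDs. The following is an added example, not Docker's code, that parses that format and shows why a remapped container's root is harmless on the host: container UID 0 lands on an unprivileged host UID, and host UID 0 has no counterpart inside. The two mapping strings are constructed samples in the kernel's format.

```python
"""Translate container UIDs to host UIDs through a user-namespace uid_map.

Added example, not Docker code. The mapping strings are constructed samples in
the format of /proc/<pid>/uid_map: "<inside-id> <outside-id> <length>" per line.
"""
from typing import List, Optional, Tuple

# UID the kernel presents for ids that have no mapping ("nobody" on most systems).
OVERFLOW_UID = 65534

UidMap = List[Tuple[int, int, int]]


def parse_uid_map(text: str) -> UidMap:
    """Parse uid_map text into (inside, outside, length) triples."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        inside, outside, length = (int(f) for f in fields)
        entries.append((inside, outside, length))
    return entries


def container_to_host_uid(uid_map: UidMap, container_uid: int) -> Optional[int]:
    """Host UID that a container UID really is; None if the id is unmapped."""
    for inside, outside, length in uid_map:
        if inside <= container_uid < inside + length:
            return outside + (container_uid - inside)
    return None  # kernel shows OVERFLOW_UID for such ids


def host_to_container_uid(uid_map: UidMap, host_uid: int) -> Optional[int]:
    """Container UID under which a host UID appears; None if invisible inside."""
    for inside, outside, length in uid_map:
        if outside <= host_uid < outside + length:
            return inside + (host_uid - outside)
    return None


def root_is_host_root(uid_map_text: str) -> bool:
    """True when UID 0 inside the container is UID 0 on the host (the old situation)."""
    return container_to_host_uid(parse_uid_map(uid_map_text), 0) == 0


# Constructed samples.
NO_REMAP = "0 0 4294967295"   # initial namespace: container root == host root
REMAPPED = "0 100000 65536"   # remapped: container root -> unprivileged host uid 100000

if __name__ == "__main__":
    for label, text in (("no remap", NO_REMAP), ("remapped", REMAPPED)):
        m = parse_uid_map(text)
        print(f"{label}: container uid 0 -> host uid {container_to_host_uid(m, 0)}, "
              f"host uid 0 visible inside as {host_to_container_uid(m, 0)}")
```

Run inside a container, `root_is_host_root(open('/proc/self/uid_map').read())` answers directly whether the daemon was started with a remap; a process in the default configuration sees the single "0 0 4294967295" entry of the initial namespace, while a remapped container sees a window such as the sample above and any id outside that window, including host root, simply does not exist from the container's point of view.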
In addition, IT operations can establish granular access-control rights, giving explicit permission to certain departments or teams to use certain Dockerized services. This new control prevents one organization from inadvertently being given control over another organization's application services, Johnston said.
Charles Babcock is an editor-at-large for InformationWeek and author of Management Strategies for the Cloud Revolution, a McGraw-Hill book. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive ...