Is Docker’s built-in Security ‘Good’ Enough?
When deploying Docker containers into production here’s a frequently asked question:
“Are the built-in security controls of Docker ‘good enough’ for my service?”
There’s been quite a few posts recently assessing the security requirements for container deployments and taking a stand one way or another. A blog post on Docker’s blog asserts that “Your Software is Safer in Docker Containers.” And in a recently published paper, the Gartner group says:
“Containers managed by Docker are effective in resource isolation.”
However, VMware has taken a position that containers are safer when they’re running on a virtual machine.
Of course, the real answer is that ‘it depends.’ It depends on the requirements of your service and the risk you’re willing to take if it’s compromised. While simple isolation and built-in security features may be adequate for most applications, it may not be appropriate for business critical services. Does your business rely on these containers for critical processes? Are these services publicly accessible? Will an attacker be able to get to sensitive privacy or account data?
Container deployments are in the early phases for most companies, and the attack vectors and threat surfaces are not fully known at this time. But just like what we went through with virtualization, and datacenter servers before that, real-time protection for running containers is going to be needed as the last line of defense against hackers who can, and will, get through traditional controls.
There aren’t many companies focusing on this aspect of container security yet. NeuVector is one of those which offers run-time application centric protection for containers. This is especially timely given that the promised benefits of containers include rapid deployment and scale, and these can’t be reduced by cumbersome traditional security tools. NeuVector’s solution is now available to try for a limited number of partners and deploys in minutes just like any other containers.