Docker – Ready for Prime time or not?

Docker – ready for prime time or not? It’s a question that has been asked (and answered) hundreds if not thousands of times already. So – rather than repeat that long and somewhat tired conversation I want to focus on one piece of the debate – Security.

There are three issues that I see with Docker and security:

  1. Because Docker is open source, it has been widely adopted and is almost certainly already deployed, whether you like it or not, inside your organization. This makes for all sorts of security nightmares that CISOs and their teams are unable to control. What if an employee introduces uncontrolled code to a mission-critical stack? What does that do for compliance, internal audit and corporate governance issues, not to mention liability problems?
     
  2. Many others have covered the point about large attack surface. Thousands of containers vs hundreds of apps, VMs etc. The larger the attack surface the more vulnerable your organization is to internal and external breaches.
     
  3. The very flexibility that Docker and containerization in general provide gives it a massive security hole. What if a rogue employee or external intruder plants a container that launches an East-West attack? Good luck finding that single container in the thousands you have already deployed.
     

There is plenty of advice out there on how to implement Docker security effectively – this article from Amir Jerbi, co-founder and CTO of Aqua Security, is a good basis.

In my discussions with customers about Docker it’s clear that, at the Enterprise level, they are just not comfortable yet in adopting Docker. Typical responses include ‘Maybe next year,’ ‘let’s wait and see’, ‘who else is using Docker across their infrastructure?’ All good points with limited answers. Look at the list of Docker customers at docker.com. Are these all in production? Let’s hope so.

When customers ask me about Docker security I always tell them ‘Be careful, move forward in a considered way and you might just end up where you expect to be. If you let it get out of control you will spend a lot of time and money getting Docker under control.’ Full disclosure – we offer Docker/Containerization as a service from Alauda. We do this because Containerization as a service is intrinsically more secure running on AWS or Azure than letting Docker loose in your Datacenter.

What do you think? Is Docker ready for Prime time?

If you have additional questions, get in touch with us!


EXCELERATE SYSTEMS

Headquartered in Redmond, Washington, Excelerate Systems operates in the United States, Canada, Latin America, Europe, Australia and New Zealand.

Corporate Head Quarters

  2205 152nd Avenue NE
Redmond, WA 98052
USA

 +1.(425).605.1289

European Head Office (France)

  Les Bureaux du Lac II Rue Robert Caumont, imm P 33049 Bordeaux Cedex – France

 +33 (0)5 56.07.23.33

Latin America & The Caribbean

Córdoba No. 42 Int. 807, Col. Roma Norte, Cuauhtémoc, C.P. 06700, Ciudad de México

 +52 (55) 5255-1329
