SAN FRANCISCO – As enterprise companies take up the mantle of “digital transformation,” the modern-day tech marketing moniker for the process of buying the new stuff, security is always a primary concern. It was pretty clear from the first day of DockerCon that the container ecosystem is still focused on allaying those companies’ fears, but it was also clear that progress is being made.
There was a security-related discussion during nearly every time slot allocated to the tech tracks at DockerCon in San Francisco Wednesday, but the nature of those conversations has changed, according to presenters and attendees. The pioneering container company has had to dispel a lot of myths about container security as it has pivoted from a developer tools company to an enterprise vendor, and it’s making progress by reminding companies of a long-held truism of computing security: it’s a process, not an add-on.
“It’s interesting and positive to see how people – and vendors – are thinking about security not just specifically for individual Docker instances, but the much broader and important topic of security for enterprise-scale deployments,” said Fernando Montenegro, a security analyst with 451 Research.
Containers are popular because they give users much more flexibility and control over how they deploy their applications, especially on public clouds. But they changed a lot of assumptions about how security worked across this new architecture, and that gave rise to the false notion that containers are inherently insecure.
Containerized applications are decoupled from hardware, which is often managed by a company like Amazon Web Services. That meant security policies designed around self-managed servers no longer applied, and poor security practices at the application level were exposed, said Bryan Webster, principal architect for hybrid cloud security at Trend Micro.
Containers can launch and shut themselves down much faster than virtual machines, so monitoring for malware or malicious attackers becomes more complex. Containers can “disappear before I even identify a problem and who has access to (a particular container),” said Hari Srinivasan, director of product management for cloud security company Qualys.
Hari Srinivasan, director of product management for Qualys, talks container security at DockerCon 2018. (GeekWire Photo / Tom Krazit)
But these are security problems related to internal development policies and strategies, …