Since the introduction of Docker, the standardized platform for containers, DevOps has been pursuing the benefits of containers: speed, agility, and portability. The promise of containers is what businesses were leveraging to accelerate their transformation into digital businesses. Or so we thought… Although Docker’s adoption has increased from 35% to 49% in 2017, only 20% of companies have deployed their containers in production. Why?
Depending on which report you read, either management or security tops the list of challenges for containers. With Kubernetes winning the majority of the container orchestration market, there appears to be a clear path to addressing the management challenges. However, security concerns (and, usually some way behind them, governance concerns) are still slowing down container adoption in production. What’s the best path forward to address these concerns?
As we all know by now, there are three primary approaches to securing containers:
- Kernel Plugins – Kernel modules that monitor the container processes. This approach requires root access to the underlying host.
- Privileged Containers – Containers running with privileged commands that monitor all of the other containers on the host. This approach also requires root-level privileges to the underlying host.
- Container Native – Security embedded within each container to monitor and protect the container. This approach does not require root access/privileges, as it runs within the container.
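The distinction between the three approaches comes down to what the security component needs from the host. As an added example (not from the original post or from any vendor's product), this Python audit reads `docker inspect`-style records and lists the host-root indicators each container carries: the privileged flag, host-level capabilities, the host PID namespace, and bind mounts of sensitive host paths. The three container records are constructed to stand in for a kernel-plugin loader, a privileged monitoring container, and an application with an embedded agent.

```python
"""Flag host-root-equivalent settings in docker-inspect style JSON records."""
import json

# Constructed sample: one container per approach described above.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/kernel-module-loader",
     "HostConfig": {"Privileged": True, "CapAdd": ["SYS_MODULE"],
                    "PidMode": "", "Binds": ["/lib/modules:/lib/modules"]}},
    {"Name": "/privileged-monitor",
     "HostConfig": {"Privileged": False, "CapAdd": ["SYS_ADMIN", "SYS_PTRACE"],
                    "PidMode": "host",
                    "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]}},
    {"Name": "/app-with-embedded-agent",
     "HostConfig": {"Privileged": False, "CapAdd": None, "PidMode": "",
                    "Binds": ["appdata:/data"]}},
])

# Capabilities that let a container act on the host kernel or other processes.
HOST_ROOT_CAPS = {"SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "SYS_RAWIO"}
# Host paths whose bind-mount gives control over the host or the engine.
SENSITIVE_HOST_PATHS = {"/", "/var/run/docker.sock", "/proc", "/sys", "/lib/modules"}


def host_root_findings(container):
    """Return the reasons a container is effectively root on the host ([] if none)."""
    hc = container.get("HostConfig", {})
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged")
    caps = HOST_ROOT_CAPS & set(hc.get("CapAdd") or [])
    if caps:
        findings.append("cap:" + ",".join(sorted(caps)))
    if hc.get("PidMode") == "host":
        findings.append("pid=host")
    for bind in hc.get("Binds") or []:
        src = bind.split(":", 1)[0]  # host path or named volume before the colon
        if src in SENSITIVE_HOST_PATHS:
            findings.append("mount:" + src)
    return findings


def audit(inspect_json):
    """Map container name -> findings for every record in `docker inspect` output."""
    return {c["Name"].lstrip("/"): host_root_findings(c) for c in json.loads(inspect_json)}


if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_INSPECT).items():
        print(name, "->", ", ".join(reasons) if reasons else "no host-root indicators")
```

On a real host, pipe `docker inspect $(docker ps -q)` into `audit` to see which running containers hold host-level privileges and therefore widen the blast radius of a compromise.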
But which approach actually solves the security challenges without eroding the benefits of containers, specifically speed, agility, and portability? Can one of these approaches actually resolve the security challenges once and for all?
Embedding Security Within The Container Runtime
The ultimate solution is embedding security within the container runtime. By making security part of the container runtime, organizations can accelerate the deployment of containers in production by removing the friction of security. This doesn’t mean that the container engine also has to be the security engine. By monitoring application, system, network, and file activity from within the running container, Docker can make this data available to its partner ecosystem to build premium security solutions independently of the infrastructure. This approach provides the best of both worlds:
- Docker provides a complete platform for containers, including security monitoring and protection
- Security partners leverage Docker to build fully integrated security solutions, including containers
Extending Docker Enterprise Edition
Using the industry’s first embedded security approach, Layered Insight is in a unique position to extend the capabilities of Docker Enterprise Edition. Layered Insight’s solutions map natively into Docker’s platform:
- Governance – Layered Compliance validates and enforces policies for the container image.
- Security – Layered Assessment identifies vulnerabilities within the container image, Layered Witness monitors container activity, and Layered Control protects container behavior.
- Automation – Layered Witness automates the monitoring of container activity and Layered Control automates the protection of container behavior.
It also provides integration with the rest of Docker’s partner ecosystem, including CI/CD and Security partners.
The Benefits of Layered Insight and Docker
Although each solution provides its own unique benefits, the joint solution has additional benefits, including:
- Freedom of Choice – Security within the container runtime allows you to choose any infrastructure, application, or language without friction
- Agile Operations – Automated, secure software supply chain to accelerate application delivery
- Integrated Security – Full security visibility and control within the container runtime