November 21, 2015
This marks a big step forward for Docker, the application containerization platform, and for container hosting providers. With Docker’s launch of a number of security features at DockerCon EU, container web hosts are now better placed to offer security-optimized services.
The new security enhancements incorporate hardware signing and image scanning, as well as better access control and isolation.
Container Image Authentication and Content Auditing. These additional security measures comprise hardware signing and image scanning, used to verify the content publisher, protect the chain of trust, and verify the content itself. According to David Messina, VP of Enterprise Marketing at Docker, establishing the source of the content, the creator of the content, and the chain of trust for containerized content remains a core issue.
Container image authentication builds on Docker Content Trust, which leverages Notary and The Update Framework (TUF) to verify the image publisher and authenticate the content. The feature uses touch-to-sign YubiKey hardware from Yubico, enabling hardware-backed digital code signing both at the initial signing step and in later validations.
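The Notary/TUF flow described above, reduced to the two checks a client performs on pull (the targets metadata must carry a valid publisher signature, and the manifest actually received must hash to the digest that metadata vouches for), as an added Go example; this is not code from the article, Docker, Notary or TUF. The in-memory ed25519 key stands in for the key a YubiKey would hold, and the Targets struct, manifest bytes and repository name are constructed stand-ins (real Notary metadata also has root, snapshot and timestamp roles).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Targets is a simplified stand-in for the TUF "targets" role: a map from
// image tag to the SHA-256 digest of the manifest the publisher vouches for.
type Targets struct {
	Repository string            `json:"repository"`
	Version    int               `json:"version"`
	Digests    map[string]string `json:"digests"` // tag -> hex sha256
}

// SignedTargets bundles the serialized metadata with the publisher's signature.
type SignedTargets struct {
	Signed    []byte
	Signature []byte
}

// SignTargets serializes the metadata and signs it with the publisher's key.
// With Docker Content Trust the private key would live on the YubiKey; here it
// is a constructed in-memory ed25519 key.
func SignTargets(priv ed25519.PrivateKey, t Targets) (SignedTargets, error) {
	signed, err := json.Marshal(t) // map keys are sorted, so this is canonical
	if err != nil {
		return SignedTargets{}, err
	}
	return SignedTargets{Signed: signed, Signature: ed25519.Sign(priv, signed)}, nil
}

// VerifyPull plays the client: check the metadata signature against the pinned
// publisher key, then check the received manifest against the signed digest.
func VerifyPull(pub ed25519.PublicKey, st SignedTargets, tag string, manifest []byte) error {
	if !ed25519.Verify(pub, st.Signed, st.Signature) {
		return errors.New("targets metadata: bad signature (untrusted publisher or tampered metadata)")
	}
	var t Targets
	if err := json.Unmarshal(st.Signed, &t); err != nil {
		return err
	}
	want, ok := t.Digests[tag]
	if !ok {
		return fmt.Errorf("tag %q is not signed in targets metadata", tag)
	}
	sum := sha256.Sum256(manifest)
	if got := hex.EncodeToString(sum[:]); got != want {
		return fmt.Errorf("manifest digest mismatch for %q: got %s want %s", tag, got, want)
	}
	return nil
}

// Demo runs publisher and client on constructed data and reports the three
// outcomes that matter: genuine image, swapped image, rewritten metadata.
func Demo() (genuineOK, swappedImageRejected, forgedMetaRejected bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	manifest := []byte(`{"schemaVersion":2,"layers":["sha256:aaa"]}`) // constructed
	sum := sha256.Sum256(manifest)
	targets := Targets{
		Repository: "registry.example.invalid/myorg/app", // placeholder name
		Version:    1,
		Digests:    map[string]string{"1.0": hex.EncodeToString(sum[:])},
	}
	st, err := SignTargets(priv, targets)
	if err != nil {
		return
	}
	genuineOK = VerifyPull(pub, st, "1.0", manifest) == nil

	// A mirror or registry serves a different manifest: digest no longer matches.
	swapped := []byte(`{"schemaVersion":2,"layers":["sha256:bbb"]}`)
	swappedImageRejected = VerifyPull(pub, st, "1.0", swapped) != nil

	// Metadata rewritten to vouch for the swapped manifest, but the old
	// signature no longer covers it and the publisher key is not available.
	swappedSum := sha256.Sum256(swapped)
	forged := st
	forged.Signed, _ = json.Marshal(Targets{
		Repository: targets.Repository, Version: 2,
		Digests: map[string]string{"1.0": hex.EncodeToString(swappedSum[:])},
	})
	forgedMetaRejected = VerifyPull(pub, forged, "1.0", swapped) != nil
	return
}

func main() {
	g, s, f, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine accepted: %v, swapped image rejected: %v, forged metadata rejected: %v\n", g, s, f)
}
```

The point to take from the two rejections is that the digest check alone stops a swapped image, but only the signature check stops someone who can also rewrite the metadata, which is why the publisher key (and its hardware protection) matters.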
In addition, Docker is providing a secure service for its Official Repos from independent software vendors (ISVs), with granular image auditing. The scan results are presented to the ISVs and then shared with their customers, so users can choose which content to use according to their security policies. Where a vulnerability is found, it is the ISV’s job to fix the weakness and upgrade the security of their content.
Through hardware signing and container image scanning, the trust and reliability of application content can be addressed more easily. This also simplifies the work of web hosting companies by ensuring they host genuine images. According to Messina, the approach is reliable because it gives information about what is inside a given container.
Improved Granular Access Control Plans. During the launch, Messina described user namespaces as a highly requested feature that gives IT operations better capabilities: the daemon keeps host root privileges, but the containers themselves no longer require host root. Hosts can therefore be restricted to a certain level of access, preventing one company from controlling the application services of another.
Messina added that user namespaces separate and control the operations of a hosting company, giving it the ability to assign a given user or multi-tenant customer a particular set of privileges, while the operator retains full privileges over the Docker daemon. The bottom line is to create a secure way of operating for all container and Docker hosting providers.
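What the user namespace feature changes for a hosting operator, as an added Go example that is not code from the article or from Docker: it computes which host uid a process inside a container actually runs as, first with no remapping (container root is host root) and then with the daemon’s userns-remap setting pointing at a subordinate uid range. The daemon.json content and the /etc/subuid lines are constructed samples; the key name userns-remap, its special value "default" (meaning the dockremap user) and the name:start:count format of /etc/subuid are real, and the daemon uses the first range listed for that user.

```go
package main

import (
	"bufio"
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample inputs standing in for files on a host; not from the
// article or any real machine.
const sampleDaemonJSON = `{"userns-remap": "default"}`
const sampleSubuid = "ubuntu:1000:1\ndockremap:100000:65536\n"

// remapUser returns the user whose subordinate id range the daemon maps
// containers into, or "" when remapping is off (the default, where uid 0 in a
// container is uid 0 on the host).
func remapUser(daemonJSON string) (string, error) {
	var cfg map[string]interface{}
	if err := json.Unmarshal([]byte(daemonJSON), &cfg); err != nil {
		return "", err
	}
	v, ok := cfg["userns-remap"].(string)
	if !ok || v == "" {
		return "", nil
	}
	if v == "default" { // Docker creates and uses the "dockremap" user
		return "dockremap", nil
	}
	return strings.SplitN(v, ":", 2)[0], nil // "user" or "user:group"
}

// subidRange parses /etc/subuid-style lines ("name:start:count") and returns
// the first range assigned to name.
func subidRange(content, name string) (start, count int, err error) {
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		f := strings.Split(strings.TrimSpace(sc.Text()), ":")
		if len(f) != 3 || f[0] != name {
			continue
		}
		if start, err = strconv.Atoi(f[1]); err != nil {
			return
		}
		if count, err = strconv.Atoi(f[2]); err != nil {
			return
		}
		return start, count, nil
	}
	return 0, 0, fmt.Errorf("no subordinate uid range for %q", name)
}

// HostUID translates a uid seen inside a container to the host uid it runs as.
func HostUID(daemonJSON, subuid string, containerUID int) (int, error) {
	user, err := remapUser(daemonJSON)
	if err != nil {
		return 0, err
	}
	if user == "" {
		return containerUID, nil // identity map: container root == host root
	}
	start, count, err := subidRange(subuid, user)
	if err != nil {
		return 0, err
	}
	if containerUID < 0 || containerUID >= count {
		return 0, errors.New("container uid outside the mapped range")
	}
	return start + containerUID, nil // container root becomes an unprivileged host uid
}

func main() {
	for _, cfg := range []string{`{}`, sampleDaemonJSON} {
		h, err := HostUID(cfg, sampleSubuid, 0)
		fmt.Printf("daemon.json %s: container root runs as host uid %d (err=%v)\n", cfg, h, err)
	}
}
```

The operator check this supports is simple: with the empty configuration the function returns 0, meaning a container escape lands as host root; with remapping on it returns 100000, an unprivileged uid with no special rights on the host, and a uid outside the 65536-wide range cannot be mapped at all.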
About Docker. Docker is an open platform that lets users package an application with its dependencies into a filesystem unit that can run on any system. Applications inside Docker containers run uniformly everywhere, regardless of the environment they are running in. Docker differs from virtual machines in that a container carries only the application itself together with its dependencies. Docker containers can run on all kinds of computers, infrastructure, and clouds.