Application containerization software platform Docker launched several security enhancements this week at DockerCon EU that could also help make multi-tenant Docker environments easier for web hosts to manage.
New features include the first hardware signing for authenticating container images, content auditing through image scanning and vulnerability detection, and granular access control policies via user namespaces.
Also this week at DockerCon EU, Hewlett Packard Enterprise released a new portfolio of solutions built for Docker.
Hardware Signing and Image Scanning
These new capabilities, combined with Docker’s existing security options, ensure that the publisher of the content is verified, that the chain of trust is protected, and that containerized content is checked via image scanning.
Docker enterprise marketing VP David Messina said, “A base thing as you look at hosting applications in the cloud is the content itself – where did it come from? Who is the publisher? Do I have a chain of trust around that content? I need to know that the content that I’m getting from the publisher is actually the content that I receive.”
Container image hardware signing builds on Docker Content Trust, which leverages Notary and The Update Framework (TUF) to verify the image publisher and validate content. Docker Content Trust’s hardware signing feature uses Yubico’s YubiKey technology for touch-to-sign code signing. This enables code to be digitally signed during initial development on particular hardware and be verified through subsequent updates.
Docker is also offering a new security service for its dozens of Official Repos from Independent Software Vendors that performs granular auditing of images, presents the results to the ISVs, and shares the final output so that Docker users can decide which content to use based on their own security policies. If an issue is detected, the ISV can fix the vulnerabilities and so upgrade the security profile of its content.
“It’s a very powerful concept – the key thing here is determining what’s inside the container,” Messina said. “In multi-tenancy, you want to know all you can know about your containers, and that’s what you’re able to do with these capabilities and that transparency, and doing so with our ISV partners.”
Hardware signing and scanning of container images help address the trust and integrity of application content, essentially making it easier for web hosts to ensure they aren’t hosting compromised images. Hosts also no longer have to rely on the information each ISV publishes about the state of its content, nor actively monitor the common vulnerabilities and exposures (CVEs) for each one.
Better Access Control and Isolation
User namespaces, which Messina noted are one of the most requested Docker features, give IT operations the ability to separate container-level and Docker daemon-level privileges, meaning that the containers themselves don’t have to run with root access on the host. Admins can then lock down hosts to a restricted group of sysadmins and assign privileges for each container by user group, preventing one organization from having control over another’s application services.
“User namespaces create a differentiated model for active control where the operations team or hosting provider can assign, effectively, to a user or a multi-tenant client a certain set of privileges. But you as the operator can maintain the maximum level of privileges related to the Docker daemon,” Messina said.
“Ultimately this is setting up a very interesting path for more and more providers hosting containers and hosting Docker on bare metal.”
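As an added example (not code from the article, nor Docker's own implementation), the uid arithmetic behind the isolation described above: a Python model of how a subordinate uid range, written in the /etc/subuid "name:start:count" form that Docker's remapping reads, turns root inside a container into an unprivileged uid on the host. The entry "dockremap:100000:65536", the identity mapping used to show the no-namespace case, and the function names are constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class UidMapping:
    """One line of /proc/<pid>/uid_map: 'inside outside count'."""
    inside_start: int   # first uid as seen inside the container
    outside_start: int  # host uid that inside_start is mapped to
    count: int          # size of the contiguous range


# Constructed: a daemon with no user namespace maps every uid to itself,
# so uid 0 inside the container is uid 0 on the host.
NO_USERNS = UidMapping(inside_start=0, outside_start=0, count=4294967295)


def parse_subuid_entry(line: str) -> UidMapping:
    """Turn a /etc/subuid entry ('name:start:count') into the mapping a
    remapping daemon installs: container uid 0 lands on the range start."""
    name, start, count = line.strip().split(":")
    start_i, count_i = int(start), int(count)
    if start_i <= 0 or count_i <= 0:
        raise ValueError(f"invalid subordinate range for {name}: {line!r}")
    return UidMapping(inside_start=0, outside_start=start_i, count=count_i)


def container_to_host_uid(m: UidMapping, container_uid: int) -> Optional[int]:
    """Host uid a process with container_uid really runs as, or None when the
    uid is outside the mapped range (the kernel then reports the overflow uid)."""
    offset = container_uid - m.inside_start
    if 0 <= offset < m.count:
        return m.outside_start + offset
    return None


def is_host_root(m: UidMapping, container_uid: int) -> bool:
    """True only if the container uid reaches host uid 0, which is exactly
    what enabling user namespaces is meant to rule out."""
    return container_to_host_uid(m, container_uid) == 0


def to_uid_map_line(m: UidMapping) -> str:
    """Render the mapping in /proc/<pid>/uid_map format."""
    return f"{m.inside_start} {m.outside_start} {m.count}"


if __name__ == "__main__":
    mapping = parse_subuid_entry("dockremap:100000:65536")  # constructed sample
    print(to_uid_map_line(mapping))                 # 0 100000 65536
    print(container_to_host_uid(mapping, 0))        # 100000: container root is unprivileged on the host
    print(container_to_host_uid(mapping, 70000))    # None: beyond the 65536-uid range
    print(is_host_root(mapping, 0), is_host_root(NO_USERNS, 0))  # False True
```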
User namespaces and hardware signing are included in the 1.9 Experimental release, and image scanning and vulnerability detection are now available for all Official Repos on Docker Hub.