Container security was initially a big obstacle to many organizations in adopting Docker. However, that has changed over the past year, as many open source projects, startups, cloud vendors, and even Docker itself have stepped up to the challenge by creating new solutions for hardening Docker environments. Today, there is a wide range of security tools that cater to every aspect of the container lifecycle.
Docker security tools fall into these categories:
Kernel security tools: These tools have their origins in the work of the open source Linux community. They have been inherited by container systems like Docker as foundational security tools at the kernel level.
Image scanning tools: Docker Hub is the most popular container registry, but there are many others, too. Most registries now have solutions for scanning container images for known vulnerabilities.
Orchestration security tools: Kubernetes and Docker Swarm are the two most popular orchestrators, and their security features have been gaining strength over the past year.
Network security tools: In a distributed system powered by containers, the network is more important than ever. Policy-based network security is gaining prominence over perimeter-based firewalls.
Security benchmark tools: The Center for Internet Security (CIS) has provided guidelines for container security, which have been adopted by Docker Bench and similar benchmark security tools.
Security with CaaS platforms: AWS ECS, GKE and other CaaS platforms build on the security features of their parent IaaS platform, and then add container-specific features or borrow security features from Docker or Kubernetes.
Purpose-built container security tools: This is the most advanced option for container security. In it, machine learning takes center stage as these tools look to build an intelligent solution to container security.
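As an added illustration of the kind of check a benchmark tool such as Docker Bench runs against the CIS guidelines (example code written for this page, not Docker Bench's own), the script below audits `docker inspect` output for a few container-hardening items; the sample JSON is constructed and the set of checks is this example's own selection, not the benchmark's numbered controls:

```python
import json

# Constructed sample in the shape of `docker inspect` output (not real containers);
# only the fields the checks read are included.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "Config": {"User": "app"},
     "HostConfig": {"Privileged": False, "NetworkMode": "bridge",
                    "Binds": ["webdata:/var/www"], "CapAdd": None,
                    "SecurityOpt": ["no-new-privileges"]}},
    {"Name": "/build-agent", "Config": {"User": ""},
     "HostConfig": {"Privileged": True, "NetworkMode": "host",
                    "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
                    "CapAdd": ["SYS_ADMIN"], "SecurityOpt": None}},
])


def check_container(c):
    """Return the CIS-style findings for one container from `docker inspect`."""
    host = c.get("HostConfig") or {}
    cfg = c.get("Config") or {}
    findings = []
    if host.get("Privileged"):
        findings.append("privileged container")
    if not cfg.get("User"):            # empty User means the container runs as root
        findings.append("runs as root (no USER set)")
    if host.get("NetworkMode") == "host":
        findings.append("shares the host network namespace")
    for bind in host.get("Binds") or []:
        if bind.split(":")[0] == "/var/run/docker.sock":
            findings.append("mounts the Docker socket")
    for cap in host.get("CapAdd") or []:
        if cap.upper() in ("SYS_ADMIN", "ALL"):
            findings.append("adds capability " + cap)
    opts = host.get("SecurityOpt") or []
    if not any(o in ("no-new-privileges", "no-new-privileges:true") for o in opts):
        findings.append("can acquire new privileges (no-new-privileges unset)")
    return findings


def audit(inspect_json):
    """Map each container name to its findings; an empty list means it passed."""
    return {c["Name"].lstrip("/"): check_container(c)
            for c in json.loads(inspect_json)}


if __name__ == "__main__":
    # On a real host: audit(subprocess.check_output(["docker", "inspect", *ids]))
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, "->", findings or ["OK"])
```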
Here’s a cheatsheet of Docker security tools available as of mid-2017. It’s organized according to which part of the Docker stack the tool secures.
Making Sense of the Docker Security Tool Landscape
This is truly a diverse list of Docker security tools. What becomes clear when we view this list is that Docker security requires a combination of many tools working together. Each tool has its own strengths and focus areas. There are solutions available for every layer of the container stack—kernel, registries, network, orchestration, and CaaS platforms. And the best part is that most of these tools integrate well with each other, or at least with the tools most commonly used in container workloads.
By knowing each of the tools, and what distinguishes it from the others, you can build a hardened container environment that can run production workloads at enterprise scale. That was always the promise of Docker, and container security tools are making that promise a reality.
Twain began his career at Google, where, among other things, he was involved in technical support for the AdWords team. His work involved reviewing stack traces, resolving issues affecting both customers and the Support team, and handling escalations. Later, he built branded social media applications and automation scripts to help startups better manage their marketing operations. Today, as a technology journalist, he helps IT magazines and startups change the way teams build and ship applications.