Learning from a Detailed Security Analysis of Containerised Technologies

Container technologies, particularly Docker Engine, have been gaining significant popularity and adoption for building development and operational virtualised infrastructures. An increasing number of cloud technologies have started integrating container technologies into their platforms. While the performance and scalability advantages of containers are well known, there have been a number of concerns about the security of container-based solutions.

Through our ongoing collaboration with the Defence Science and Technology Group, we have just completed a project focused on extensively studying and analysing the security of the container technology Docker. This project involved several other strategically important evaluative milestones, about which I’ll write separately. Here is the report on the security analysis of Docker for building a private cloud. A few key points of this report are:

This report covers the objectives, setup, evaluation procedure, and results of a security analysis of container technologies when integrated into an OpenStack private cloud system. This project’s main scope was to evaluate the security of various methodologies of deploying containers into the cloud, such as compute hypervisor drivers and different orchestration engines within OpenStack.

Through an extensive research study to achieve the objectives of this project, we have identified various challenges in managing the risk of private clouds while deploying containers in a cloud. We have concluded that it is quite a challenging task to deploy a secure cloud, as this task requires systematically gathering and taking into consideration a large volume of constraints and information, particularly with regard to the impact of the security isolation of container technologies (this is covered in Volume 2 – Container Isolation). One of the identified outcomes of the previous project was that a deep understanding of the required configurations of a cloud solution was necessary to provide a working cloud. In order to provide a secure cloud, however, the understanding of the required configuration needs to be much deeper, as the options outlined to create a working cloud may cause security flaws in the system to be exposed.

This work has also identified some key areas for investigation in order to further the understanding and capabilities of utilising a private cloud system for submarine mission systems. The key areas include, but are not limited to, building an image trust framework, secure virtualised networking systems, and building domain-specific tools for orchestrated deployment of required components.

The findings outlined in this report are intended to give practitioners a working knowledge of the security risks and concerns related to deploying container technologies within the cloud. The second volume of this report discusses the isolation mechanisms of various container technologies when utilised outside of a cloud. This is important due to the security dependency of the containerised cloud on these technologies. The third volume of this report discusses the usability and performance of container technologies. This is important as security may be the most important, but certainly not the only, quality attribute of a system that needs to be considered when deciding on the technologies for building and leveraging virtualised solutions with containers.