As Docker has grown in popularity, so has the number of container security platforms available to help harden Docker environments against attack. Here’s an overview of the container security landscape today and how it is likely to evolve in the future.
Container security tools and platforms fall into two main categories:
- Open-source tools, most of which were developed as parts of larger container projects such as Docker and CoreOS.
- Commercial security platforms from new companies that focus exclusively on the container security space.
Let’s take a look at how each of these categories breaks down.
Open-Source Container Security Tools
In Docker’s early years, security add-ons were not a priority for Docker developers. They were more focused on building the core Docker container platform.
That changed in the first half of 2016, when two major open-source security tools for Docker appeared. One was Clair, an image scanning tool developed by CoreOS. The other was Docker Security Scanning, a similar tool developed by Docker.
Both of these tools help to secure one particular layer of a containerized software stack: the image registry. They are integrated into the hosted registry services offered by CoreOS (Quay) and Docker (Docker Hub), and they can also be used offline, outside those hosted services.
Open-source security tools for other parts of the container stack remain more elusive.
Commercial Container Security Vendors
The list of startups that specialize in end-to-end container security solutions is now relatively long. These vendors aim to fill in the security gaps in a container stack built using open-source tools.
Vendors in this category include:
- FlawCheck (now owned by Tenable)
- Sysdig (Sysdig focuses mostly on container monitoring, but it now also offers an open-source tool, Falco, for anomaly detection in containerized environments)
Most of these vendors offer platforms that combine analytics-based anomaly detection with container image management, access control and container runtime hardening.
The Future of Container Security
While the number of vendors in the container security market is now sizeable, this is still a very young ecosystem. Going forward, the market is likely to see the following:
- The entry of more established security companies into the container security world. To date, almost all of the vendors in this space are startups that focus exclusively on container security. Traditional security vendors have not yet shown much interest in supporting containers. That is likely to change as the importance of the market grows and more established vendors either extend their functionality to support containers or acquire the startups that already have this technology.
- Support for securing containers other than Docker. So far, the container security world has focused on Docker stacks. Other types of container technologies have received less attention. That makes sense, because Docker dominates the market currently. But as other types of container platforms—system containers, unikernels and more—grow in popularity, a market will develop for security tools that harden them.
- Security solutions for Docker on Windows. If Docker is going to become a true production-ready technology on Windows, users will need a way to secure it. The existing Docker security solutions focus mostly on components that would exist only in a Linux-based Docker environment.