Container technology like Docker is a threat to virtualization technology companies like VMware because it offers many of the same benefits.
In fact, in some areas containers offer bigger benefits than virtualization. For example, you can run more containers than you can virtual machines on a single host — because containers are more lightweight and consume fewer resources than their fully fledged virtual machine brothers.
But if there is one area that is a potential cause for concern to container users, that area is security. Put simply, it's a problem because containers running on the same host share the host's operating system kernel.
That means there's not the same level of isolation between applications that exists when applications run on separate operating systems in separate virtual machines on the same host.
Companies like VMware have been quick to capitalize on these security fears, drumming in to customers who may be thinking about containers the message that containers and virtualization technology are better together. So by all means, reap the benefits of containers, but make sure they are wrapped up in the security of virtual machines and the infrastructure that surrounds them.
The message is a powerful one because container technology is much less mature than virtualization technology. That means that less has been done in the way of developing security and management products to form a comprehensive software ecosystem around containers.
Containerization Security Starting to Take Form
But things are beginning to change: this type of software ecosystem is starting to emerge, and its sophistication is increasing.
A good example of this is a new startup called Twistlock, which emerged from stealth mode last month. Twistlock has unveiled the first security suite for containers, designed to give enterprises more visibility and control over container-based applications and data.
Why the name Twistlock? It turns out that in the shipping industry a twistlock is a piece of equipment used to secure containers. Clever, huh?
According to the company, the suite is designed to address risks both on the host and within the application in the container, enabling enterprises to enforce security policies consistently, monitor and audit activity, and identify and isolate threats in a container or cluster of containers.
The Twistlock security suite lets users:
- Monitor both static container images and runtime container applications to identify risks.
- Specify security baselines to ensure the host has been hardened and the application meets certain quality and security standards before it can be pushed into production.
- Protect containers deployed both in the cloud and on-premises in a virtual data center.
The Twistlock suite comes in the form of an open-source component as well as an enterprise solution. The open source part is targeted at developers, and enables the enforcement of security "quality gates" on containers before the developers that create them can push them out into production.
The other part is designed for security operation teams and provides a centralized location from where security can be configured and monitored across the various container clusters the organization uses.
This works using an agent installed on each container host, allowing the inspection of operations done by the container manager daemon, and also a low-footprint inspection of certain container elements at run-time. Data collected by these host-based agents is then sent back to the central Twistlock server for analysis on a management console.
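To make the "quality gate" idea concrete, here is a small added example (not Twistlock's code, and not from the original article) of a pre-production check that inspects a Dockerfile against a baseline: a pinned base image, no remote ADD, no secrets baked into ENV, and a non-root USER. The sample Dockerfiles and the rule set are constructed for illustration.

```python
import re

# Constructed sample inputs for the gate (not from the article).
RISKY_DOCKERFILE = """\
FROM python:latest
ENV DB_PASSWORD=hunter2
ADD https://example.invalid/app.tar.gz /opt/
RUN pip install -r /opt/requirements.txt
CMD ["python", "/opt/app.py"]
"""

HARDENED_DOCKERFILE = """\
FROM python:3.12-slim
COPY app/ /opt/app/
RUN useradd -r app
USER app
CMD ["python", "/opt/app/app.py"]
"""

# Environment variable names that suggest a credential is being baked in.
SECRET_KEY_PATTERN = re.compile(r"(PASSWORD|SECRET|TOKEN|API_KEY)", re.IGNORECASE)


def check_dockerfile(text):
    """Return a list of (line_number, message) findings; empty means the gate passes."""
    findings = []
    non_root_user = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        instr, arg = parts[0].upper(), (parts[1] if len(parts) > 1 else "")
        if instr == "FROM":
            image = arg.split()[0]  # drop any "AS stage" alias
            last = image.rsplit("/", 1)[-1]  # strip registry/namespace before checking the tag
            # An unpinned or :latest base image can silently change between builds.
            if "@sha256:" not in image and (":" not in last or last.endswith(":latest")):
                findings.append((lineno, "base image is not pinned to a specific tag or digest"))
        elif instr == "USER":
            # A later "USER root" re-opens the issue, so track the final value.
            non_root_user = arg.split(":")[0] not in ("root", "0")
        elif instr == "ADD" and re.match(r"https?://", arg):
            findings.append((lineno, "ADD fetches a remote URL; copy a verified artifact instead"))
        elif instr == "ENV" and SECRET_KEY_PATTERN.search(arg.split("=")[0]):
            findings.append((lineno, "ENV appears to bake a secret into the image"))
    if not non_root_user:
        findings.append((0, "no non-root USER set; the container would run as root"))
    return findings


def gate_passes(text):
    """True only when the image satisfies every rule in the baseline."""
    return not check_dockerfile(text)
```

Run as a CI step before a push, the gate blocks the risky image with four findings and lets the hardened one through.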
It's probably not worth going into great detail about how the software works or what exactly it does right now. What's more important is that this type of security software is beginning to emerge to "fill the gaps" in the existing infrastructure that supports containers. Something similar happened when server virtualization technology was in its infancy.
Twistlock certainly has credibility: it was founded by Ben Bernstein and Dima Stopel, who both spent more than 10 years in the Microsoft R&D center in Israel, and who also served in the Israel Defense Forces' (IDF) formidable intelligence corps. And so far the company has received $2.5 million in funding from San Francisco-based YL Ventures.
All of this is good news for companies beginning to look seriously at containers.
But it's not so good for VMware and other peddlers of server virtualization technologies. That's because as the containerscape matures, the case that virtualization and containers are "better together" gets weaker. And that means containers will become even more of a threat to their businesses.
Paul Rubens is a technology journalist and contributor to ServerWatch, EnterpriseNetworkingPlanet and EnterpriseMobileToday. He has also covered technology for international newspapers and magazines including The Economist and The Financial Times since 1991.