Virtualization is now the norm in data centers around the world, and with it have come new security challenges. Most virtualization is deployed today with a traditional hypervisor virtual machine (VM) model, using technologies from VMware or the open source KVM or Xen projects. Now, however, there is another way to deploy virtualization -- and it could revolutionize the way virtual security is done.
Docker, an open source technology built on top Linux Containers (LXC), utilizes a host operating system on which containers reside and provide isolated units for applications. Docker operates in stark contrast to the traditional hypervisor model, where the hypervisor also sits on top of a host operating system, but each virtual machine also needs its own operating system image.
In a video interview with eSecurity Planet, Ben Golub, CEO of Docker Inc., the lead commercial sponsor behind Docker, explains how and why Docker presents a better security approach to virtualization than traditional hypervisors.
Golub admitted that containers are not fully secure. He explained that currently the security vulnerability of containers is that people need to choose the right things to enable and the right things not to enable. That said, Golub is confident that Docker container technology is more secure than traditional VMs.
"When you think about it, every VM has an operating system that can be a different version running on top of a host," Golub said. "If you think about the serious vectors of attack, it tends to be that someone has figured out a way to compromise an operating system and the only way to patch it is to rebuild all the VMs."
Easier to Patch
The Docker model is different. Since all the containers sit on the same host operating system, if there is a flaw in the operating system it only needs to be patched once. The impact of only needing to patch once is extremely relevant for large scale data center virtualization environments when hundreds or thousands of VMs are deployed.
In the Docker container model the application is the item that is virtualized, providing a leaner more agile model that is also easier to patch for security vulnerabilities.
"With Docker it's trivially easy to update different containers running in different locations," Golub said. "You basically just pull down the diffs."
"There is a practical point to security, which is how easy it is to fix things, and on that point I think containers win hands down," Golub said.
Watch the video interview with Ben Golub, CEO of Docker, below:
Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com. Follow him on Twitter @TechJournalist.