
Azure and Docker CTOs muffle container security 'noise'

In part two of this Q&A, Docker and Microsoft Azure CTOs address container security and how it will play out with Windows and Hyper-V containers.

Docker and Microsoft want to carry the buzz around Linux containers over to the Windows ecosystem with the launch of the next Windows Server in 2016. In part one of SearchWindowsServer's interview with Docker CTO and co-founder Solomon Hykes and Microsoft Azure CTO Mark Russinovich, they discussed the efforts to port the Docker tools to Windows, the impact of containers on Windows sales and the emerging competition around orchestration.

In part two, they discuss lingering questions about container security, steps being taken to address those issues in Windows Server and the future of the partnership between the two companies.

You still hear criticisms about container security. Are those concerns valid and what still needs to be improved?

Solomon Hykes: There is a lot of noise around Docker and security out there. In my experience, you really need to have some sort of a filter to understand how much of that is actual technical discourse and how much of it is a random combination of words trying to make people scared.

The biggest thing to remember is that 90% of the heavy lifting is not done by Docker in terms of low-level systems building blocks; it’s done by the underlying operating system. The biggest reservation I have on all these stories around Docker security is a lot of times it's not about Docker security; it's about the security of Linux containers and the particular OS. Depending on the kinds of systems you're orchestrating with Docker, you're going to see a different security picture.

Because so far Docker has almost exclusively been running on Linux hosts, you're seeing a lot of security analysis of what Linux containers can do to isolate applications, and I guess that's a good thing. More eyeballs on the problem.

Now we're widening the range of operating systems and the profile in Windows is going to be completely different. … That will require a whole new security analysis and my guess is that the outcome will be very positive. On top of that I would say security is multi-layered and one important aspect of security is better management -- better visibility into what's going on. The benefits of automating your deployment and having a better handle on what's going on across many different machines and containers is overwhelmingly positive for security in general.


Overall, the trend is positive but we have to be cautious and conservative. We're being very careful not to mislead. We've always been the first to say, 'OK, with this configuration be careful. This is what is known to be OK in production.'

How does Microsoft come down on the security questions?

Mark Russinovich: The question about containers and security is a very broad one and you need to get down to specifically what the person is talking about, whether it's managing containers or what kind of code you host in the containers.

We've got two types of containers we're releasing with Windows Server. Those are aimed at the different kinds of code you might host within a container and the trust relationships between the host and the other containers that you want to host. In our cloud, for example, we've got a multi-tenant platform as a service that hosts code provided by customers, and we call this a hostile multi-tenant environment because we have to assume they're hostile even though they might not be. Our bar for the isolation that we have around that kind of code is extremely high.


Of course, Hyper-V we trust as one of the security boundaries that we can focus that kind of code within, and that's why the Azure cloud has infrastructure as a service and platform as a service built on top of virtual machines, where customer A's code goes into virtual machine one and customer B's code goes into virtual machine two. We're comfortable putting those machines in the same server because of the trust we have in that hypervisor.

When you talk about Windows Server containers, we're not comfortable with the level of isolation we get when it comes to hosting untrusted code from two different parties in the same virtual machine, and that is because they're sharing the Windows operating system kernel, which is a huge surface area. If there were a way to attack the operating system (through denial of service) or elevate privileges, that would allow them to break out of the container and access the host or other customers' containers.

So that's where Hyper-V containers come into play, and those are built basically with the same primitives that Hyper-V virtual machines are built with. Each container gets its own copy of the Windows operating system, one that is optimized for running inside a container and is aware it's running inside a container. … That is what we would put this kind of hostile multi-tenant code within to have high-level assurance that it's isolated that way.

The container types are different, but the APIs that deploy code into them and the images are exactly the same, so it's really a decision that you can make. A developer can make it, or an IT pro can make it. … They can decide whether to put it in a Hyper-V container or a Windows Server container. There is absolutely no change to the code or the application or the image or the API, other than setting a flag on which container type you want.


Hykes: This is the perfect example of the separation of concerns. At Docker, we're not trying to come in and say this is how security is done in Windows or how security is done on Linux. Our job is to partner very deeply with platform makers like Microsoft to understand the different security profiles available, understand the fundamentals and then together expose an abstraction to developers that matters to them.

So in the scenario Mark is discussing, that might mean offering a few different options depending on the trust profiles of the application. Are you deploying in an environment where the payloads are created by the same trusted party, or are you deploying payloads from an untrusted third party?

For example, you're a customer because you're a platform provider of some sort. Depending on that, we want to expose in the Docker interface an easy way for you to make an informed decision, so that way I think we have an opportunity to actually improve the state-of-the-art security not by inventing some new fancy low-level technology, but by making the existing low-level technology actually more usable and in the process getting more people to actually use them, which I believe is one of the big bottlenecks of security out there.

There's amazing tech out there that could protect people and systems, but not enough people use them because they're complicated or they're buried at the bottom of the stack. That's where a partnership like this could really shine.

Can customers expect other areas of differentiation from Linux environments?

Russinovich: Windows Server application compatibility and then the choice depending on the trust profile. It's not about differentiating; it's about providing customers the tools they need to offer containers on Windows Server.

Some have suggested Microsoft should buy Docker. I'm sure you've heard that talk. What's your reaction?

Hykes: We always hear that when a partnership is going well. I would say it's a good sign.

Russinovich: I'd agree.
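The "one flag" Russinovich describes maps to Docker's `--isolation` option on a Windows host: `process` gives a Windows Server container (shared kernel), `hyperv` gives a Hyper-V container (its own kernel). The script below is an added example, not part of the interview and not Docker's or Microsoft's own code. It picks the isolation mode from a trust profile, starts the same image under each mode, and then reads back what the daemon actually applied rather than trusting the flag that was passed. It assumes a Windows Server 2016 host with the Containers feature, Docker installed, and the Hyper-V role enabled (required for `--isolation=hyperv`); the image name and container names are assumptions.

```powershell
# Added example (not from the interview): same image, same API, one flag.
# Assumes Windows Server 2016, Docker installed, Hyper-V role enabled.
# $Image is an assumption; substitute any Windows base image already pulled.
$Image = 'microsoft/windowsservercore'

function Start-TrustProfiledContainer {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [ValidateSet('trusted', 'untrusted')] [string] $TrustProfile
    )

    # Decision point from the interview:
    #   payload from the same trusted party      -> Windows Server container (shared kernel)
    #   payload from an untrusted third party    -> Hyper-V container (own kernel per container)
    $isolation = if ($TrustProfile -eq 'untrusted') { 'hyperv' } else { 'process' }

    # Long-running placeholder workload so the container stays up for inspection.
    docker run -d --name $Name --isolation=$isolation $Image cmd /c 'ping -t localhost > NUL' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "docker run failed for '$Name' (isolation=$isolation)" }

    # Check what the daemon applied. If the Hyper-V role is missing, or a daemon
    # default overrides the request, this is where the mismatch shows up.
    $applied = (docker inspect -f '{{.HostConfig.Isolation}}' $Name).Trim()
    if ($applied -ne $isolation) {
        docker rm -f $Name | Out-Null
        throw "'$Name' requested isolation '$isolation' but daemon applied '$applied'"
    }

    [pscustomobject]@{ Name = $Name; TrustProfile = $TrustProfile; Isolation = $applied }
}

# One payload per trust profile, side by side on the same host.
Start-TrustProfiledContainer -Name 'own-app'    -TrustProfile trusted
Start-TrustProfiledContainer -Name 'tenant-app' -TrustProfile untrusted

# Cleanup.
docker rm -f own-app tenant-app | Out-Null
```

The verification step matters more than the flag itself: a request for `hyperv` that silently lands as `process` puts a hostile tenant's code on the shared kernel that Russinovich says Microsoft is not comfortable with, so read the applied isolation back from `docker inspect` before treating the container as a boundary.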

Trevor Jones is a news writer for TechTarget's Data Center and Virtualization Media Group.
