Earlier this week Docker laid down on paper standards for container security in its ecosystem. Now the latest of what is likely to be a slew of third-party, enterprise-oriented security solutions for Docker has arrived.
Twistlock, the name of both the company and the product, is described by its creators as "an end-to-end security solution that addresses the number one obstacle to adoption of containers." That obstacle is security, which Twistlock professes to address by adding multiple layers of monitoring to the way Docker containers work.
Co-founded by Ben Bernstein and Dima Stopel, ex-members of Microsoft Israel's R&D team, Twistlock's description of the security problems of Docker containers echoes one common complaint: Containers are opaque, "as security operations teams only see a virtual machine (or groups of machines) running unknown processes being accessed by large numbers of remote machines," Twistlock says in its press release.
To counter this, Twistlock provides a set of monitoring and auditing tools for containers. Besides scanning Docker images to identify possible risks, it also checks the host to ensure it meets certain "security baselines" (presumably similar to those outlined by Docker). Audit information can be generated about containers' contents or about the security measures applied to them at runtime, and security policies can be configured for containers.
The company plans to offer open source components, including one that allows developers to "plug security gates to Docker images being sent to production," as well as making ongoing contributions to the Docker project for the sake of security. But the most vital part of Twistlock's enterprise offering, the module that provides introspection into containers, will be offered as an "SLA-backed, closed-source" product.
Docker is a fast-moving project facing great pressure to provide good security for its users. What are the odds Docker will eventually provide much, or all, of this functionality? In an email, Bernstein said that while "Docker's success is our success," he believes Twistlock could "build the next layer, the one that goes beyond host hardening, the one that is usually developed by enterprise security software companies, not by the platform companies."
One theoretical advantage open source projects have over commercial ones is that they are better able to meet the security requirements of modern IT. Perhaps Docker can avoid the trap of becoming another platform whose shortcomings are all addressed by third-party management. But if not, there are any number of third parties -- Twistlock among them -- waiting to step in and do the job for a fee.