"The bigger issue is enterprises having to come to terms and understand what security means [regarding] containers, because it's different than virtual machines," said Dave Bartoletti, principal analyst with Forrester Research, Inc., in Cambridge, Mass.
Virtual machines (VMs) have a full operating system (OS), isolation, direct hardware access and a mature industry around them. Docker containers, however, are Linux processes that run on an OS, meaning anyone with access to root privileges can start and stop containers, or perform some other nasty task, if access isn't hardened, Bartoletti said.
It's an issue that remains largely unsolved, as vendors, including Red Hat Inc. and Joyent, approach the challenge differently. But with everyone from IBM to Microsoft focusing on container security, improvements are likely over the next year.
For now, container security is as much about process and governance as it is about technology. Experts urge organizations to run application containers only with tightly restricted permissions and to monitor the underlying OS. Private Docker image repositories, kept in databases behind firewalls, are another solution.