It has been just over three years since the initial release of Docker (1.0 was released in March 2013), and adoption rates are striking – or potentially alarming, depending on your organization’s level of readiness.
Recent research from Datadog for example, found that among the over 7,000 organizations they tracked, approximately 2/3 of those that evaluated container technology (specifically Docker) eventually adopted it and that most of those moved the technology directly into production within the first 30 days of use.
If that isn’t striking enough, the recent “State of Containers and the Docker Ecosystem 2015” report from Ruxit and O’Reilly Media found that 93% of respondents are already using – or plan to use – containers for development, testing or production, and that 53% of respondents plan to adopt containers in production within the next year.
Put simply, it’s unquestionable at this point that we’re in the throes of a major transformation.
It has been almost a year to the day that we first published a few quick tips for practitioners about how to get their organization ready for this first wave of container adoption. However, the landscape is changing.
Given the amount of interest (as observed through the adoption statistics), one would expect to see innovation in this space as those in the marketplace seek to meet the rapid onset of customer demand; specifically, as customers seek to integrate containers into traditional security tools and methods.
And, in fact, this is exactly what we’ve seen. Vendors like Aqua, Twistlock, and others have made available specialized products that help answer the security story, while advances in the container engines themselves (for example the 1.10 Docker release) help increase the robustness of the security aspects of container production use.
From the point of view of a practitioner, this is both good news and bad news. The good news is that they have more options to consider as they plan out their strategy for securing the containerized environment; it allows them to plan a more mature and sophisticated approach. As solutions emerge, they can evaluate the utility of those tools against their unique needs and select those that best address the challenges they have.
The bad news though is that, at least during the initial phases of adoption, the marketplace is likely to change quickly. New players will emerge, individual suppliers will change direction in response to changing market conditions and customer demand, more established players are likely to find themselves merging into larger and more established players. All of this is likely to occur at the same time that changes to the underlying container platforms cause rapid shifts in the need for – and the application of – these companion products.
Becoming a Smart Buyer
Given this dynamic, the onus is on the buyer to be savvy about purchases they make – to be a smart buyer. This is of course true of any purchase, but it’s particularly so here. Why? Two reasons.
First, as outlined above, the market is dynamic. Not only must solutions serve their purpose today, but today’s investments need to stay relevant tomorrow. Second, because usage can start small (for example among populations of individual developers) and build (expanding to broader teams), the potential for shadow adoption is high. Because of this, we need to pick solutions that can be fielded quickly and that can account for usage we discover on the fly.
Doing this well starts with requirements (that’s not “sexy” but it’s the truth). Start with the scope of your own usage. How are you using containers? In the cloud or on premise only? Is it just for development and staging or are you using them in a production context as well? Will containers be used to store/process/transmit data that is governed by specific regulatory requirements like PCI or HIPAA? Will they be part of an IT audit? Is the scope just Docker – or does it include AppC and Rocket as well? These are all important questions that will have a bearing on the risk decisions you make. It might take some legwork to answer these questions.
Likewise, you’ll obviously want to understand what you’re hoping to accomplish (from a security standpoint) and what you’ll expect to get back from the tools or services you select. Is monitoring capability most important to you? If so, you’ll probably want to emphasize SIEM integration and monitoring features. However, if access control and policy enforcement is the itch you’re looking to scratch, those features rise in importance.
Particularly important to pay attention to as you do this is the degree to which the choices you select will integrate with processes you have – and what you anticipate processes to become – as you transition to a containerized environment. Rani Osnat, VP Marketing at Aqua, highlighted the impact of this last point in particular (and the often unexpected speed with which processes can change) saying that, “Containerized environments often work at DevOps speeds. Make sure that policy creation, policy updates, and security enforcement are all automated and integrated with CI/CD and orchestration tools.”
Once you have an idea about your existing usage and your expectations, it is time to approach the vendor space. Given the pace at which containerization is being deployed in many shops, there may not be “oceans” of time to respond to an actual container usage scenario. Should you discover one already in use – or, alternatively, a use case that doesn’t (currently) support the production environment or that is otherwise limited in scope – it could expand quickly, leaving you struggling to respond.
As such, it might be advantageous to spend some time evaluating the space even in advance of a migration to full-blown usage. The time you spend now could very well pay for itself down the road.
Ed Moyle is Director of Thought Leadership and Research for ISACA. Prior to joining ISACA, Ed was a founding partner of the analyst firm Security Curve. In his more than 15 years in information security, Ed has held numerous practitioner and analyst positions including senior manager with CTG’s global security practice, vice president and information security officer for Merrill Lynch Investment Managers, and senior security analyst with Trintech. Ed is co-author of Cryptographic Libraries for Developers and a frequent contributor to the Information Security industry as author, public speaker, and analyst.