Gartner Says Docker Security Not Quite Enterprise-Ready
Depending on the use case and the controls required, Linux containers are mature enough to be used as private and public platform-as-a-service, Gartner said in its "Security Properties of Containers Managed by Docker" report. That holds even in mixed environments involving multiple trust levels, security zones, or potentially hostile tenants, although in those settings additional safeguards such as SELinux might be necessary.
The report also pointed out that containers managed by Docker are effective in isolating resources, almost as much as the controls offered by hypervisors and the Linux operating system itself in secure operations management and configuration governance.
Docker containers, however, "disappoint when it comes to secure administration and management, and to support for common controls for confidentiality, integrity and availability," wrote report author and Gartner research director Joerg Fritsch.
Hypervisor or Not?
The document also suggested that it might not help to run Docker inside a hypervisor.
"In the majority of cases, Docker might be deployed on top of guest servers that are on top of hypervisors," wrote Fritsch. "However, except for a further fortification of resource isolation, there is little to be gained from the underlying hypervisor. Docker and containers cannot inherit from the hypervisor what they lack most: secure administration and management features, and support for common controls for confidentiality, integrity and availability."
Still, Fritsch pointed out that containers can actually provide an additional level of virtualization and security when they are running on top of virtualized systems, such as hypervisors or cloud infrastructure.
Tools in the Wings
We reached out to Paul Burns, founder of IT analyst firm Neovise, who told us that as an exciting newcomer, Docker has become popular so quickly that there has been little time to develop a full complement of management tools around it.
"So, when it comes to security tools, there is plenty of room for improvement," Burns said. "This is not to say that Docker is insecure. It has more to do with establishing best practices for security in many, many different use cases."
Burns added that those best practices also include building tools and processes that automate settings, allowing Docker containers to be securely managed on a large scale.
Docker is meant to free developers from software and infrastructure dependencies, leading to cost savings and other efficiencies by automating the creation and deployment of apps in containers. Gartner's Fritsch said that companies might be better off adopting Docker technology but acknowledging its complexity and newness.
"Start with simple deployments until the de facto standards for container management and SDNs in containerized environments become clear," he wrote.
"As with any technology -- both new and well established -- IT architects and admins need to validate that they are using the right tool for the job," advised Neovise's Burns. "For instance, I don't see anyone using Docker containers as the basis for server multi-tenancy in a public cloud. That may come with time. But I do see people using containers within dedicated, virtual and cloud servers."