DockerCon changes as Docker doubles down on servicing enterprise needs
May 23 2019
by Fernando Montenegro, Jean Atelsek
As industry buzz around digital transformation continues unabated, there are two dynamics at play. First, there is a tremendous demand for innovation and improvement around the new technologies that are the fundamental building blocks of cloud-native: containers, orchestration and service mesh, among others. Second, there is the more down-to-earth, but still fundamental, aspect of getting those technologies into the hands of enterprise customers. This seems to be the focus for Docker as the key theme of this year's DockerCon conference.
The 451 Take
Thanks in large part to Docker's early leadership in the industry, delivering cloud-native and cloud-friendly applications on containers has exploded in popularity, unlocking benefits to customers and a vibrant community around containers and the surrounding technology. As the industry evolves, though, it brings both challenges and opportunities for the company. On one hand, a lot of the momentum on innovation has shifted to community-led efforts, such as Kubernetes and service meshes, forcing the company to catch up. On the other hand, it brings in potential customers eager to adopt new technology but wanting the comfort and simplicity of Docker's platform. As the company navigates turbulent waters – CEO Steve Singh announced that he's stepping down shortly after the event – the jury is out on how the company will evolve.
For those considering the security aspects of container environments, the good news is that there are significant capabilities built into platforms such as Docker Enterprise and its competitors, in addition to a well-established ecosystem of security vendors. We're hopeful that the new generation of container-based applications will indeed be more secure.
DockerCon attendance was visibly down from 2018, with an estimated 4,200 people attending (versus about 5,000 in 2018). The expo area seemed a bit smaller, as well, although the number of vendors attending was similar. The cause of this drop is likely a combination of factors. These include the significant rise in interest for the initiatives headed by the Cloud Native Computing Foundation (CNCF), which happens to be hosting a large event in Europe soon after DockerCon, and the usual conference glut, with DockerCon sandwiched between Google Next just a couple of weeks before and Microsoft Build, Red Hat Summit and KubeCon/CNCFcon Europe just after. Docker's own European event in 2018 was not too long ago.
Still, a large proportion of participants were attending DockerCon for the first time, indicating both demand for the company's offerings and new people coming into the industry. The company took the opportunity to showcase its products, as well as its community, with several awards to and testimonials from both enterprise customers and community supporters.
Docker for the enterprise
DockerCon veterans observed that this year's attendees were more enterprise-focused than in previous years, now that much of the developer community has decamped to KubeCon for open source and cloud-native goodness. To target this more business-oriented crowd, announcements and demos focused on the upcoming Docker Enterprise 3.0 release (now in public beta) and initiatives designed to support businesses as they modernize their IT estates with containers, while still allowing a measure of choice with common tooling across clouds and out to the edge.
Docker Desktop Enterprise is a seminal part of the company's enterprise approach and is already generally available; it will be fully integrated with the 3.0 release, which is expected in Q2. The goal is to accelerate container adoption by enterprise developers and reduce points of friction in app delivery pipelines. The program automatically generates scaffolding – including Dockerfiles, Compose files and CI/CD pipelines – by delivering the Docker Engine, complete with Swarm and Kubernetes orchestration, from the developer's desktop to the server/cloud. The company claims Docker Desktop Enterprise is interoperable with any IDE, programming language and app framework (emphasizing the freedom-of-choice theme), and enables centralized management for IT teams.
Other elements of Docker Enterprise 3.0 that were showcased at the event include Docker Kubernetes Service, which the company says is the only platform offering consistent desktop-to-server/cloud support for Compose, Helm and Kubernetes; Docker Applications, designed to simplify patching and app distribution by putting definitions and references in an immutable 'container of containers' with parameterized variables for 'code once, deploy anywhere' functionality; and Docker Enterprise-as-a-Service, which offers fully managed operations for on-premises (initially OpenStack), public cloud (initially AWS or Azure) and hybrid deployments, with on-demand provisioning and scaling, and consumption-based pricing.
The company is also expanding its enterprise-focused solution bundles, which were introduced in 2018 as MTA (modernize traditional applications), focusing on two use cases: re-platforming legacy Java and .NET applications for container operation, and modernizing brownfield deployments (monolithic apps that are still being developed with cloud-native elements). The company sees a lot of 'license takeout' happening as part of the MTA motion due to the impending end-of-life of Windows Server 2008 in 2020. In addition to MTA for legacy and brownfield applications, there is a new solution, Accelerate Greenfield, for greenfield, container-first deployments. MTA solutions consist of bundles incorporating Docker Enterprise, preconfigured stacks and automation tools, and professional services and training, delivered by Docker itself and in conjunction with SI partners.
Docker and security
Security within Docker was, paradoxically, both a secondary topic and, due to an untimely incident, a topic of interest at the conference. The Docker Enterprise offering includes several security features and promotes security by default in components such as the new Kubernetes service in the upcoming version 3.0. Additional security announcements include support for PKI authentication and group-managed service accounts. The company also discussed support for a security abstraction layer that will be useful for leveraging hardware security modules.
Interestingly, security was more of an issue – the company disclosed a security incident within its public Docker Hub infrastructure just a few days before the conference. The incident affected a small portion of the user base – approximately 190,000 users, or 5% of its overall community – and is still being investigated. The incident also affected automated image builds for those accounts on external sites, highlighting the interconnected nature of the modern software supply chain. The issue was not related to its enterprise-focused Docker Trusted Registry offering.
Similar to how the rest of the conference seems to have shifted to a more focused message on supporting enterprises, the security vendors on the expo floor at DockerCon were, for the most part, making claims about how they can support those efforts. Security offerings made up approximately one-quarter of all sponsors. While a few vendors from 2018 were absent, new entrants kept overall numbers similar. Vendor presence included those focusing on distinct aspects of the lifecycle – build, ship and run – as well as those that have adopted a 'lifecycle approach' to container security. For a broader view into how we look at the container security market, please refer to our Container Security Market Map.
Vendors focusing on 'lifecycle' protection – from build through runtime protection – included Twistlock, Aqua Security, Sysdig, StackRox and NeuVector, as well as well-known security vendors Trend Micro and Qualys. Twistlock claimed additional CIS compliance for its platform, while others didn't have specific announcements for the show. Aqua Security just completed a significant raise, Trend Micro is making headway with broader support for Kubernetes integration and Qualys was positioning the technology it recently acquired with Layered Insight.
Build-time security vendors focus on ensuring that container images are built securely, often through the use of software composition analysis functionality, either as a main offering or as part of their broader product sets. This year's participants included Anchore, JFrog, Synopsys, WhiteSource and Snyk. Synopsys has integrated its Black Duck acquisition, and discussed the role of its recent risk report and research centers. WhiteSource highlighted increased container support.
Ship-time considerations deal with access control, secret management and more. Many of these features are increasingly built into the platforms themselves, such as Docker Enterprise, Rancher and others, not to mention the offerings from cloud providers. From a security perspective, it was interesting to observe two new vendors. CryptoMove is a startup looking to capitalize on the field of 'moving target defense,' a technique for protecting data and systems that relies on constant changes to the environment. The concept is well understood in academia and defense circles, and the company has employed it for protecting secrets in Kubernetes deployments. Styra is a startup that is providing a commercial offering based on the Open Policy Agent (OPA) project. OPA implements simplified policy management of many aspects of containers and Kubernetes deployments.
Runtime protection includes covering both network and host environments for container execution, but the focus for this year's vendors at DockerCon was primarily network-centric. Juniper has included container support in its datacenter-centric offerings, and Nginx positioned its load-balancing offerings. Signal Sciences highlighted the importance of application-security features with its WAF. Tigera was also presenting enterprise-focused versions of its offering, based on the popular Calico framework.