The organization at the heart of modern open-source cloud-computing standards has taken another two projects under its umbrella, tackling container security for the first time.
Members of the Cloud Native Computing Foundation have voted to absorb Notary and TUF into the group, the foundation plans to announce Tuesday at the Open Source Summit Europe in Prague. Notary, the first project, is an implementation of The Update Framework (known as TUF) specification, used to verify that the container images being deployed are the ones their publishers actually signed.
Notary was developed at Docker, and it allows software development teams to cryptographically sign their container images, proving that the author holds a key authorized to publish that image, said Nathan McCauley, director of security at Docker. It also verifies that the image hasn't been tampered with along the way, and multiple signatures can be attached to an image as it moves through the software development process.
It’s based on TUF, the second project coming into the CNCF Tuesday. TUF is a specification that was developed by Justin Cappos while he was a researcher at the University of Washington and refined during his tenure at NYU as a professor.
Think of the relationship between TUF and Notary like that of the relationship between the HTTP protocol and a web browser, Cappos said. HTTP is the underlying plumbing that makes everything happen, but it's not really useful without a browser.
TUF makes it harder for attackers to compromise an entire network if they manage to hack into a server, Cappos said. It does that by assigning different cryptographic keys, with different responsibilities, to the roles involved in producing and distributing software, so that if one key or server is compromised, the whole thing doesn't collapse.
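As an added illustration of that idea (example code written for this page, not Notary's or the TUF reference implementation's own code): a minimal Go model of TUF-style roles with signature thresholds and path delegation, using the standard library's ed25519. The role and target structures, the path-prefix delegation rule, the role names and the sample image names are simplifications assumed for the example; real TUF metadata is signed JSON with root, targets, snapshot and timestamp roles, and Notary layers its own conventions on top.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// Role is a simplified TUF-style role: the public keys trusted for it, how
// many distinct keys must sign, and (for delegated roles) the target-path
// prefixes it may vouch for. Assumed structure for this example only.
type Role struct {
	Name      string
	Keys      []ed25519.PublicKey
	Threshold int
	Paths     []string // empty means "any path" (the top-level targets role)
}

// Signature pairs the signer's public key with a signature over the payload.
type Signature struct {
	Key ed25519.PublicKey
	Sig []byte
}

// Target is what is being attested: an image path and its content digest.
type Target struct {
	Path   string
	Digest string
}

// payload is the byte string that gets signed (a stand-in for TUF's JSON).
func (t Target) payload() []byte { return []byte(t.Path + "\x00" + t.Digest) }

// inScope reports whether the role has been delegated authority over path.
func (r Role) inScope(path string) bool {
	if len(r.Paths) == 0 {
		return true
	}
	for _, p := range r.Paths {
		if strings.HasPrefix(path, p) {
			return true
		}
	}
	return false
}

// Verify applies the rules that limit the blast radius of a key compromise:
// the role must be delegated the path, only keys listed for the role count,
// each key counts once, and at least Threshold distinct keys must sign.
func Verify(r Role, t Target, sigs []Signature) error {
	if !r.inScope(t.Path) {
		return fmt.Errorf("role %q is not delegated %q", r.Name, t.Path)
	}
	seen := map[string]bool{}
	for _, s := range sigs {
		for _, k := range r.Keys {
			if string(k) == string(s.Key) && !seen[string(k)] && ed25519.Verify(k, t.payload(), s.Sig) {
				seen[string(k)] = true
			}
		}
	}
	if len(seen) < r.Threshold {
		return fmt.Errorf("role %q: %d valid signatures, need %d", r.Name, len(seen), r.Threshold)
	}
	return nil
}

func sign(priv ed25519.PrivateKey, t Target) Signature {
	return Signature{Key: priv.Public().(ed25519.PublicKey), Sig: ed25519.Sign(priv, t.payload())}
}

func genKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Outcome holds the three checks the scenario runs; nil means "accepted".
type Outcome struct {
	TeamSignsOwnImage    error // expected nil
	TeamSignsOtherImage  error // expected error: outside delegated scope
	OneOfTwoTargetsKeys  error // expected error: threshold not met
}

// Scenario builds a two-key targets role that delegates "team-a/" to a
// single team key, then shows what each key can and cannot authorize.
func Scenario() Outcome {
	t1Pub, t1Priv := genKey()
	t2Pub, _ := genKey()
	targets := Role{Name: "targets", Keys: []ed25519.PublicKey{t1Pub, t2Pub}, Threshold: 2}

	teamPub, teamPriv := genKey()
	teamA := Role{Name: "team-a", Keys: []ed25519.PublicKey{teamPub}, Threshold: 1, Paths: []string{"team-a/"}}

	// Constructed sample targets; the digests are placeholders.
	own := Target{Path: "team-a/api:1.4.2", Digest: "sha256:" + strings.Repeat("ab", 32)}
	other := Target{Path: "team-b/db:9.0", Digest: "sha256:" + strings.Repeat("cd", 32)}

	return Outcome{
		TeamSignsOwnImage:   Verify(teamA, own, []Signature{sign(teamPriv, own)}),
		TeamSignsOtherImage: Verify(teamA, other, []Signature{sign(teamPriv, other)}),   // stolen team key cannot vouch for team-b
		OneOfTwoTargetsKeys: Verify(targets, own, []Signature{sign(t1Priv, own), sign(t1Priv, own)}), // same key twice does not meet threshold 2
	}
}

func main() {
	o := Scenario()
	fmt.Println("team-a signs its own image:    ", o.TeamSignsOwnImage)
	fmt.Println("team-a signs team-b's image:   ", o.TeamSignsOtherImage)
	fmt.Println("one of two targets keys signs: ", o.OneOfTwoTargetsKeys)
}
```

The point the model makes is the one Cappos describes: a compromised team key can only sign images under the prefix it was delegated, and a single compromised key in a threshold-2 role cannot act alone, so an attacker who takes one server or one developer's key does not gain control over the whole repository.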
Container security was an early concern for teams thinking about containerizing their applications, but Docker, which is nearly synonymous with the rise of containers, developed Docker Content Trust in 2015 in hopes of allaying those concerns. Container adoption has exploded since then, and Docker hopes Notary will allow other teams working on products and services around containers to implement better security practices, McCauley said.
“Good security solutions are few and far between,” he said. “When something is good, it’s good for us for it to end up in the CNCF.”
The CNCF, which counts Docker and just about every major player involved in cloud computing as a platinum member, now administers 14 open-source projects. Container orchestrator Kubernetes is the flagship project under the foundation, which provides development resources towards projects selected for inclusion.
McCauley said it was too early to know whether Notary would become the security blanket for Kubernetes, given that it's the first security-focused project accepted into the CNCF, but noted that Kubernetes these days appears to be moving in a more decentralized direction, allowing users to plug custom components into the core project.