Written by Ash Wilson, Strategic Engineering Specialist, CloudPassage

Thanks to Docker, containers are now the future of web development. Linux Containers, such as LXC or Solaris Zones, have existed since the mid-2000s, but containers weren't widely used outside of large tech companies such as Google until Docker was first released at PyCon in March 2013. In March 2014, LXC was replaced by libcontainer as the default execution environment, and container adoption for the building of cloud native apps and microservices exploded. According to the 2017 Docker Adoption survey by Datadog, 15 percent of Datadog's customers currently run Docker.

As a result of this relatively recent surge in popularity, organizations naturally separate into several different stages of Docker adoption. Here's the breakdown:

• Beginner: The organization is testing Docker and validating how they might benefit by transitioning from monolithic to containerized apps. This includes investigating the implications of security and compliance requirements.
• Intermediate: The organization already deploys containerized applications in production and is in the process of implementing security tools into DevOps pipelines and runtime environments.
• Advanced: The organization has already transformed the majority of their apps to containerized apps and microservices. Most cloud workloads are running containers.
  

As with the introduction of any new technology, a majority of organizations fall into the "beginner" or "intermediate" maturity categories for deploying Dockerized apps in production. In addition to development and deployment best practices, these organizations are also trying to determine how to meet the security and compliance requirements for Docker images and containers. Because containers run on a shared host and typically incorporate multiple service components to deliver a complete solution, there are many considerations required to secure container environments. They allow greater resource sharing on computer systems, but also create unique security challenges.

Achieving perfect security is much like achieving perfect physical health. We do our best to get as close as we can. Because you can't do everything all at once, solutions to security issues need to be prioritized according to risk, cost of implementation, and impact. With that in mind, if you are a beginner or intermediate adopter of Docker containers, be sure to focus on these five areas when formulating your security and compliance programs:

1. Integrate security & compliance early in the DevOps pipeline - Fixing security issues in containers post-deployment is far more expensive than at build time. You should consider integrating container image scanning solutions into the CI tools used by developers-such as Jenkins and Atlassian Bamboo. This will help you identify issues in container images such as vulnerable packages and embedded secrets during the build process where you can choose to automatically fail the builds that don't meet your security policy. This also enables rapid security-related feedback for developers.
2. Monitor & scan container images - Security starts with visibility. DevOps teams use images registries such as Docker Private Registry, Amazon ECR, and jFrog Artifactory to distribute container images. You should monitor the images hosted in these image registries. This will help you to achieve visibility into container images used across your organization, as well as security issues in those images. Scanning pre-production images can enable a more proactive security posture.
3. Monitor containers - Visibility into running containers themselves is as critical as the images they're instantiated from. Identifying containers that are based on an unsafe image, or come from unknown sources, will ensure you're not running vulnerable or misconfigured containers. In addition, it is important to get visibility into containers that are running in privileged mode, or those that aren't running in read-only mode.
4. Secure hosts running containers - Containers are only as secure as the hosts they run on. Host operating systems and installed software packages (including the Docker engine) can have vulnerabilities or can be misconfigured, leading to security gaps which then impact all containers running on the host.
5. Audit all activities - Be sure to audit the container delivery process through the entire DevOps pipeline by monitoring Docker engine events, and integrating them with SIEM tools such as SumoLogic, Splunk and ElasticSearch. By implementing the above, you should also be able to generate detailed vulnerability and configuration assessment reports to meet compliance requirements.
   

Containers are fast becoming a popular approach to delivering agile applications. Securing containers doesn't come without challenges. Following these best practices will help you to get even closer to the ideal of perfect security in a containerized environment.

##

About the Author

Ash Wilson is originally from Apison, Tennessee, and has been living in San Francisco since 2012. He has been a paid tech worker since March 2000, and a hobbyist long before that. He came to security via network engineering and systems administration. Ash spent the last seven years in post-sales engineering and strategic engineering for security product companies, and currently works for CloudPassage.