Written by Ash Wilson, Strategic Engineering Specialist, CloudPassage
Thanks to Docker,
containers are now the future of web development. Containers such as LXC on
Linux or Solaris Zones have existed since the mid-2000s, but they weren't
widely used outside of large tech companies such as Google until Docker was
first released at PyCon in
March 2013. In March 2014, LXC was replaced
by libcontainer as Docker's default execution environment, and container adoption for
building cloud-native apps and microservices exploded. According to the 2017 Docker adoption survey by
Datadog, 15 percent of Datadog's customers currently run Docker.
As a result of this relatively recent surge in popularity,
organizations naturally separate into several different stages of Docker
adoption. Here's the breakdown:
- Beginner:
The organization is testing Docker and validating how they might benefit
by transitioning from monolithic to containerized apps. This includes
investigating the implications of security and compliance requirements.
- Intermediate:
The organization already deploys containerized applications in production
and is in the process of implementing security tools into DevOps pipelines
and runtime environments.
- Advanced:
The organization has already transformed the majority of their apps to
containerized apps and microservices. Most cloud workloads are running
containers.
As with the introduction
of any new technology, a majority of organizations fall into the "beginner" or
"intermediate" maturity categories for deploying Dockerized apps in production.
In addition to development and deployment best practices, these organizations
are also trying to determine how to meet the security and compliance
requirements for Docker images and containers. Because containers share a
host (and that host's kernel) and typically combine multiple service components
to deliver a complete solution, securing a container environment involves many
considerations. Containers allow greater resource sharing on computer systems,
but a vulnerable or misconfigured container, image, or host can expose everything
running alongside it, which creates unique security challenges.
Achieving perfect security is much like achieving perfect physical
health. We do our best to get as close as we can. Because you can't do
everything all at once, solutions to security issues need to be prioritized
according to risk, cost of implementation, and impact. With that in mind, if
you are a beginner or intermediate adopter of Docker containers, be sure to
focus on these five areas when formulating your security and compliance
programs:
- Integrate security & compliance early in the
DevOps pipeline - Fixing security issues in containers post-deployment is far more
expensive than fixing them at build time. Consider integrating container
image scanning into the CI tools developers already use, such as
Jenkins and Atlassian Bamboo. This helps you identify issues in
container images, such as vulnerable packages and embedded secrets, during
the build, where you can choose to automatically fail builds
that don't meet your security policy. It also gives developers rapid
security-related feedback.
- Monitor & scan container images - Security starts
with visibility. DevOps teams use image registries such as Docker Private
Registry, Amazon ECR, and JFrog Artifactory to distribute container
images. You should monitor the images hosted in these registries.
This gives you visibility into the container images used across
your organization, as well as the security issues in those images. Scanning
pre-production images enables a more proactive security posture.
- Monitor containers - Visibility into running
containers is as critical as visibility into the images they're instantiated
from. Identifying containers that are based on an unsafe image, or that come
from unknown sources, helps ensure you're not running vulnerable or
misconfigured containers. In addition, it is important to get visibility
into containers that are running in privileged mode (a privileged container
gets access to the host's devices and all capabilities, so compromising it
effectively compromises the host), and those whose root filesystem isn't
mounted read-only.
- Secure hosts running containers - Containers are
only as secure as the hosts they run on, because every container shares the
host's kernel. Host operating systems and installed software packages
(including the Docker engine) can have vulnerabilities or can be misconfigured,
leading to security gaps that affect all containers running on the host.
- Audit all activities - Audit the container
delivery process through the entire DevOps pipeline by monitoring Docker
engine events and integrating them with SIEM and log-analysis tools such as Sumo Logic,
Splunk and Elasticsearch. Having implemented the above, you should also be
able to generate detailed vulnerability and configuration assessment
reports to meet compliance requirements.
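The "monitor containers" item above boils down to a policy check over what the Docker engine already knows about each running container. The script below is an added example, not code from the original post or from CloudPassage: it parses the JSON that `docker inspect` emits and flags the conditions the post names (privileged mode, a writable root filesystem, an image from a registry outside an allow-list), plus the `SYS_ADMIN`/`ALL` capability grants that make a non-privileged container nearly as dangerous. The inspect records and the registry allow-list are constructed for the example; in production you would feed it the output of `docker inspect $(docker ps -q)`.

```python
"""Audit running containers for risky runtime settings.

Added example (not from the original post). Reads the JSON array that
`docker inspect` prints and reports, per container, the findings a
beginner/intermediate Docker shop most wants to see. Only the keys the
checks need are shown in the constructed sample below.
"""
import json

# Constructed allow-list; replace with your organisation's registries.
APPROVED_REGISTRIES = {"registry.example.internal", "docker.io"}

# Constructed excerpt of `docker inspect` output (only the keys we read).
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "aaa111",
        "Name": "/web",
        "Config": {"Image": "registry.example.internal/team/web:1.4"},
        "HostConfig": {"Privileged": False, "ReadonlyRootfs": True,
                       "CapAdd": None},
    },
    {
        "Id": "bbb222",
        "Name": "/build-agent",
        "Config": {"Image": "ubuntu:16.04"},
        "HostConfig": {"Privileged": True, "ReadonlyRootfs": False,
                       "CapAdd": ["SYS_ADMIN"]},
    },
    {
        "Id": "ccc333",
        "Name": "/cache",
        "Config": {"Image": "quay.example.org/infra/redis:3.2"},
        "HostConfig": {"Privileged": False, "ReadonlyRootfs": False,
                       "CapAdd": []},
    },
])


def image_registry(image_ref):
    """Return the registry host an image reference resolves to.

    Docker treats the first path component as a registry only when it
    contains '.' or ':' or is 'localhost'; anything else (e.g. 'ubuntu:16.04'
    or 'library/nginx') comes from the default registry, docker.io.
    """
    first = image_ref.split("/", 1)[0]
    if "/" in image_ref and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def audit_container(record, approved=APPROVED_REGISTRIES):
    """Return the list of findings for one `docker inspect` record."""
    host = record.get("HostConfig", {})
    image = record.get("Config", {}).get("Image", "")
    findings = []
    if host.get("Privileged"):
        findings.append("privileged")
    if not host.get("ReadonlyRootfs"):
        findings.append("writable-rootfs")
    caps = host.get("CapAdd") or []          # None when nothing was added
    if "SYS_ADMIN" in caps or "ALL" in caps:
        findings.append("dangerous-capability")
    registry = image_registry(image)
    if registry not in approved:
        findings.append("unapproved-registry:" + registry)
    return findings


def audit_inspect_output(inspect_json, approved=APPROVED_REGISTRIES):
    """Map container name -> findings, for every container that has any."""
    results = {}
    for record in json.loads(inspect_json):
        findings = audit_container(record, approved)
        if findings:
            results[record["Name"].lstrip("/")] = findings
    return results


if __name__ == "__main__":
    for name, findings in audit_inspect_output(SAMPLE_INSPECT).items():
        print("%s: %s" % (name, ", ".join(findings)))
```

Expect a writable root filesystem on most containers in a fleet that has not been designed for `--read-only`, so treat that finding as something to track down per image (it usually means a log or temp directory needs a tmpfs or volume) rather than as an immediate block; the privileged and `SYS_ADMIN` findings, by contrast, should be rare enough to alert on.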
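The "audit all activities" item depends on getting Docker engine events into a shape a SIEM can index and alert on. The script below is an added example, not code from the original post or from any SIEM vendor: it takes the one-object-per-line output of `docker events --format '{{json .}}'`, flattens each event into a record, and marks the ones worth an alert rather than just a log line (an `exec` into a running container, a kill, an OOM, or a non-zero exit). The sample event lines, the flat record layout, and the alert policy are constructed for this example; only the input shape is Docker's.

```python
"""Normalise `docker events` JSON lines for a SIEM and flag audit-worthy ones.

Added example (not from the original post). `docker events --format '{{json .}}'`
prints one JSON object per engine event; SAMPLE_EVENTS is constructed to
match that shape. The flat record layout and ALERT_ACTIONS are this
example's choices, not any SIEM's schema.
"""
import json

# Constructed sample lines in the shape of `docker events --format '{{json .}}'`.
SAMPLE_EVENTS = """\
{"status":"pull","id":"nginx:1.13","Type":"image","Action":"pull","Actor":{"ID":"nginx:1.13","Attributes":{"name":"nginx"}},"scope":"local","time":1500000000,"timeNano":1500000000000000000}
{"status":"start","id":"bbb222","from":"ubuntu:16.04","Type":"container","Action":"start","Actor":{"ID":"bbb222","Attributes":{"image":"ubuntu:16.04","name":"build-agent"}},"scope":"local","time":1500000010,"timeNano":1500000010000000000}
{"status":"exec_create: /bin/sh","id":"bbb222","from":"ubuntu:16.04","Type":"container","Action":"exec_create: /bin/sh","Actor":{"ID":"bbb222","Attributes":{"execID":"e1","image":"ubuntu:16.04","name":"build-agent"}},"scope":"local","time":1500000020,"timeNano":1500000020000000000}
{"status":"die","id":"bbb222","from":"ubuntu:16.04","Type":"container","Action":"die","Actor":{"ID":"bbb222","Attributes":{"exitCode":"137","image":"ubuntu:16.04","name":"build-agent"}},"scope":"local","time":1500000030,"timeNano":1500000030000000000}
"""

# Actions that merit an alert, not just a log line. Constructed policy.
ALERT_ACTIONS = {"exec_create", "exec_start", "kill", "oom"}


def normalise_event(line):
    """Turn one `docker events` JSON line into a flat SIEM-friendly record.

    Docker encodes the exec command in the Action string itself
    ("exec_create: /bin/sh"), so the action name is split off the detail.
    """
    ev = json.loads(line)
    raw_action = ev["Action"]
    action = raw_action.split(":", 1)[0].strip()
    detail = raw_action[len(action) + 1:].strip() if ":" in raw_action else ""
    attrs = ev.get("Actor", {}).get("Attributes", {})
    exit_code = attrs.get("exitCode")
    return {
        "time": ev["time"],
        "type": ev["Type"],
        "action": action,
        "detail": detail,
        "actor_id": ev["Actor"]["ID"],
        "container": attrs.get("name"),
        "image": attrs.get("image"),
        "exit_code": exit_code,
        # Alert on interactive access, kills/OOMs, and abnormal exits.
        "alert": action in ALERT_ACTIONS
                 or (action == "die" and exit_code not in (None, "0")),
    }


def process_events(text):
    """Normalise every non-empty line; return (all_records, alert_records)."""
    records = [normalise_event(l) for l in text.splitlines() if l.strip()]
    alerts = [r for r in records if r["alert"]]
    return records, alerts


if __name__ == "__main__":
    records, alerts = process_events(SAMPLE_EVENTS)
    for rec in records:
        print(json.dumps(rec))          # one JSON record per line for shipping
    print("%d events, %d alerts" % (len(records), len(alerts)))
```

Shipping the flattened records as JSON lines keeps them usable by Splunk, Sumo Logic and Elasticsearch alike; the `alert` field is just a hint for whoever writes the SIEM rule, since an `exec_create` into a build agent at 3 a.m. and one from a known deploy pipeline deserve different treatment.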
Containers are fast becoming a popular approach to delivering
agile applications. Securing containers doesn't come without challenges.
Following these best practices will help you to get even closer to the ideal of
perfect security in a containerized environment.
## About the Author
Ash Wilson is originally from Apison, Tennessee, and has been
living in San Francisco since 2012. He has been a paid tech worker since March
2000, and a hobbyist long before that. He came to security via network
engineering and systems administration. Ash spent the last seven years in
post-sales engineering and strategic engineering for security product
companies, and currently works for CloudPassage.