Thanks to Docker, containers are now the future of web development. Linux containers such as LXC or Solaris Zones have existed since the mid-2000s, but containers weren’t widely used outside of large tech companies such as Google until Docker was first released at PyCon in March 2013. In March 2014, LXC was replaced by libcontainer as the default execution environment, and container adoption for building cloud-native apps and microservices exploded. According to the 2017 Docker Adoption survey by Datadog, 15 percent of Datadog’s customers currently run Docker.
As a result of this relatively recent surge in popularity, organizations naturally separate into several different stages of Docker adoption. Here’s the breakdown:
- Beginner: The organization is testing Docker and validating how it might benefit by transitioning from monolithic to containerized apps. This includes investigating the implications of security and compliance requirements.
- Intermediate: The organization already deploys containerized applications in production and is in the process of implementing security tools into DevOps pipelines and runtime environments.
- Advanced: The organization has already transformed the majority of their apps to containerized apps and microservices. Most cloud workloads are running containers.
As with the introduction of any new technology, a majority of organizations fall into the “beginner” or “intermediate” maturity categories for deploying Dockerized apps in production. In addition to development and deployment best practices, these organizations are trying to determine how to meet the security and compliance requirements for Docker images and containers. Because containers run on a shared host and typically incorporate multiple service components to deliver a complete solution, there are many considerations required for securing Docker containers. They allow greater resource sharing on computer systems, but they also create unique security challenges.
Achieving perfect security is much like achieving perfect physical health. We do our best to get as close as we can. Because you can’t do everything all at once, solutions to security issues need to be prioritized according to risk, cost of implementation and impact. With that in mind, if you are a beginner or intermediate adopter of Docker containers, be sure to focus on these five areas when formulating your security and compliance programs:
- Integrate security and compliance early in the DevOps pipeline – Fixing security issues in containers post-deployment is far more expensive than at build time. Consider integrating container image scanning solutions into the CI tools used by developers, such as Jenkins and Atlassian Bamboo. This will help you identify issues in container images such as vulnerable packages and embedded secrets during the build process where you can choose to automatically fail the builds that don’t meet your security policy. This also enables rapid security-related feedback for developers.
- Monitor and scan container images – Security starts with visibility. DevOps teams use image registries such as Docker Private Registry, Amazon ECR and JFrog Artifactory to distribute container images. Monitor the images hosted in these image registries. This will help you to achieve visibility into container images used across your organization, as well as security issues in those images. Scanning pre-production images can enable a more proactive security posture.
- Monitor containers – Visibility into running containers themselves is as critical as the images they’re instantiated from. Identifying containers that are based on an unsafe image or come from unknown sources will ensure you’re not running vulnerable or misconfigured containers. In addition, it is important to get visibility into containers that are running in privileged mode or those that aren’t running in read-only mode.
- Secure hosts running containers – Containers are only as secure as the hosts they run on. Host operating systems and installed software packages (including the Docker engine) can have vulnerabilities or can be misconfigured, leading to security gaps which then impact all containers running on the host.
- Audit all activities – Be sure to audit the container delivery process through the entire DevOps pipeline by monitoring Docker engine events and integrating them with SIEM tools such as Sumo Logic, Splunk and Elasticsearch. By implementing the above, you should also be able to generate detailed vulnerability and configuration assessment reports to meet compliance requirements.
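As an added example, not part of the original article, here is a small Python check over `docker inspect` output that flags the runtime conditions the "Monitor containers" item describes: containers running privileged, containers without a read-only root filesystem, and containers whose image does not come from a registry you trust. The sample JSON and the trusted registry name are constructed for illustration.

```python
import json

# Constructed sample shaped like `docker inspect` output, trimmed to the fields
# this check reads (HostConfig.Privileged, HostConfig.ReadonlyRootfs, Config.Image).
# On a real host: docker inspect $(docker ps -q) produces the same JSON array.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web",
     "Config": {"Image": "registry.example.com/team/web:1.4"},
     "HostConfig": {"Privileged": False, "ReadonlyRootfs": True}},
    {"Name": "/debug",
     "Config": {"Image": "nginx:latest"},            # no registry prefix: Docker Hub
     "HostConfig": {"Privileged": True, "ReadonlyRootfs": False}},
    {"Name": "/worker",
     "Config": {"Image": "registry.example.com/team/worker:2.0"},
     "HostConfig": {"Privileged": False, "ReadonlyRootfs": False}},
])

# Assumption: only images pulled from this internal registry are approved.
TRUSTED_REGISTRIES = ("registry.example.com/",)


def audit_container(container, trusted=TRUSTED_REGISTRIES):
    """Return a list of policy findings for one `docker inspect` record."""
    findings = []
    host_cfg = container.get("HostConfig", {})
    image = container.get("Config", {}).get("Image", "")
    if host_cfg.get("Privileged"):
        findings.append("privileged")          # full host device/capability access
    if not host_cfg.get("ReadonlyRootfs"):
        findings.append("writable-rootfs")     # attacker can persist changes in the container
    if not any(image.startswith(prefix) for prefix in trusted):
        findings.append("untrusted-image-source")
    return findings


def audit_inspect_output(raw_json, trusted=TRUSTED_REGISTRIES):
    """Map container name -> findings for a whole `docker inspect` array."""
    return {c["Name"].lstrip("/"): audit_container(c, trusted)
            for c in json.loads(raw_json)}


if __name__ == "__main__":
    for name, findings in audit_inspect_output(SAMPLE_INSPECT).items():
        status = "OK" if not findings else ", ".join(findings)
        print(f"{name}: {status}")
```

Feeding the script real `docker inspect` output from a host, or from a cron job that ships the result to your SIEM, turns the visibility this item asks for into a repeatable check.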
Containers are fast becoming a popular approach to delivering agile applications. Securing Docker containers doesn’t come without challenges. Following these best practices will help you to get even closer to the ideal of perfect security in a containerized environment.