CIS Docker Security Guidance Plus Halo Helps DevOps Shops Harden Docker Implementations

As of April 29th of this year, the Center for Internet Security (CIS) has released its Docker v1.6 Benchmark v1.0, a security guidance for industry professionals seeking to secure their Docker v1.6 implementations and solutions. A cross-vendor team including representation from Docker, the CIS, VMware, Rakuten, Cognitive Scale, and the International Securities Exchange (ISE) contributed to this guidance. Personally, it’s encouraging to see the ISE with its finance industry security requirements sign off on this benchmark.

“The CIS is a well-recognized organization in the security industry and, just like the Defense Information Systems Agency (DISA) or the NSA, they provide security guidelines for configuring and hardening various server and other computing environments,” says Amrit Williams (listed as Amrit Williams DePaulo on LinkedIn), CTO, CloudPassage, which offers Halo, a security tool that monitors systems and reports on whether and to what degree the enterprise has implemented the CIS Docker v1.6 Benchmark.


Get Hardened

Docker v1.6 ships with native hardening and security measures that Docker deliberately does not enable by default, so that enterprise customers can select only the configurations they consider appropriate for their organization. “Docker, recognizing that this was quite a challenging thing for people to do and figure out on their own because it requires not only security expertise, but pretty extensive Linux administration expertise, worked closely with the Center for Internet Security to develop the set of benchmarks, which is about 140 pages in length,” says Williams.

Since 140 pages is still a lot to wade through, CloudPassage hopes that enterprises will use its Halo solution to save even more time in accurately setting these configurations. CloudPassage offers the same facility for other benchmarks, whether they come from the CIS or similar organizations.

“We ingest benchmarks like this one and automate the process of checking the enterprise’s entire environment continuously to determine how well they are aligned with these benchmarks,” says Amrit Williams. Halo alerts the enterprise as to where its configurations differ from the benchmark and provides corrective steps to remediate these deviations. Halo provides these monitoring results in under a minute, says Williams, so the enterprise can make the corrections in short order. It would take one person a year or two of Sundays to do this without this tool, according to Williams.

You Make the Final Call

CloudPassage’s Halo product does not actually make the needed changes to bring the enterprise Docker configurations up to the benchmark. That, says Williams, is due to the separation of duties that requires the enterprise security team to audit the environment while the operations team makes the changes. “Now we do automate the process of pushing those changes over to a workflow that the operational teams can use, but we don’t enforce those configuration changes ourselves,” says Williams.

The benchmark could bring professionals who do not know all the nuances of Docker security up to a level where they can apply these Docker configurations as effectively as true Docker experts. If Halo lives up to its press and its users like how it works with the new CIS benchmark, it could help reinforce Docker adoption by even the most security-conscious enterprises.

Using Halo to check systems against the CIS benchmark is as easy as checking a box in the software before running it, says Williams, with no manual intervention required.

Halo also addresses east-west traffic internal to the development and operations environments, controlling the local firewall to lock it down without the enterprise security team having to manually change firewall rules to suit Docker security requirements. “We’re giving that power to the workload guys who run the workloads so they have that power, the ability to basically lock down the traffic or to extend traffic based on their (security and performance) needs,” says Williams.

In the meantime, enterprises comparing Docker to CoreOS Rocket and other container solutions for suitability based on security can test what this benchmark and Halo can do for them. If the results are pleasing, the outcome could stifle talk of Docker security shortcomings.

David Geer

David Geer’s work has appeared in ScientificAmerican, The Economist Technology Quarterly, CSO & CSOonline, FierceMarkets, TechTarget, InformationWeek, Computerworld, IEEE Computer Society’s Computer magazine, IEEE Distributed Systems Online, Government Security News, Laptop, Smart Computing, Technical Support, The Hosting Standard (Canada), (UK), SIGnature, Processor, and the Engineering News-Record. David served as a technician at CoreComm in Cleveland, OH prior to venturing into writing.
