Linux Containers, such as LXC & Solaris zones, have existed since the mid 2000s. However, containers weren’t widely used outside of large tech companies such as Google until Docker was first released at PyCon in March 2013 followed by the replacement of LXC with libcontainer as the default execution environment in March 2014. According to the 2017 Docker Adoption survey by Datadog, containers started seeing adoption for the building of cloud native apps and microservices starting in 2014. So naturally, organizations are in various stages of Docker adoption:
- Early adopters: The organization is testing Docker and validating if they would benefit by transitioning from monolithic apps to containerized apps. This includes investigating the implications of security and compliance requirements.
- Intermediate: The organization already deploys containerized applications into production and is in the process of implementing security tools into DevOps pipelines and runtime environments.
- Advanced: A majority of apps have been transformed to containerized apps and micro-services. Most cloud workloads are running containers.
As with the introduction of any new technology, a majority of organizations fall into the “early adopter” or “intermediate” maturity categories for deploying Dockerized apps in production. In addition to development and deployment best practices, these organizations are also trying to determine how to meet the security and compliance requirements for Docker images and containers. And as the Docker security and Containers do not contain articles highlight, there are several security issues that container adopters need to solve.
As a security professional, I can say from experience that security is never perfect. You can’t do everything, so solutions to security issues need to be prioritized according to risk, cost of implementation and impact. With that in mind, if you are an early or intermediate adopter of Docker containers, be sure to focus on these five areas when formulating your security and compliance programs:
- Integrate security & compliance into the DevOps pipeline – Fixing security issues in containers post-deployment is exponentially more expensive than at build time. You should consider integrating container image scanning solutions into CI tools used by developers such as Jenkins and Atlassian Bamboo. This will help you identify issues in container images such as vulnerable packages and embedded secrets during the build process where you can choose to automatically fail the builds that don’t meet your security policy.
- Monitor & scan container images – Security starts with visibility. DevOps teams use images registries such as Docker Private Registry, Amazon ECR, and jFrog Artifactory to distribute container images. You should monitor images hosted by one or more image registries. This will help you to get visibility into the following – a) container images used across your organization, b) security issues in images, and c) mapping of images to running containers in your environments.
- Monitor containers – Visibility into containers is as critical as the images used by them. Identifying containers that are based on an unsafe image, or come from unknown sources, will ensure you’re not running vulnerable or misconfigured containers. In addition, it is important to get visibility into containers that are running in privileged mode, or those that aren’t running in read-only mode.
- Secure hosts running containers – Containers are only as secure as the host they run on. Host operating system and installed software packages (including Docker daemon) can have vulnerabilities or can be misconfigured, leading to security gaps which then impact all containers running on the host.
- Audit all activities – Be sure to audit the container through the entire DevOps pipeline by monitoring Docker events and integrating them with SIEM tools such as SumoLogic, Splunk and ElasticSearch. By implementing the above, you should also be able able to generate detailed vulnerability reports and configuration assessment reports to meet compliance requirements.
If none of the above comes as a surprise to you then stay tuned. In the coming month we’ll be discussing the top tips to secure containers for advanced adopters.