5 tips to secure Docker containers for early adopters


This post was originally published here by Alok Ojha.

Linux Containers, such as LXC & Solaris zones, have existed since the mid 2000s. However, containers weren't widely used outside of large tech companies such as Google until Docker was first released at PyCon in March 2013, followed by the replacement of LXC with libcontainer as the default execution environment in March 2014. According to the 2017 Docker Adoption survey by Datadog, containers started seeing adoption for the building of cloud native apps and microservices starting in 2014. So naturally, organizations are in various stages of Docker adoption:

  • Early adopters: The organization is testing Docker and validating if they would benefit by transitioning from monolithic apps to containerized apps. This includes investigating the implications of security and compliance requirements.
  • Intermediate: The organization already deploys containerized applications into production and is in the process of implementing security tools into DevOps pipelines and runtime environments.
  • Advanced: A majority of apps have been transformed to containerized apps and micro-services. Most cloud workloads are running containers.

As with the introduction of any new technology, a majority of organizations fall into the "early adopter" or "intermediate" maturity categories for deploying Dockerized apps in production. In addition to development and deployment best practices, these organizations are also trying to determine how to meet the security and compliance requirements for Docker images and containers. And as the Docker security and Containers do not contain articles highlight, there are several security issues that container adopters need to solve.

As a security professional, I can say from experience that security is never perfect. You can't do everything, so solutions to security issues need to be prioritized according to risk, cost of implementation and impact. With that in mind, if you are an early or intermediate adopter of Docker containers, be sure to focus on these five areas when formulating your security and compliance programs:

  1. Integrate security & compliance into the DevOps pipeline – Fixing security issues in containers post-deployment is exponentially more expensive than at build time. You should consider integrating container image scanning solutions into CI tools used by developers such as Jenkins and Atlassian Bamboo. This will help you identify issues in container images such as vulnerable packages and embedded secrets during the build process, where you can choose to automatically fail the builds that don't meet your security policy.
  2. Monitor & scan container images – Security starts with visibility. DevOps teams use image registries such as Docker Private Registry, Amazon ECR, and jFrog Artifactory to distribute container images. You should monitor images hosted by one or more image registries. This will help you to get visibility into the following – a) container images used across your organization, b) security issues in images, and c) mapping of images to running containers in your environments.
  3. Monitor containers – Visibility into containers is as critical as the images used by them. Identifying containers that are based on an unsafe image, or come from unknown sources, will ensure you're not running vulnerable or misconfigured containers. In addition, it is important to get visibility into containers that are running in privileged mode, or those that aren't running in read-only mode.
  4. Secure hosts running containers – Containers are only as secure as the host they run on. The host operating system and installed software packages (including the Docker daemon) can have vulnerabilities or can be misconfigured, leading to security gaps which then impact all containers running on the host.
  5. Audit all activities – Be sure to audit the container through the entire DevOps pipeline by monitoring Docker events and integrating them with SIEM tools such as SumoLogic, Splunk and ElasticSearch. By implementing the above, you should also be able to generate detailed vulnerability reports and configuration assessment reports to meet compliance requirements.

If none of the above comes as a surprise to you then stay tuned. In the coming month we'll be discussing the top tips to secure containers for advanced adopters.

Photo: Corporate Compliance Insights
