Container auditing best practices for large-scale deployments

Look for abnormalities

In a live environment, unexpected behavior is bad. Bad, however, is relative. Sometimes it's just a corrupted container -- in which case, admins can just destroy and redeploy. But it also can be a compromised host or container. Knowing the difference defines the appropriate response.

Most auditing systems for containers will look at any file system differences, including any departures from the golden image. They will also identify changes in the data ingress and egress profiles of the container, including the data sent out, ports used and the location of the host with which the container communicates.

An occurrence of these events signals nonconformity, which suggests a system has been compromised in some way. At this point, an auditing tool isolates the container automatically to preserve it for digital forensics.

However, the ability to isolate a container automatically is an advanced concept and uses technologies such as microsegmentation. VMware NSX, which offers microsegmentation with software-defined networking, isn't a container tool exclusively, but it is an example of a technology that identifies anything nonconformant and isolates it immediately from a network.

One positive aspect of containers is that their configuration should be consistent. There should be no configuration changes during the initial boot. If you have a container on your desktop, for example, the first boot should be identical to the hundredth boot. Changes are highly undesirable and aren't associated with well-designed, enterprise-class containers. If a file changes, there is no way to ensure that the layout is as intended. Also, changes in the container build might not sit well with security software that sees changes between boots as a potential indication of unauthorized action.

Highlight access control

Container auditing best practices should also focus on access to the container environment. Just like compromised containers, poor access control can cause security and compliance issues. Role-based access control (RBAC) is key to managing who has access to what elements in the deployment.

One positive aspect of containers is that their configuration should be consistent.

For example, developers shouldn't be able to add additional resources or modify network configurations, and sys admins shouldn't deploy new Docker images into the repositories.

Docker Enterprise provides a control plane to enable RBAC monitoring and management to avoid unauthorized access. Auditors love to see access control in action -- and in reporting.

Weigh tool options

Most IT auditing and reporting tools integrate tightly with the major cloud container platforms, such as those from AWS, Google and Microsoft Azure. Make sure the tool not only supports your organization's container platform of choice, but meets its present -- and future -- needs. Prioritize multi-platform support to avoid having to change tools down the road.

Some examples of auditing and reporting tools that are at home in the container market include Twistlock, Datadog, Tenable.io and Aqua.

Each has its own range of options, but they all center on monitoring and anomaly detection. Many also support reporting related to RBAC. Before choosing one, understand the pricing model of these tools, as well as if they come as a SaaS or alternate deployment method.

Start early

Access control and anomaly detection are two prominent container auditing best practices, but there are many additional things to consider, including build management and testing in development. Make container reporting a day-one requirement to ensure intelligent protection against deviation from normal state.