Container technology, especially Docker, continues to make its way into the enterprise. Just as they would be for any other technology, IT pros are tasked with building a strategy for securing Docker containers.
There are a few Docker security vulnerabilities to note. First, running containers and applications with Docker means running the Docker daemon, which requires root privileges. This means you're giving those processes the keys to the kingdom -- and this is just one example of how containers can alarm an IT security professional.
Other concerns include container flexibility, which makes it simple to execute multiple instances of containers, many of which can be at different security patch levels. Moreover, while Docker is often compared to virtualization, it is not as good at segregation: containers are largely, but not completely, isolated from one another. IT pros new to containers don't always have a good understanding of container development and production, so those who manage and secure containerized applications need to learn those skills quickly.
Container security models are similar to those of other distributed systems, but the best practices and tools are new. For example, encryption, identity management and role-based security work fine with containers, but there are new tools and systems that play an important role in securing Docker.
Tools and best practices for securing Docker containers
Docker Content Trust (DCT), a new feature from Docker, can help IT pros ensure Docker security. DCT uses a public key infrastructure (PKI) approach, and has two distinct keys: an offline (root) key and a tagging (per-repository) key that are created and stored client-side the first time a publisher pushes an image.
This takes care of the biggest vulnerability, which is using malicious containers. DCT also generates a timestamp key that protects against replay attacks, in which signed but expired content is served and run. This solves the problem mentioned above about containers having different security patch levels.
To address concerns around container security, many companies, including Docker, have released security benchmarks for Docker. This set of standards offers guidelines for securing Docker containers. The 118-page document includes 84 best practices for deploying Docker containers, along with a checklist that summarizes them all.
So, what if you're charged with securing Docker containers and don't know where to start? Here are a few suggestions:
- Read the Docker security benchmark documentation mentioned above. Focus on how the suggestions and best practices relate to how you've deployed your container-based applications. This is really the best bang for your buck, considering most Docker security issues come from bad design.
- Consider your specific security requirements. This will drive your selection of tools and approaches. Many enterprises that move to containers either under- or over-secure their container-based applications.
- Test as much as you can. Containers are new, so we need to figure out what works and what doesn't, and the only way to do that is through security-related tests, such as penetration testing.
Container security will likely evolve as virtualization security did. While security was a concern with the first VM deployments, years of good security practices, architectures and tools have proven effective. The same should go for securing Docker containers.