Cavirin Blog

Docker Container Security with Cavirin ARAP

If you are an enterprise IT infrastructure administrator and you don't currently live in a cave, you've been hearing a lot about “Docker” and the term "containers".

Docker Containers are Here to Stay

If current 2016 adoption trends hold, container infrastructure is expected to attain first-class citizen status within enterprise computing. The thrust behind Docker’s success is the emergence of “containers” as a compelling alternative to “virtual machines”, offering a new form of resource virtualization regardless of whether the IT infrastructure runs on public, private, or hybrid cloud. This trend has been further helped by the “DevOps” revolution, which is focused on delivering business-critical applications faster, better, and more frequently with the help of many easy-to-use automation tools. The advantage of “containerization” in shifting the discussion from “infrastructure to applications” is seen as the primary driver behind this trend, and “Docker” seems to have arrived at the right time. While Docker is a very popular mechanism for achieving containerization, and thus for increasing resource utilization while simultaneously meeting application-level isolation requirements, there are other players in this segment with varying levels of success – LXC and CoreOS Rocket, to name a few. Contrary to conventional wisdom, large enterprises are at the forefront of the adoption of container-based computing, primarily driven by the need to bring development and operations teams closer through the DevOps process. Seen from that perspective, container – particularly Docker – adoption is real, and ahead of schedule in most enterprises.

Containing New Risk

With the arrival of every new technology come new risks. In particular, the ease and flexibility of pulling, composing, and sharing pre-built, community-generated container images have brought critical security concerns. According to a recent study, about a third of all container images found in public or even private registries have serious vulnerabilities when compared against reputable national vulnerability databases. (Read more at Security Vulnerabilities in Docker Hub Images.) Container vendors such as Docker have begun to address such concerns with the introduction of Docker Content Trust, which allows for sharing scanned, digitally signed, and tamper-proof container images. However, this does not address the runtime behavior of images once they come to life within container hosts. Moreover, security auditors have just begun asking hard questions about container security. According to Joerg Fritsch, research director with Gartner, organizations that are covered by regulations such as HIPAA, PCI-DSS, the NIST Cybersecurity Framework, and the CIS Critical Security Controls (CSC 6.1) should be aware of the potential for increased audit scrutiny when putting container images into production. In this context, we at Cavirin Systems have taken a giant stride in supporting the security assessment of container-based IT infrastructure. Always on top of technology trends, it was only a natural evolution for our ARAP (Automatic Risk Assessment Platform) product to offer support to scan, assess, and suggest remediation of production Docker container environments. We realize that security hardening of production Linux containers requires configuration tweaks, security actions, and a set of process recommendations on a continuous basis.

Automation

Automation is the key to achieving scalability and thoroughness in container compliance, and it is delivered through Cavirin's Automated Risk Analysis Platform, ARAP. We are proud to announce support for Docker container security in ARAP 8.3.3, with the capability to scan individual Docker hosts as well as clusters of them. ARAP scans running images against the Certified CIS Benchmark published for Docker in April 2016. Currently, ARAP supports over 80 policies that cover the security configuration of the host machines and of the Docker images running on those hosts.
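To make concrete what a benchmark-style scan of running containers evaluates, here is an added example (not ARAP code, and not taken from the CIS benchmark itself): it reads the JSON that `docker inspect` produces and applies a handful of runtime hardening checks of the kind the benchmark covers. The policy ids are local labels, not CIS section numbers, and the sample input is constructed to resemble the relevant fields of real `docker inspect` output.

```python
import json

# Constructed sample mimicking the subset of `docker inspect` output these
# checks consult; not captured from a real host (real output has many more fields).
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/web",
        "HostConfig": {"Privileged": True, "NetworkMode": "host",
                       "Memory": 0, "ReadonlyRootfs": False},
        "Config": {"User": ""},
    },
    {
        "Name": "/api",
        "HostConfig": {"Privileged": False, "NetworkMode": "bridge",
                       "Memory": 268435456, "ReadonlyRootfs": True},
        "Config": {"User": "app"},
    },
])

# Each check: (local policy id, description, predicate that is True when the
# container FAILS the check). Ids are labels for this example, not CIS numbers.
CHECKS = [
    ("RT-PRIV", "container runs with --privileged",
     lambda c: bool(c["HostConfig"].get("Privileged", False))),
    ("RT-HOSTNET", "container shares the host network namespace",
     lambda c: c["HostConfig"].get("NetworkMode") == "host"),
    ("RT-MEM", "no memory limit set (Memory == 0)",
     lambda c: c["HostConfig"].get("Memory", 0) == 0),
    ("RT-ROROOT", "root filesystem is not mounted read-only",
     lambda c: not c["HostConfig"].get("ReadonlyRootfs", False)),
    ("RT-USER", "process runs as root (no USER configured)",
     lambda c: c["Config"].get("User", "") in ("", "root", "0")),
]

def audit(inspect_json):
    """Map container name -> list of failed policy ids for `docker inspect` JSON."""
    results = {}
    for c in json.loads(inspect_json):
        name = c.get("Name", "").lstrip("/")
        results[name] = [pid for pid, _desc, fails in CHECKS if fails(c)]
    return results

def report(results):
    """Print a PASS/FAIL line per container and return the number failing."""
    failing = 0
    for name, ids in results.items():
        status = "FAIL" if ids else "PASS"
        failing += status == "FAIL"
        print(f"{status} {name}: {', '.join(ids) or 'all checks passed'}")
    return failing

if __name__ == "__main__":
    report(audit(SAMPLE_INSPECT))
```

On a real host the input would come from `docker inspect $(docker ps -q)`; the same check table is what a scanner extends to cover the host daemon configuration as well.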

Ease of Implementation

Setting up ARAP for a security scan of your Docker environment is very straightforward, requiring little more than a few mouse clicks in the UI or a simple API call. ARAP treats containers as yet another type of IT asset alongside all the other asset types it already supports, such as bare-metal hosts, virtual machines, network appliances, and public/hybrid cloud elements. Through integration with container orchestration and cluster management platforms such as Kubernetes, discovering Docker container instances and running security scans against them becomes even easier and more automated.

For more information and to arrange for an evaluation, contact us. 


Cavirin provides security management across physical, public, and hybrid clouds, supporting AWS, Microsoft Azure, Google Cloud Platform, VMware, KVM, and Docker.