Free Trial

Docker Security, A Product Manager's View

Docker is a framework making it easy to create, deploy, run, and orchestrate applications by using containers. Basically, a container is another form of virtualization. A minimal image contains functionality of an operating system, but depends on the host for all of its system calls. For a complete overview tutorial on Docker and for Docker security, we recommended more reading from the Docker Inc. site.

 

Docker provides a way to run applications securely isolated in a container, packaged with all its dependencies and libraries. Because your application can always be run with the environment it expects right in the build image, testing and deployment is simpler than ever, as your build will be fully portable and ready to run as designed in any environment. And because containers are lightweight and run without the extra load of a hypervisor, you can run many applications that all rely on different libraries and environments on a single kernel, each one never interfering with the other. This allows you to get more out of your hardware by shifting the “unit of scale” for your application from a virtual or physical machine, to a container instance.

Containers helps organizations to pack applications into images (or builds) and deploy them on any host running a Docker daemon. However, Docker security is not a simple task as the system has three separate elements: The Docker Host, Docker daemon, and the image running as a container.

Docker Container Security

Docker Security Has Pros and Cons

  • Docker narrows the exposure surface as such - PRO
  • Popular Docker images have many Vulnerabilities - CON
  • All containers are in the same boat (kernel exploit) - CON
  • Security at best is as good as the host security - CON or PRO (with Cavirin)
  • Access Control traditionally too wide- CON or PRO (with Cavirin)
  • Isolation between containers – East – West attacks- CON or PRO (with Cavirin)
  • Isolation of host – cgroups, name spaces- CON or PRO (with Cavirin)
  • Security must be integrated into cluster management- CON or PRO (with Cavirin)
  • Security must be automated- PRO (with Cavirin)

There are many security concerns related to Docker. If the attacker is able to gain root access to Docker host, the user will have access to all containers running on that host. As well, gaining root privileges in the container gives attacker ability to attack the host. As the container is making tens of system calls to the host it may be able to exploit the host. A malicious container can attack to other containers running on the same host. One malicious container can exhaust resources from the host and all the other containers. If containers hold secrets to access resources like DB, an attacker may compromise those secrets. Images which are pulled from public registries may be polluted and can lead to situations described above.

What to worry about

  • Kernel exploits
  • Compromising secrets
  • Polluted images
  • Denial-of-service attacks
  • Container breakouts

OS in Docker ContainersRisk and compliance refers to the internal and external processes which an organization must implement. An organization must identify the requirements with which it executes. For example, if the organization operates in in health care industry, its processes and information systems must comply with HIPAA. Companies which handle credit card information must be compliant with PCI DSS.

In order to be compliant, all the parts of the information system need to comply with the guideline. This means that not only the host of the Docker daemon need to be compliant but also all the containers running on the host. Cavirin has long experience and excellent coverage enforcing and measuring compliance for Linux hosts. This is leveraged on containers as the same standards, guidelines, and benchmarks apply to them. The same holds for known vulnerabilities.

Cavirin’s ARAP has various ways to check risk, security, and compliance of a container based application. The risk and compliance of the Docker host can be scanned against industry standards like HIPAA, PCI, SOC2, NIST, and many others. The risk and security of a host, Docker engine, and container can be checked against Docker Benchmark by Center for Internet Security (CIS). Cavirin’s implementation is certified by CIS.

Cavirin Docker Security Offering

  • CIS Docker Benchmark
  • Patches and Vulnerabilities for Docker hosts
  • Host compliance (HIPAA, PCI, SOC2, NIST, DISA, ISO 27002:2013)
  • Vulnerabilities for Docker images
  • Container compliance
  • Coverage on container hosts support Ubuntu 14.04, RHEL7, CentOS7, Windows 
  • Cluster manager integration (Kubernetes, Swarm, Mesos, Rancher)
  • Continuous container security process

Docker is an important technology to create, compose, and manage dynamic applications in cloud and hybrid environments. Cavirin is helping its customers to run Docker based applications in safer and risk aware manner. 

 

0
0
0
s2sdefault

© 2018 Cavirin Systems, Inc. All rights reserved.