Docker® has many moving parts, and securing it is more complex than securing older deployment technologies. It requires a holistic approach - from network and application firewalls, to container runtime defense, to host protection.
Docker container security
Securing a Docker container is no different than securing other containers. It requires an all-inclusive approach, securing everywhere from the host to the network and everything in between. Because of their moving parts, ensuring the security of containers is difficult for many organizations, and it requires more than rudimentary level of vigilance.
Things to consider
Here are some things to consider when securing your Docker containers:
Utilize resource quotas
Utilizing resource quotas gives you the ability to limit the intake of memory and CPU to a container. Configuring resource quotas on each container not only helps to increase the efficiency of the environment, but it can also prevent an imbalance of resources across all the containers in your environment.
This will allow your containers to perform at the speed you expect and, most importantly, enhance security. If one container were to become infected with malicious content, it would not be able to let in a huge amount of resources in the container, as the quota would cut it off—minimizing the attacks impact. This is a simple security tactic to take advantage of and can be done using command-line flags.
Docker containers are not to be run as root
When building an application, it is best practices to adhere to the principle of least privilege. This means limiting the application’s access to only the resources required to function. This is one of the top ways to protect your containers from unexpected access.
When it comes to the security of your Docker containers, this is very crucial and why Docker default settings are not set to run containers as root. For example, if your containerized application is vulnerable to an exploit, and you are running with the root user, it expands the attack surface and creates a simple path for attackers to gain privileged escalation.
Ensure the security of your Docker container registries
Container registries, in particular those in Docker containers, are what make containers such a strong platform. With registries, you can create a central repository of images that are easily and quickly downloadable. Nevertheless, in all their glory, they do come with a lot of security risks if you do not utilize a trusted registry that you’ve conducted thorough research on, such as Docker Trusted Registry. With the Docker registry, you install it behind the firewall already implemented in your IT infrastructure to alleviate the risks internet poses, but even then, you should still deny users to upload or download from the registry.
While it can be very tempting to avoid all this work and give open access, this little inconvenience could prevent a large breach in the registry. A helpful tactic to resolve this temptation it to implement role-based access control, giving you the ability to control exactly who can access what, in terms of the registries.
Use a trusted source
Now that you have the container registry secured, you don’t want to infect it with container images obtained from an untrusted source. It may seem convenient to simply download container images readily available to the public at the click of the mouse; however, it is extremely important to ensure the source of the download is trusted or verified.
In the interest of caution and security, it is truly best to avoid public container registries and stick to ones that Docker offers, such as Docker Hub. To take the extra step in securing your Docker containers, you should utilize image scanning tools to bring vulnerabilities in Docker images to light and secure it.
Go to the source of the code
As discussed above, it is important to source reliable and trusted container images for your Docker containers. However, it is also good practice to investigate the code within the image to ensure it does not contain infected code—even if that image came from a trusted registry. Docker images have a combination of original code and packages from outside sources, which may not be derived from trusted sources.
In this scenario, it is best to make use of source code analysis tools. Once you have your images, you can scan the packages to determine where the code came from by downloading the sources of all packages within the Docker images. This will allow you to reveal if any of the images have known security vulnerabilities, keeping you secure from the first build.
Design APIs and networks with security in mind
In order for Docker containers to communicate with one another, they utilize application programming interfaces (APIs) and networks. That communication is essential for containers to run properly, but it requires proper security and monitoring. Even though APIs and the network are not actually part of the Docker container but resources you use along with Docker, they still present a risk to the security of the container. With that in mind, in order to have the ability to quickly stop an intrusion, you need to design your APIs and network for easy monitoring, and with security in mind.
Wrapping it up
Securing your Docker containers is no picnic, but the payoff is well worth the work. It takes a holistic approach and hardening the container environment at every level. And while the above best practices seem like a lot, they will save you an immense amount of time in the future and alleviate you from major security risks.
Related Research
Related Articles