The Docker ecosystem has come a long way in 2017. Especially in security, we saw new features being launched, new products entering the market, and new best practices emerge. All this points to a 2018 that’s set to build on this progress and enable running extremely secure container workloads.
Let’s look at the various aspects of Docker security to keep in mind as we move into 2018. Before you dive in, take a look at these 4 Docker security best practices by Aqua to get you started.
Image Scanning & Private Registries
Docker Hub is a game changer for infrastructure management as it enables anyone to share a container image to anyone else. While being a really powerful collaborative platform, it also comes with the risk of users spreading malicious or vulnerable container images. Since container images are the recipe for every container that’s created, it’s vital to ensure that they’re not compromised.
All container registries today come with image scanning capabilities. The one thing to be extra careful of is when downloading images from Docker Hub itself. This is because it’s the largest registry and has the highest probability of hosting compromised images.
Third-party registries like Quay or Gitlab container registry are a safer option for your organization to host its images. A private container registry is essential when running containers in production. You want to be able to control the source of your containers to ensure they’re secure enough for production.
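Controlling the source of your images is easier to enforce than to remember. The following is an added example, not code from the original post: a small policy check that parses an image reference the way Docker does (an unqualified name resolves to Docker Hub) and rejects references that are not from an allow-listed registry, are not pinned to a digest, or rely on a floating tag. The allow-list and the sample references are constructed for illustration.

```python
"""Policy check for container image references (added example).
Three rules a private-registry setup usually wants:
  1. the image must come from an allow-listed registry,
  2. it must be pinned to a digest (tags are mutable, digests are not),
  3. the floating ':latest' tag (or no tag at all) is rejected.
"""
import re

# Hypothetical allow-list: the organisation's private registry plus one
# namespace on a third-party registry.
ALLOWED_REGISTRIES = {"registry.example.internal", "quay.io/exampleorg"}

# Simplified form of the distribution reference grammar:
#   [registry[:port]/]repository[:tag][@sha256:<64 hex>]
# The name group is non-greedy so ':' is treated as a tag separator unless a
# '/' follows it (then it is a registry port, as in localhost:5000/app).
_REF_RE = re.compile(
    r"^(?P<name>[a-z0-9._:/\-]+?)"
    r"(?::(?P<tag>[A-Za-z0-9_][A-Za-z0-9_.\-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)


def parse_reference(ref):
    """Split an image reference into registry, repository, tag and digest."""
    m = _REF_RE.match(ref)
    if not m:
        raise ValueError(f"malformed image reference: {ref!r}")
    name = m.group("name")
    first, _, rest = name.partition("/")
    # Docker's rule: the first path component is a registry host only if it
    # contains a '.' or ':' or is 'localhost'; otherwise the image lives on
    # Docker Hub (docker.io).
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, repository = first, rest
    else:
        registry, repository = "docker.io", name
    return {"registry": registry, "repository": repository,
            "tag": m.group("tag"), "digest": m.group("digest")}


def check_reference(ref, allowed=ALLOWED_REGISTRIES):
    """Return the list of policy violations; an empty list means the reference passes."""
    parsed = parse_reference(ref)
    problems = []
    full = parsed["registry"] + "/" + parsed["repository"]
    # An allow-list entry may be a whole registry or a registry/namespace prefix.
    if not any(full == a or full.startswith(a + "/") for a in allowed):
        problems.append(f"registry not allowed: {parsed['registry']}")
    if parsed["digest"] is None:
        problems.append("image is not pinned to a digest")
        if parsed["tag"] in (None, "latest"):
            problems.append("floating tag 'latest' (or no tag) is rejected")
    return problems


if __name__ == "__main__":
    for ref in ("nginx", "quay.io/exampleorg/app:1.0",
                "registry.example.internal/team/app@sha256:" + "a" * 64):
        print(ref, "->", check_reference(ref) or "OK")
```

Run it in CI against every image reference in your compose files or Kubernetes manifests; a non-empty result should fail the build. Pinning to a digest also means a scan result stays tied to exactly the bytes you deploy, which a tag cannot guarantee.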
Access & Permissions
When working as a team, it’s important to configure role-based access control (RBAC) for your container stack. RBAC is now supported by all major container platforms like Docker, Kubernetes, and the CaaS (container as a service) platforms from cloud vendors.
There are many options to manage roles for containers. The one you choose would depend on how you manage your containers. With the various container management solutions available today you could choose Docker Datacenter, or Kubernetes, or one of the CaaS tools on the market. Most vendors provide some form of RBAC, but it helps to compare them with each other to know which are the easiest to set up, most secure, and suit your organization’s needs.
When it comes to the enterprise, many organizations use Active Directory to manage access and permissions to applications across their organization. As containers gain a larger footprint in enterprises, we’ll see more robust integration with Active Directory. Azure container service has the most mature integration with Active Directory as of today, which is not surprising considering Active Directory comes from the Microsoft stable.
With the complexity in the container stack, and various management tools used, it’s essential to have a management plane that can be controlled and scaled to thousands of users. RBAC is essential to running containers in production, more so, as you deal with larger teams.
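RBAC rules are purely additive, and a wildcard in one rule silently covers resources you never meant to expose. The following is an added example, not Kubernetes code or code from the original post: a tiny evaluator that mirrors the documented semantics of Kubernetes Role rules (apiGroups, resources and verbs are allow-lists, `*` matches anything, and a subject's permissions are the union of every role bound to it), used to audit which subjects can read Secrets. The roles, bindings and subject names are constructed.

```python
"""Kubernetes-style RBAC evaluator (added example, not Kubernetes code).
Used here to answer the audit question: who can read Secret objects?
"""

# Constructed roles, shaped like the 'rules' list of a Kubernetes Role.
ROLES = {
    "pod-reader": [
        {"apiGroups": [""], "resources": ["pods", "pods/log"],
         "verbs": ["get", "list", "watch"]},
    ],
    "deployer": [
        {"apiGroups": ["apps"], "resources": ["deployments"],
         "verbs": ["get", "list", "update", "patch"]},
        {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"]},
    ],
    # Looks like an operations convenience, but '*' on the core API group
    # covers secrets as well as pods and services.
    "ops-wildcard": [
        {"apiGroups": [""], "resources": ["*"], "verbs": ["*"]},
    ],
}

# Constructed bindings (RoleBindings within one namespace): subject -> roles.
BINDINGS = {
    "alice": ["pod-reader"],
    "ci-bot": ["deployer"],
    "bob": ["pod-reader", "ops-wildcard"],
}


def _matches(allowed, value):
    """RBAC lists are allow-lists; the wildcard '*' matches any value."""
    return "*" in allowed or value in allowed


def rule_allows(rule, api_group, resource, verb):
    """A single rule allows a request only if all three lists match."""
    return (_matches(rule["apiGroups"], api_group)
            and _matches(rule["resources"], resource)
            and _matches(rule["verbs"], verb))


def can(subject, verb, resource, api_group=""):
    """Permissions are additive: any bound rule that allows the request wins.
    There is no deny rule in RBAC, so nothing can take a permission away."""
    for role in BINDINGS.get(subject, []):
        for rule in ROLES.get(role, []):
            if rule_allows(rule, api_group, resource, verb):
                return True
    return False


def subjects_who_can_read_secrets():
    """Audit helper: subjects able to get or list Secrets, directly or via '*'."""
    return sorted(s for s in BINDINGS
                  if can(s, "get", "secrets") or can(s, "list", "secrets"))


if __name__ == "__main__":
    print("can read secrets:", subjects_who_can_read_secrets())
```

Running the audit shows that `bob` can read Secrets even though no role mentions them by name. The real cluster answers the same question with `kubectl auth can-i get secrets --as <user>`; the point of the toy evaluator is to make the wildcard behaviour visible when reviewing role definitions.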
In 2017 we’ve seen numerous updates about secrets management for containers. First, there was Docker introducing their implementation of secrets management. Secrets are used to authenticate communication between apps and services in a container stack. Secrets could include information like passwords, tokens, SSH keys, TLS certificates and more. Leaving this data unencrypted in a container can be a serious security risk. Secrets management provides a way to encrypt and decrypt this information. This is a feature of Docker Swarm and is key to running secure containers in production.
Soon after, Kubernetes followed with encryption for secrets at rest. This was part of the v1.7 release. Kubernetes automatically creates and encrypts secret data, and allows you to configure your own secrets too. The secrets are not stored directly on the node, but instead are stored in temporary storage volumes. They are automatically deleted when the pod that uses them is deleted, and are managed by the secrets API of Kubernetes. You’ll still need to take precautions like using RBAC to ensure users don’t have access to secrets unintentionally, or that secrets are not logged by applications that consume them. However, Kubernetes makes secrets management easy with automation.
Following these updates, many third-party tools have followed suit and implemented simpler ways to manage secrets for containers. Azure introduced it for AKS, and Google Cloud has this feature as part of its key management service. Another interesting secrets management solution is Vault by HashiCorp. As part of the HashiCorp suite, Vault is very user-friendly and makes for a powerful combination when used with Terraform.
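The platform encrypts the secret at rest and delivers it to the container, but the application that consumes it is still the most common leak: a debug log line that prints a connection string is enough. The following is an added example, not code from the original post: a service reads a secret the way a Swarm service or a Kubernetes pod receives it, as a file mounted into the container, and installs a logging filter that redacts the value from every record before it is written. The secret file is created in a temporary directory so the example runs offline; in Docker Swarm the real path would be `/run/secrets/<name>`, and the secret value itself is constructed.

```python
"""Consume a mounted secret without ever logging it (added example)."""
import logging
import os
import tempfile


class SecretRedactor(logging.Filter):
    """Logging filter that replaces every registered secret value with a marker.
    Attached to the handler, so it applies to records from any logger."""

    def __init__(self):
        super().__init__()
        self._values = []

    def register(self, value):
        if value:
            self._values.append(value)

    def filter(self, record):
        msg = record.getMessage()          # render %-style args first
        for v in self._values:
            msg = msg.replace(v, "[REDACTED]")
        record.msg, record.args = msg, ()  # store the redacted text back
        return True                        # keep the record, just sanitised


class ListHandler(logging.Handler):
    """Collects formatted log lines in a list so the result can be inspected."""

    def __init__(self, sink):
        super().__init__()
        self.sink = sink

    def emit(self, record):
        self.sink.append(self.format(record))


def load_secret(path, redactor):
    """Read a mounted secret file, strip the trailing newline, register it for redaction."""
    with open(path, "r", encoding="utf-8") as f:
        value = f.read().rstrip("\n")
    redactor.register(value)
    return value


def demo():
    """Simulate a service that consumes a mounted secret and logs carelessly.
    Returns the log lines that would have reached the log collector."""
    sink = []
    redactor = SecretRedactor()
    handler = ListHandler(sink)
    handler.addFilter(redactor)
    logger = logging.getLogger("example-service")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.addHandler(handler)
    try:
        with tempfile.TemporaryDirectory() as d:
            # Stand-in for /run/secrets/db_password (Swarm) or a secret volume (Kubernetes).
            path = os.path.join(d, "db_password")
            with open(path, "w", encoding="utf-8") as f:
                f.write("s3cr3t-constructed-value\n")   # constructed sample secret
            password = load_secret(path, redactor)
            # A careless log statement: without the filter this leaks the password.
            logger.info("connecting to db as app with password=%s", password)
            logger.info("connected to db host=%s", "db.example.internal")
    finally:
        logger.removeHandler(handler)
    return sink


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Reading the secret from a file rather than an environment variable matters for the same reason: environment variables are visible to every child process and in `docker inspect` output, while a file mount is scoped to the container and, in Swarm, held in memory only. Redaction is a safety net for the case the page describes, an application that logs what it consumes; it does not replace keeping secrets out of log statements in the first place.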
Container Lifecycle Management
An overlooked but important area for container security lies in how you manage container lifecycles. This involves creation, updating, and deletion of containers. The best option is to treat containers as immutable. This means that you don’t change or update running containers with updates or patches. Instead you create new images, send containers created from these new images through the security and testing process all over again, and have them replace the old containers.
This means you’ll need to actively destroy containers that have been running for too long, as they’ve likely drifted or changed from their original configuration. This was the norm with VMs, but with containers, configuration drift should become a thing of the past. It’s so easy to spin up new containers and have them replace existing ones that this shouldn’t require much consideration.
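Deciding which running containers to recycle can be automated from two signals. The following is an added example, not code from the original post: it flags a container when it has run longer than a maximum age, or when the image it was created from no longer matches the digest the registry currently serves for its tag (the image was rebuilt, so the running container is stale and should be replaced, not patched). The container snapshot, the registry digests and the seven-day limit are constructed; in practice the snapshot comes from `docker inspect` (the `RepoDigests` and `State.StartedAt` fields) and the current digests from the registry API.

```python
"""Find running containers that should be replaced rather than patched (added example)."""
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=7)   # assumed policy: anything older is recycled

# Constructed snapshot of running containers, modelled on `docker inspect`
# output: the reference the container was started from, the manifest digest
# recorded in RepoDigests, and State.StartedAt.
RUNNING = [
    {"id": "c1", "ref": "registry.example.internal/team/web:2.3",
     "image_digest": "sha256:" + "a" * 64, "started_at": "2018-01-02T10:00:00Z"},
    {"id": "c2", "ref": "registry.example.internal/team/api:1.9",
     "image_digest": "sha256:" + "b" * 64, "started_at": "2018-01-08T08:30:00Z"},
    {"id": "c3", "ref": "registry.example.internal/team/worker:4.1",
     "image_digest": "sha256:" + "c" * 64, "started_at": "2018-01-09T12:00:00Z"},
]

# Constructed answer from the registry: the digest each tag resolves to today.
CURRENT_DIGESTS = {
    "registry.example.internal/team/web:2.3": "sha256:" + "a" * 64,
    "registry.example.internal/team/api:1.9": "sha256:" + "b" * 64,
    # worker:4.1 was rebuilt (say, with a patched base image) after c3 started.
    "registry.example.internal/team/worker:4.1": "sha256:" + "d" * 64,
}


def parse_ts(s):
    """Parse the RFC 3339 UTC timestamps Docker reports (seconds precision here)."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def containers_to_replace(containers, current_digests, now, max_age=MAX_AGE):
    """Return {container id: [reasons]} for every container that should be recycled."""
    result = {}
    for c in containers:
        reasons = []
        age = now - parse_ts(c["started_at"])
        if age > max_age:
            reasons.append(f"running for {age.days} days (limit {max_age.days})")
        current = current_digests.get(c["ref"])
        # Unknown tag: the registry no longer serves it, which is itself worth a look,
        # but here only a confirmed mismatch counts as drift.
        if current is not None and current != c["image_digest"]:
            reasons.append("image rebuilt: registry digest differs from running digest")
        if reasons:
            result[c["id"]] = reasons
    return result


if __name__ == "__main__":
    now = datetime(2018, 1, 10, tzinfo=timezone.utc)   # constructed "current time"
    for cid, why in containers_to_replace(RUNNING, CURRENT_DIGESTS, now).items():
        print(cid, "->", "; ".join(why))
```

Feed the output to whatever replaces containers in your stack (a rolling service update in Swarm, a Deployment rollout in Kubernetes) rather than to `docker exec`; the flagged containers are evidence that a new image needs to go through the build, scan and test pipeline again, not an invitation to fix them in place.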
There are numerous other criteria to consider when securing containers in production. A good starting point is to evaluate your stack against the CIS Docker benchmark. It covers the most important aspects of container security.
Some container security tools like Aqua Security take these criteria into account, and proactively monitor for times when these rules are violated. Additionally, these container security tools leverage machine learning for threat detection. They are able to analyze large quantities of data both internal and external, and surface any suspicious user activity, new devices, and badly configured secrets.
As we move into 2018, security is no longer a weakness for containers. With many updates and improvements coming our way in 2017, this year is going to be all about putting these features to use and building more secure apps at scale. There are many aspects to consider with container security: container images, access and permissions, secrets, and lifecycle management. But by leveraging all these security features you can be sure that your applications are more secure than they could ever be in a legacy stack.