Over a million developers have joined DZone.

Considerations for Container Security

DZone's Guide to

Considerations for Container Security

Since containers are all the rage these days, it's important to know how to keep containers, the images in those containers, and the host running those containers, secure.

· Security Zone ·
Free Resource

Discover how to provide active runtime protection for your web applications from known and unknown vulnerabilities including Remote Code Execution Attacks.

Containers are exploding in popularity because they're fast and efficient. While security is just as important as it is for virtual machines, securing containers requires a different approach. Because containers run on a shared host and typically use multiple components to deliver a complete solution, there are many considerations that are required to secure a container environment.

There are three distinct layers in a container implementation that need to be secured:

  • Images.
  • The containers that contain those images.
  • The host that's running those containers.

Securing the containers and images without securing the host is like building a strong house on quicksand. Securing the host without properly securing the containers is like building a house on rock, but leaving all the doors open with a big sign out front that says, "Please rob me, thank you."

As part of the three distinct levels of a container security implementation, there are five security controls you should use for implementing a complete container security solution.

Content Security

The threat of privilege escalation through an attacker gaining access to even the least important containerized image is too great to leave to chance, so it's key to ensure each and every image is free from vulnerabilities. It makes sense to run security assessments on images as part of your build process, along with continuous monitoring of images in your private registries.

Hardened Configuration

Containers should always (and only) be deployed with a hardened configuration. You will want to ensure that all components are run using best practices with no privileged mode or SSH access.

Content Trust

Every container must be signed and authenticated and checks need to put into place that ensure they are verified before they are used. Typically, these checks can be integrated into Docker Content Trust.

Secrets Management

All the images have their own secrets, passwords, and keys that allow them to be authenticated whenever a container is brought up or down. These secrets should never need to be part of the deployment process and not be directly embedded in the images to ensure full content trust as described above.

Host Security

The host is the most obvious point that needs security since an attacker, via this point, could easily gain access to everything. As the host is a traditional OS, usually Linux, this is something we've long been able to secure.

At this time, no commercially available container security product supports all three levels of container implementation or the five specific security controls mentioned above. CloudPassage's Project Azul, now in beta, is designed specifically to support this.

Containers are fast becoming a popular approach to delivering agile applications. Securing containers doesn't come without challenges. Following these best practices ensures that your container implementation is secure.

Find out how Waratek’s award-winning application security platform can improve the security of your new and legacy applications and platforms with no false positives, code changes or slowing your application.

security ,container security ,cloud security ,data security

Published at DZone with permission of

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}