Posts

5 Docker Security Best Practices to Avoid Breaches

Docker has had a major impact on the world of IT over the last five years, and its popularity continues to surge. Since its release in 2013, 3.5 million apps have been “Dockerized” and 37 billion Docker containers have been downloaded. Enterprises and individual users have been implementing Docker containers in a variety of use-cases to deploy applications in a fast, efficient, and scalable manner.

There are a number of compelling benefits for organizations that adopt Docker, but like with any technology, there are security concerns as well. For example, the recently discovered runc container breakout vulnerability (CVE-2019-5736) could allow malicious containers to compromise a host machine. What this means is organizations that adopt Docker need to be sure to do so in a way that takes security into account. In this piece, we’ll provide an overview of the benefits of Docker and then dive into 5 Docker security best practices to help keep your infrastructure and applications secure.

Benefits of Docker

Many new to the world of containerization and Docker are often confused about what makes containers different from running virtual machines on top of a hypervisor. After all, both are ways of running multiple logically isolated apps on the same hardware.

Why then would anyone bother with containerization if virtual machines are available? Why are so many DevOps teams such big proponents of Docker? Simply put, containers are more lightweight, scalable, and a better fit for many use cases related to automation and application delivery. This is because containers abstract away the need for an underlying hypervisor and can run on a single operating system.

Using web apps as an example, let’s review the differences.

In a typical hypervisor/virtual machine configuration you have bare metal hardware, the hypervisor (e.g. VMware ESXi), the guest operating system (e.g. Ubuntu), the binaries and libraries required to run an application, and then the application itself. Generally, another set of binaries and libraries for a different app would require a new guest operating system.

With containerization you have bare metal hardware, an operating system, the container engine, the binaries and libraries required to run an application, and the application itself. You can then stack more containers running different binaries and libraries on the same operating system, significantly reducing overhead and increasing efficiency and portability.

When coupled with orchestration tools like Kubernetes or Docker Swarm, the benefits of Docker are magnified even further.

Docker Security Best Practices

With an understanding of the benefits of Docker, let’s move on to 5 Docker security best practices that can help you address your Docker security concerns and keep your network infrastructure secure.

#1 Secure the Docker host

As any infosec professional will tell you, truly robust security must be holistic. With Docker containers, that means not only securing the containers themselves, but also the host machines that run them. Containers on a given host all share that host’s kernel. If an attacker is able to compromise the host, all your containers are at risk. This means that using secure, up to date operating systems and kernel versions is vitally important. Ensure that your patch and update processes are well defined and audit systems for outdated operating system and kernel versions regularly.

#2 Only use trusted Docker images

It’s a common practice to download and leverage Docker images from Docker Hub. Doing so provides DevOps teams an easy way to get a container for a given purpose up and running quickly. Why reinvent the wheel?

However, not all Docker images are created equal and a malicious user could create an image that includes backdoors and malware to compromise your network. This isn’t just a theoretical possibility either. Last year it was reported by Ars Technica that a single Docker Hub account posted 17 images that included a backdoor. These backdoored images were downloaded 5 million times. To help avoid falling victim to a similar attack, only use trusted Docker images. It’s good practice to use images that are “Docker Certified” whenever possible or use images from a reputable “Verified Publisher”.

#3 Don’t run Docker containers using –privileged or –cap-add

If you’re familiar with why you should NOT “sudo” every Linux command you run, this tip will make intuitive sense. The –privileged flag gives your container full capabilities. This includes access to kernel capabilities that could be dangerous, so only use this flag to run your containers if you have a very specific reason to do so.

Similarly, you can use the –cap-add switch to grant specific capabilities that aren’t granted to containers by default. Following the principle of least privilege, you should only use –cap-add if there is a well-defined reason to do so.

#4 Use Docker Volumes for your data

By storing data (e.g. database files & logs) in Docker Volumes as opposed to within a container, you help enhance data security and help ensure your data persists even if the container is removed. Additionally, volumes can enable secure data sharing between multiple containers, and contents can be encrypted for secure storage at 3rd party locations (e.g. a co-location data center or cloud service provider).

#5 Maintain Docker Network Security

As container usage grows, teams develop a larger and more complex network of Docker containers within Kubernetes clusters. Analyzing and auditing traffic flows as these networks grow becomes more complex. Finding a balance between security and performance in these instances can be a difficult balancing act. If security policies are too strict, the inherent advantages of agility, speed, and scalability offered by containers is hamstrung. If they are too lax, breaches can go undetected and an entire network could be compromised.

Process-level visibility, tracking network flows between containers, and effectively implementing micro-segmentation are all important parts of Docker network security. Doing so requires tools and platforms that can help integrate with Docker and implement security without stifling the benefits of containerization. This is where Guardicore Centra can assist.

How Guardicore Centra helps enhance Docker Network Security

The Centra security platform takes a holistic approach to network security that includes integration with containers. Centra is able to provide visibility into individual containers, track network flows and process information, and implement micro-segmentation for any size deployment of Docker & Kubernetes.

For example, with Centra, you can create scalable segmentation policies that take into account both pod to pod traffic flows and bare metal or virtual machine to flows without negatively impacting performance. Additionally, Centra can help DevSecOps teams implement and demonstrate the monitoring and segmentation required for compliance to standards such as PCI-DSS 3.2. For more on how Guardicore Centra can help enable Docker network security, check out the Container Security Use Case page.

Interested in learning more?

There are a variety of Docker security issues you’ll need to be prepared to address if you want to securely leverage containers within your network. By following the 5 Docker security best practices we reviewed here, you’ll be off to a great start. If you’re interested in learning more about Docker network security, check out our How to Leverage Micro-Segmentation for Container Security webinar. If you’d like to discuss Docker security with a team of experts that understand Docker security requires a holistic approach that leverages a variety of tools and techniques, contact us today!

GuardiCore Expands Support for Docker Open Platform

Process-Level Visibility Between Containers Delivers More Granular Application Security Monitoring and Troubleshooting for “Dockerized” Applications

DockerCon Europe 2015, Barcelona, Spain – GuardiCore, a leader in internal data center security, today announced that it has expanded support for the Docker open platform for building, shipping and running distributed applications. In addition to providing advanced breach detection and response for “Dockerized” applications, GuardiCore has extended its support for Docker environments to deliver process-level visibility between any two containers, allowing security and devops teams to effectively secure, monitor, maintain and troubleshoot applications in a very granular manner. GuardiCore will be demonstrating its Docker support at Dockercon in the New Innovators Showcase. Read more