Container Security : What’s inside your docker ?

As we learn from Linux to Containers, we discover that it is not easy to maintain and leverage security and the way to deliver applications has changed dramatically.. Thus there is a pragmatic approach to solve security problems.

A comprehensive security program for microservice-based software is a need for deploying software products.

Considering the traditional approach to deploy application monolithic way, way we used to do it to have a set of developers for Application, Middler-Ware and Databases and which are secured by means of barriers like DMZ Firewall, Web Application Filter Rules and Network Access Controls. There we need to follow best practices to secure underlying platform OS. It was more language agnostics as the way to deploy applications was either binary, Java artifacts like JAR/WAR or something like python gunicorn apps. These were standalone pieces of the application.

Now things have completely changed in Cloud-native landscape, developers/SMEs can pull public images from docker hub and start developing those. We need to solve issues like are those images have official tags, also verify if those built images are secure or not.

I think we should follow four security principles i.e. Confidentiality, Integrity , Authorization and Non-Repeatability, I believe later is most important as we deploy containers as immutable and we don’t want to add more vulnerabilities to them. So start and build the containers from known good points . For example, base minimal nginx images based out of alpine linux and have the latest stable version running on it. This is the right way to write dockerfiles.

For smaller environments, we can impose security by learning. But say for example technology shops like Big Banks which uses different language stacks and more importantly, more SMEs/Architects/Devs working on it and adopting security is almost a challenge.

Elegant way to deal is to provide choice driven development and baseline images for each language stack, that’s the way to buy them into security.

As containers are being run on Docker Host ,we can secure it using standard ways to harden underlying infrastructure.

Although we have also baked in security also have minimal images built, where those images have any problems once we run them into production. There will always be issues like degraded state problems, cpu idle states. Following which we should not overlook performance concerns and add the scalability for data which is an integral part of application. For example, the way we share data for docker is using bind-mount , for Kubernetes it is through configmaps or persistent volumes. So managing or sharing data across containers also requires enforcement of security rules.

There is a common topic that how we can share application credentials to containers, sometimes people use tooling like Ansible to write docker files but it dumps the security credentials into the container. To make them secure, have secrets and configuration data shared across environments as dev/staging/prod whatever maybe.

Role Based Access Controls [RBACs] to be applied everywhere in 4 layers of software as in code , docker platforms. repository , container registry servers.

Also breaking roles of people. sysadmin/appadmin/dbadmin/ dev/qa / clusteradmin is essential the way they have access in a fashion “who can do what to what and when”. Typically create ACL along the way.

As containers become a more lucrative option, there is a sophisticated and capital way of doing things . Always have special people to secure the Container Delivery pipeline.

There are new CIS benchmarks and modelling being introduced and products will be developed around container security as there is hunger for that.

Hope this blog will help you build awareness for container security. Thank you.

DevOps , Cloud-Native