grandeduc - Fotolia
Security for Docker and other container platforms is a fast-changing field. It has evolved considerably in just the last several months, and it's a safe bet that new container security solutions and challenges will keep emerging as Docker marches toward conquering enterprise infrastructure.
Below, I explain the current state of container security. I also discuss why securing container stacks is challenging, and then outline the strategies and tools available to secure the various layers of a containerized software stack.
The basics of container security
The main reason why securing container stacks is challenging is that container platforms involve many moving parts that are changing constantly.
What do I mean by that? I am thinking, first, of the fact that there are multiple container platforms out there. Docker is the best-known container format, but there are also CoreOS's rkt and LXC -- to say nothing of system container frameworks, such as OpenVZ and LXD. The diversity of container platforms makes it difficult to build security tools that work well with every type of container.
Also consider that, even within a single container platform, there are multiple layers, each of which presents unique security challenges. Take a Docker stack, for instance. You have container images. You have image registries. You have individual containers. And you have the Docker daemon. To run containers securely, you need to secure each part of the stack.
A third security challenge arises from the fact that container technology is evolving so quickly. Docker issues new point releases of its platform about once every three months. Each release brings not only bug fixes, but also new features and changes to the way Docker handles tasks like networking and storage. If you're a security admin, keeping Docker secure requires you to stay on top of all of the latest updates to Docker and the potential security vulnerabilities that they introduce. The same could be said of container orchestration systems like Swarm and Kubernetes, which are also updated frequently.
Securing container stacks
So, what's a security admin to do in order to keep a containerized application secure in production? The best way to explain the current security strategies and tools available is to examine each part of the container stack individually, as follows.
Container images are the blueprints that Docker and other systems use to spin up an app inside a container. If your container images include malware, your containers will be infected, too. Fortunately, solutions are now available for securing container images.
CoreOS introduced a tool, called Clair, for this purpose several months ago. Docker followed suit shortly thereafter with Docker Security Scanning. Clair and Docker Security Scanning both allow you to examine a container image for known security vulnerabilities or contents that don't seem to match what is supposed to be inside on the basis of known binary signatures.
Scanning container images is one helpful way to find security problems inside of them. Of course, admins should keep in mind that these scanners work only at the binary level and can't detect security vulnerabilities within the application code itself. To guard against the latter threat, you should be sure to do all of the usual code checking on your app before building a container image.
Container registries are where images are stored. People who want to run a containerized app can download (or, in Docker parlance, "pull") the image they want and run it.
The big security challenge with registries is the danger that someone might modify the images they contain. For example, by breaking into the server that hosts a registry, an attacker could theoretically swap out a normal container image for an infected one. Users who download that tampered image would then end up with malicious software on their systems.
Container scanners help mitigate this threat. Docker Security Scanning and Clair are designed to work at the registry level, allowing you to scan all of the images in a registry automatically and to prevent tampering.
Of course, all of the normal precautions should also be taken to harden the servers that host registries against attack. Currently, the most popular public container registries, like Docker Hub and Quay, are hosted services, meaning that the task of protecting the servers against attack is in the hands of whichever company provides the services to them. But it's also possible to set up private container registries using a Docker registry server or CoreOS Enterprise Registry. In that case, the enterprise running the registry has to keep the host server secure.
Securing container stacks while they are running is a challenge for which sophisticated tools do not yet exist. However, one effective way to help keep containers secure is to collect real-time data about the container environment and then analyze it to identify security vulnerabilities.
To do that, you first need a tool that can collect monitoring data about containers. CAdvisor is probably the best open source solution for this task, but there are commercial container monitors, too, including Microsoft's recently announced technology preview of OMS Docker Container monitoring. There is also the Docker stats command, which provides very basic status information about containers, although I would not recommend relying on it for security purposes.
Once you have a monitoring system in place, you can feed the monitoring data into a data analytics platform, such as Splunk or Sumo Logic, to analyze it for signs of security issues. By collecting large amounts of data and analyzing it in real time, skilled admins can help establish a baseline for normal activity within their container environment, then identify out of the ordinary events which could signal attempted intrusions.
This approach is not perfect. Existing Docker monitoring and data analytics tools were not designed for the specific purpose of securing container stacks. However, this strategy is better than nothing.
The final major piece of the container stack is the container daemon. The daemon is the process that runs on the host server to support the management of containers. Tampering with the container daemon is one way to gain unauthorized control over the container environment and potentially wreak all manner of havoc.
Most container daemons run on Linux or other Unix-like systems. (Docker now supports Windows and OS X, but it actually runs on top of a Linux virtual machine in those environments, so it is still Linux based.) As a result, all of the standard rules about securing Unix processes apply.
Make sure that users and groups on the system that should not be able to control the daemon do not have access to it. If you expose the daemon to the network, encrypt data transfers with a Secure Sockets Layer. Use a security system, like SELinux, to harden your environment against attack.
Docker (which currently requires the Docker daemon to run as its root, although Docker developers say they hope to change that eventually) goes so far as to recommend creating a dedicated server to host the Docker daemon, with only a minimal set of administration tools installed, in order to minimize the risk of attack against the daemon.
Container security is a huge challenge that is still in need of good solutions. While the emergence of new tools like Clair and Docker Security Scanning in recent months has helped plug some of the potential security holes in the container stack, there remains a great deal of room for innovation in this area.
However, enterprises wishing to start using containers now do not have to wait for better security tools to arrive. By leveraging the strategies described above, they can make their container stacks reasonably secure -- which is the best that anyone could really ever hope for, since total security is impossible.
Secure Docker updates for IT pros
How to secure Docker on Windows or Linux
Best practices for container security