What Is Docker?
Docker is a container platform that enables developers and system administrators to package an application with all of its dependencies into a standardized unit of code.
Docker containers allow enterprises to run applications as isolated processes in a wide range of environments, from hyper-scale cloud platforms to shared machines on-premises. Because of the platform’s agility, ease of use, and scalability, Docker containers have become a staple of modern cloud-native infrastructure.
How Docker works
Docker works by providing a standard platform for enterprises to run code. It packages all the required binaries, libraries, and dependencies a given app needs in a single immutable container image.
Docker container images can be created by text files known as Dockerfiles. Once the images are created, they can be instantiated as many times as needed to run workloads as Docker containers on top of a container engine (like Docker Engine or Podman). Because they are lightweight, fast, easy to instantiate, and highly scalable, containers are a better fit for many CI\CD workflows and cloud-native microservice architectures than full-blown operating systems running on virtual machines or bare-metal servers.
Docker Security Issues
According to Docker, there are four major areas enterprises should consider for Docker security reviews. They are:
- Kernel security
- Docker daemon attack surface
- Configuration challenges
- Kernel hardening features and how they impact Docker containers
In addition to those Docker security considerations, it is also important for enterprises to account for the source of their container images, the libraries and binaries a given container uses, the patching of known vulnerabilities, and account for the complexity of container configuration and communication.
With all that in mind, some of the most important Docker security issues for enterprises to consider when evaluating their security posture are:
- Insecure container images: Whether they are misconfigured or outright malicious, pulling and deploying an insecure image from a repository can instantly reduce enterprise security posture. Case in point: a scan of 4 million publicly available containers on Docker Hub found 6,000 were malicious and over half had critical vulnerabilities.
- Attack surface: The more open network ports, files, libraries, and dependencies in a container, the bigger the attack surface. Unused or unnecessary components in a container not only increase bloat, they also increase the number of potential entry points for attackers.
- Use of the privileged flag: The –privileged flag allows Docker containers to run with full privileges and bypass restrictions in the device cgroup controller. Use of this flag should be limited to a very narrow set of use cases.
- Security of the host environment: Vulnerabilities in the underlying kernel and host operating system a container engine runs on top of can leave enterprise workloads at risk. If the enterprise controls the Docker host environment, hardening and patching the host environment is a must.
- Container orchestration security: Orchestration platforms like Kubernetes (K8s) enable enterprises to effectively manage and deploy containers. As a result, K8s security is an important aspect of Docker container security.
- Container visibility: Visibility is a fundamental aspect of security. However, traditional monitoring and security scanning tooling isn’t always capable of providing granular visibility into container workloads.
Docker Security Best Practices
To limit their exposure to common Docker container security issues, there are several Docker security best practices enterprises can follow. In addition to the basics such as effective patch management and shifting security left, here are some of the most important:
- Follow the principle of least privilege: Security policies and configurations should ensure containers and users can only perform the minimum set of functions they need to do their job. From a tactical perspective, this means enterprises should take steps such as: implementing granular IAM policies, running containers in rootless mode, using minimal base container images, locking down the network layer and not exposing the Docker daemon socket, limiting or restricting the use of the –privileged flag, and using read-only filesystems whenever possible.
- Only run trusted containers: Restricting the use of containers pulled from Docker container registries to only trusted and signed (e.g. using signed tags and Docker Content Trust) images can greatly reduce enterprise exposure to vulnerable container images.
- Apply resource quotas: Resource quotas limit the amount of resources (e.g. CPU and RAM) a Docker container can consume. Configuring resource quotas can limit an attacker’s ability to consume host resources or impact other services in the event a container is compromised.
- Isolate containers as much as possible: Because containers run as processes in Linux environments, there are a variety of solutions available that allow enterprises to protect against kernel escapes and improve logical isolation between containers. For enterprises that maintain their own host environments, using solutions such as AppArmor, cgroups, Linux namespaces, or SELinux can help secure Docker environments.
- Proactively monitor and scan: Scanning and proactive monitoring end-to-end across the CI\CD pipeline enables enterprises to rapidly detect threats, identify vulnerabilities in container images, and quickly remediate issues. Tooling that provides the granular visibility enterprises need to detect security issues with Docker containers is a must for this best practice.
Docker Security With CloudGuard
To implement the best practices here and secure container workloads, enterprises need security solutions purpose-built with Docker and modern DevSecOps pipelines in mind. CloudGuard’s Container Security platform offers enterprises a full suite of tools to protect Docker containers and implement container security at scale.
For example, with CloudGuard, enterprises can leverage image security scanning to detect security issues with container images and proactively suggest remediation steps.
Additionally, with CloudGuard Container Security platform, enterprises also gain:
- Complete protection across all clouds in multi-cloud environments.
- Admission Controller to set policies and enforce the least privileged access across clusters.
- Code scans that detect embedded credentials and vulnerabilities.
- Security posture management with automatic risk assessment and generation of least privilege IAM roles.
- Real-time threat prevention and runtime protection.
- Automatic deployment of security controls for DevSecOps pipelines.
- Intrusion detection and threat intelligence.
To learn more, you can sign up for a container security demo led by a CloudGuard cloud security expert. During the demo, the cloud security professional will explore container security best practices relevant to modern cloud-native environments and how you can leverage automation to implement Docker.
To learn more about the latest container security best practices, you can also download our Guide to Container and Kubernetes Security. This detailed security guide provides evidence-based insights into the security challenges enterprises face and explores practical approaches for addressing them at scale.
Feedback