Setting Sail with Docker
Credit to Author: Justin Foster | Date: Tue, 18 Apr 2017 12:00:18 +0000
This week thousands of people are heading to Austin, Texas for DockerCon 2017. Docker’s popularity has been explosive, with thousands of organizations using its platform to modernize applications, build microservices, optimize infrastructure and embrace a true DevOps practice.
Like any transformation, moving to Docker is a journey for an organization. In preparation for sailing on the high seas, it’s important to know how to secure your containers for the voyage.
As we have discussed before on Simply Security, containers are part of an evolution of computing. As we move along this spectrum, workloads are shrinking in size as developers increasingly embrace microservices. Virtualization offered application templates that were an entire VM, cloud introduced newer forms of building stateless servers dynamically, and containers standardize and compartmentalize the application in a highly efficient and portable way.
With the adoption of these modern environments, security too has adapted. For virtualization, we saw the first agentless approach to file and network security. With cloud, we supported auto scaling and consumption licensing. For Docker, security is evolving to provide container visibility and to protect both the Docker host and the containers it supports.
In addition to application portability, Docker introduced a standardized means of application distribution: the registry. Developers use a CI/CD pipeline to push images to the registry, and from there container orchestration tools like Docker Swarm or Kubernetes are used to deploy, manage, and scale container workloads. This separation of duties is your first step towards securing a Docker-based application environment. Developers only have the ability to push images, while operations use those images to ensure the application is highly available and serving your users. With DevOps, these roles may sit in the same team, but applying the principle of least privilege is always good practice.
Next is the runtime application itself. Like anything else in the computing world, Docker-based deployments and the applications running in them, while largely instrumental in innovation, remain imperfect. These imperfections come in the form of operating system vulnerabilities, application logic flaws that open the door to injection or spoofing attacks, or malicious insiders. This is where applying compensating controls such as Intrusion Prevention, File Integrity Monitoring, Log Analysis and other techniques comes in. It is very important that any solution understands how to protect both the Docker host and the containers running on it.
Docker environments mean rapid deployment and iteration. Some Docker users ship application updates over a hundred times a day! In this type of dynamic environment it’s important to choose a tool that adapts to changes and provides visibility into your Docker workloads. Furthermore, if your application handles sensitive data, you may be subject to compliance standards. Choosing a security tool designed for continuous compliance will be your best path to avoiding headaches during an audit. With your containers secured, it’s smooth sailing from there on out.
Organizations are setting sail for a container world faster than ever. These are just a few of the tips to help you with the choppy seas to ensure a safe and secure voyage with Docker.
If you are at DockerCon in Austin this week, stop by and see us at Booth S30! Our team can show you how we add layered security to the Docker host and the containers. Find out more at www.trendmicro.com/hybridcloud.
If you have questions or comments, please post them below or follow me on Twitter: @justin_foster.