Container technology enables developers to bundle an application or service together with its dependencies and configuration into one package. That package can then be deployed as a stand-alone container image instance on the host operating system. Features like this let developers deploy applications and services across different devices with little or no modification, which led to the wide adoption of container technology in the IT sector.
But just like any other popular technology, the wide adoption of containers has also attracted the attention of cybercriminals and created the need for container security. A 2020 survey by the CNCF revealed that around 92 percent of enterprises have incorporated container technology into their infrastructure, a 300 percent increase since 2016.
Containers are isolated by nature and carry all their required dependencies in a single package. That isolation gives them a baseline of security. But skilled attackers can still find ways through container defenses and gain access to sensitive information inside containers.
Docker is an open-source platform-as-a-service technology that supports the deployment of containerized applications both in the cloud and on-premises. It allows applications to be built, tested, and deployed as standalone units called containers. Docker containers are very lightweight and adapt to the deployment environment without requiring application changes, so organizations use them to speed up their delivery pipelines.
Containers, combined with Docker, are now the market standard for packaging microservices, monolithic apps, and commercially available apps. Enterprises using Docker container technology tend to ship portable, controlled apps in an agile manner.
The wide adoption of containers has also prompted security analysts to propose techniques and guidelines for protecting containerized apps. Docker containers ship with the Linux kernel's isolation features enabled by default, which makes them reasonably secure while still allowing users to adjust the configuration. This sandboxing certainly makes containers a secure platform, but just like any other technology, Docker containers also have some unique security challenges.
One key downside of Docker containers is the large attack surface they present to cybercriminals: a Docker container is built from several underlying images, and each of them can carry vulnerabilities of its own.
Another weakness is that containers share the host's kernel. Beyond host security, restricting container permissions and isolating containers from one another are also essential to a comprehensive security strategy. Additionally, traditional security tools are ineffective for monitoring containers because containers are highly dynamic. Other concerns include Dockerfile security, security misconfigurations, base image vulnerabilities, exposed network ports, and user privileges.
Docker is the most widely used containerization technology, and its baseline container security can be improved considerably. A Docker container security solution should address vulnerabilities in the base image, Dockerfile security, weaknesses introduced while building Docker images, and runtime aspects such as user privileges and the Docker daemon. Below are some guidelines for getting started with Docker container security:
Container images are the foundation of containers and provide the subset of the operating system needed to create a container. This also means that a vulnerability within the container image can lead to a security breach in the container deployed in production. In addition to the OS subset, a container image also includes the application designed to run in the container. To limit security issues, developers should include a statically compiled binary, along with only its dependencies, in the container image, and it is always recommended to remove unnecessary components that would increase the attack surface. Furthermore, container images are mostly acquired from public repositories and may contain security issues, so it is always a good idea to verify the source of your container image.
No matter how strong your security defenses are, humans can be the weakest link in the security framework. A misconfigured container runtime, cluster, host, or cloud resource can lead to a serious data breach. This is why enterprises should also benchmark their security controls to ensure that they are up to par. The Center for Internet Security (CIS) is a non-profit organization that offers free benchmarks for several environments, and these benchmarks have become the de facto market standard for implementing security controls. Companies can also use automation tools that perform static configuration analysis to verify security parameters at various levels.
The Docker socket is a Unix socket located at /var/run/docker.sock that serves as the primary entry point to the Docker API. Root privileges are required to access this socket, and a malicious user who gains access to it can take complete control of the host. If your Docker daemon is running with -H tcp://0.0.0.0:XXX or something similar, it is exposed to unencrypted, unauthenticated direct access; in other words, if that daemon is reachable from a public network, it is very easy to obtain root access to the host. Keep the TCP Docker socket disabled wherever possible and only enable it after implementing proper security controls.
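As an added example that is not part of the original article, the following Python checks turn the daemon-exposure point above into an offline audit: one function reads the daemon's configuration (daemon.json) and flags TCP listeners that are not protected by mutual TLS, the other reads `docker inspect` output and flags containers that have the Docker socket mounted into them or run privileged. Both inputs are constructed samples, and the function names are the example's own.

```python
import json

# Constructed sample of /etc/docker/daemon.json with the weak setting from the
# text: a TCP listener on every interface and no TLS material configured.
DAEMON_JSON = json.loads("""
{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
""")

# Constructed, trimmed sample of `docker inspect` output for one container
# that bind-mounts the Docker socket and runs with --privileged.
INSPECT_JSON = json.loads("""
[{"Name": "/build-agent",
  "HostConfig": {"Privileged": true,
                 "Binds": ["/var/run/docker.sock:/var/run/docker.sock:rw"]},
  "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
              "Destination": "/var/run/docker.sock"}]}]
""")

DOCKER_SOCK = "/var/run/docker.sock"


def audit_daemon(cfg):
    """Flag every TCP listener unless the daemon also verifies client certs."""
    mutual_tls = cfg.get("tlsverify") is True and all(
        k in cfg for k in ("tlscacert", "tlscert", "tlskey"))
    return [f"daemon listens on {h} without mutual TLS"
            for h in cfg.get("hosts", [])
            if h.startswith("tcp://") and not mutual_tls]


def audit_containers(inspect):
    """Flag containers that could reach the host: socket mounted in, or privileged."""
    findings = []
    for c in inspect:
        name, hc = c.get("Name", "?"), c.get("HostConfig", {})
        # the socket can arrive via -v (HostConfig.Binds) or --mount (Mounts)
        sources = {b.split(":")[0] for b in hc.get("Binds") or []}
        sources |= {m.get("Source", "") for m in c.get("Mounts") or []}
        if DOCKER_SOCK in sources:
            findings.append(f"{name}: {DOCKER_SOCK} is mounted into the container")
        if hc.get("Privileged"):
            findings.append(f"{name}: runs with --privileged")
    return findings
```

On a real host, feed `audit_daemon` the parsed daemon.json (or the `-H` hosts from the daemon's command line) and `audit_containers` the output of `docker inspect $(docker ps -q)`.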
Processes in a container run as root by default if no user is specified in the Dockerfile, yet a container genuinely requires root privileges in very few cases. Leaving the default root privileges in place increases the attack surface. To mitigate this, it is recommended to create a dedicated user and a dedicated group with the least possible privileges and run the container as them.
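As an added example (not code from the original article or from any Docker tool), a small Python check that encodes the image-hygiene point about minimal, verified images and the least-privilege point about non-root users: it lints a Dockerfile for base images not pinned by digest, content fetched from remote sources, downloads piped into a shell, and a final stage that still runs as root, and it runs over a constructed weak Dockerfile and a hardened multi-stage rewrite of it. The digest in the hardened sample is a placeholder.

```python
import re
# Constructed sample: a weak Dockerfile that pulls a floating tag, fetches
# unverified content, pipes a download into a shell, and never sets USER.
WEAK_DOCKERFILE = """\
FROM ubuntu:latest
ADD https://example.invalid/app.tar.gz /opt/
RUN curl -s https://example.invalid/install.sh | sh
CMD ["/opt/app"]
"""
# Constructed hardened rewrite: a static binary built in one stage is copied
# into an empty base and run as a dedicated UID/GID. The digest is a placeholder.
HARDENED_DOCKERFILE = """\
FROM golang:1.22@sha256:0000000000000000000000000000000000000000000000000000000000000000 AS build
COPY . /src
RUN cd /src && CGO_ENABLED=0 go build -o /app .
FROM scratch
COPY --from=build /app /app
USER 10001:10001
ENTRYPOINT ["/app"]
"""

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def _instructions(text):
    """Yield (INSTRUCTION, argument) pairs, joining backslash continuations."""
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            yield parts[0].upper(), (parts[1] if len(parts) > 1 else "")


def lint_dockerfile(text):
    """Return human-readable findings; an empty list means every check passed."""
    findings, last_user = [], None   # last_user: USER in effect in the final stage
    for instr, arg in _instructions(text):
        if instr == "FROM":
            image = [t for t in arg.split() if not t.startswith("--")][0]
            last_user = None         # every stage starts as root again
            if image != "scratch" and not DIGEST_RE.search(image):
                findings.append(f"FROM {image}: base image not pinned by digest")
        elif instr == "ADD" and re.search(r"\bhttps?://", arg):
            findings.append("ADD pulls remote content: verify the source or COPY a vetted artifact")
        elif instr == "RUN" and re.search(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b", arg):
            findings.append("RUN pipes a downloaded script straight into a shell")
        elif instr == "USER":
            last_user = arg.strip()
    if last_user is None or last_user.split(":")[0] in ("root", "0"):
        findings.append("final stage runs as root: add a dedicated non-root USER")
    return findings
```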
The goal of Docker security is to keep pace with the latest technologies by making them secure so they can be used to their full potential. A comprehensive Docker container security solution protects the Docker environment at every level: not just the contained applications and container images, but the entire stack of components involved in building, distributing, and especially running the containers. A well-protected Docker container is easy to integrate with other current practices such as DevOps.
Talk to a Cybersecurity Trusted Advisor at IRM Consulting & Advisory