Containers, the big step in virtualization after virtual machines, have become data center favourites. They have a smaller OS footprint than VMs, helping them load and run faster. Some security improvements come with this technology, but there are still concerns.
If you manage a Docker environment and want to help make sure your organization or users are not mentioned in the news stories that accompany the next big breach, you should know the tools available for securing the Docker stack, and put them to work. This post identifies the Docker security tools available, both native ones from Docker itself and third-party options, that can help secure your Docker containers.
“Container security is a very different model than the hypervisor model,” says Ed Moyle, director of thought leadership and research for ISACA, a nonprofit association in Rolling Meadows, Ill., focused on trusted advice for information systems. “When you put regulated information like customer credit card info in a container in a multitenant cloud environment, you really have to pay more attention.”
For example, many containers demand root access. Moyle says, “It doesn’t have to be that way.” He considers container security to be in its early days, and expects that over time companies will improve it as they did with VMs. Tools from container vendors are a good first step toward better security. “Docker [a software containerization platform] and others build security features and tools into their container engines. And tools like Snort [a network intrusion detection system] help in understanding container security.”
Docker Benchmark for Security
One of the first Docker security tools you should look at is Docker Benchmark for Security, a simple script that tests your Docker deployment to ensure it adheres to established security best practices.
One of the things that makes Docker Benchmark for Security so useful is that its best practices were established by consensus among industry experts in a variety of job roles: consultants, software developers, and security and compliance experts all had a voice. You can find a full description of the best practices and the rationale behind them on the Center for Internet Security website.
Anchore
Anchore provides open source and enterprise security solutions for containerized environments. It performs analysis and policy evaluation of the containerized environment, whether in a public cloud or on premises. You can find more information about Anchore here.
CoreOS Clair
CoreOS Clair is a vulnerability scanning engine designed for Docker containers. This API-based engine inspects each container layer, searches for known vulnerabilities, and reports on them.
CoreOS Clair has two primary use cases. First, Clair is useful for checking images you did not build yourself. If, for example, you download an image from the Internet, it is difficult to know for sure whether that image is safe to use; CoreOS Clair can help you make that determination. A second use case is that it can be used to block, and/or alert you to, the use of insecure software.
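The second use case above, blocking or alerting on insecure software, comes down to applying a severity policy to what the scanner reports. The following is an added example, not Clair's own code: it assumes a layer report in the shape of Clair's v1 `GET /v1/layers/<name>?vulnerabilities` response, with a constructed sample embedded inline (placeholder CVE ids) so it runs offline, and gates an image on fixable vulnerabilities at or above a chosen severity.

```python
import json

# Constructed sample in the shape of Clair v1's layer report
# (GET /v1/layers/<name>?vulnerabilities); CVE ids are placeholders.
SAMPLE_REPORT = json.dumps({"Layer": {
    "Name": "sha256:constructed-layer-id",
    "NamespaceName": "debian:9",
    "Features": [
        {"Name": "openssl", "Version": "1.1.0f-3", "Vulnerabilities": [
            {"Name": "CVE-XXXX-0001", "Severity": "High", "FixedBy": "1.1.0f-3+deb9u1"},
            {"Name": "CVE-XXXX-0002", "Severity": "Low", "FixedBy": ""},
        ]},
        {"Name": "zlib", "Version": "1:1.2.8.dfsg-5", "Vulnerabilities": [
            {"Name": "CVE-XXXX-0003", "Severity": "Medium", "FixedBy": "1:1.2.8.dfsg-5+deb9u1"},
        ]},
        {"Name": "bash", "Version": "4.4-5"},  # feature with no known vulnerabilities
    ],
}})

# Clair's severity ladder, lowest to highest; anything unrecognised ranks lowest.
SEVERITY = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical", "Defcon1"]
rank = lambda s: SEVERITY.index(s) if s in SEVERITY else 0

def findings(report_json):
    """Flatten the report into (package, version, vuln id, severity, fixed_by)."""
    layer = json.loads(report_json)["Layer"]
    out = []
    for feat in layer.get("Features", []):
        for vuln in feat.get("Vulnerabilities", []):
            out.append((feat["Name"], feat["Version"], vuln["Name"],
                        vuln.get("Severity", "Unknown"), vuln.get("FixedBy", "")))
    return out

def gate(report_json, block_at="High", fixable_only=True):
    """Return (allowed, offending). Block when any vulnerability is at or above
    block_at; with fixable_only, vulns with no fix available alert but do not block."""
    threshold = rank(block_at)
    offending = [f for f in findings(report_json)
                 if rank(f[3]) >= threshold and (f[4] or not fixable_only)]
    return (not offending), offending

if __name__ == "__main__":
    allowed, bad = gate(SAMPLE_REPORT)
    print("ALLOW" if allowed else "BLOCK", bad)
```

Unfixed findings are deliberately left to an alert path rather than a hard block, since a gate that fails on vulnerabilities nobody can patch yet tends to get disabled altogether.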
Docker Security Scanning
Docker Security Scanning is another security vulnerability scanning tool for Docker. While it might be tempting to dismiss this tool as just another scanning engine, there are a couple of things about this tool that make it worth paying attention to.
First, Docker Security Scanning isn’t limited to scanning Docker containers; the tool also checks the Docker installation itself for security issues, and it can scan both local and remote installations.
The other thing that makes Docker Security Scanning worth a look is the fact that it is based around the use of plugins. These plugins make Docker Security Scanning extensible, so that functionality can be added as the tool matures. They are designed to be easy to write, so an organization could conceivably create plugins for its own purposes.
Drydock
Drydock is designed to work much like Docker Benchmark for Security, but is intended to be more flexible in its use. Like Docker Benchmark, Drydock is a security auditing tool for Docker. What sets Drydock apart is that it lets users create custom audit profiles. These profiles fine-tune the auditing process by eliminating checks known to clutter the resulting report with noise alerts, and can also deactivate tests that do not apply to your environment or are known to produce false alarms.
Unlike some of the other available tools, Drydock makes it surprisingly easy to create custom profiles. The tool ships with a built-in profile that lists every audit test to be performed; you can prevent a check from running simply by commenting it out.
You can download Drydock on GitHub.
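To make concrete what both Docker Benchmark for Security and Drydock do, here is an added example (not code from either project): a small best-practice audit over `docker inspect` output, with a Drydock-style profile in which commenting out an entry disables that check. The container JSON and the check ids are constructed for this example; only the fields the checks read are included.

```python
import json

# Constructed sample: one container in the JSON shape that `docker inspect` emits
# (only the fields the checks read are included).
SAMPLE_INSPECT = json.dumps([{
    "Name": "/payments-api",
    "Config": {"User": ""},
    "HostConfig": {"Privileged": True, "PidMode": "", "NetworkMode": "host",
                   "CapAdd": ["SYS_ADMIN"], "ReadonlyRootfs": False},
}])

# Each check returns True when the container passes. The ids are constructed
# for this example, not official benchmark numbers.
CHECKS = {
    "no-privileged": lambda c: not c["HostConfig"].get("Privileged", False),
    "non-root-user": lambda c: c["Config"].get("User", "") not in ("", "root", "0"),
    "no-host-pid": lambda c: c["HostConfig"].get("PidMode") != "host",
    "no-host-network": lambda c: c["HostConfig"].get("NetworkMode") != "host",
    "no-cap-add": lambda c: not c["HostConfig"].get("CapAdd"),
    "readonly-rootfs": lambda c: bool(c["HostConfig"].get("ReadonlyRootfs")),
}

# A profile lists the checks to run; commenting one out disables it, which is
# the Drydock-style way of dropping a noisy or inapplicable test.
DEFAULT_PROFILE = [
    "no-privileged",
    "non-root-user",
    "no-host-pid",
    "no-host-network",
    "no-cap-add",
    # "readonly-rootfs",  # disabled here: noisy for images that write to their rootfs
]

def audit(inspect_json, profile=DEFAULT_PROFILE):
    """Return {container name: [ids of failed checks]} for each container."""
    report = {}
    for container in json.loads(inspect_json):
        failed = [cid for cid in profile if not CHECKS[cid](container)]
        report[container["Name"].lstrip("/")] = failed
    return report

if __name__ == "__main__":
    for name, failed in audit(SAMPLE_INSPECT).items():
        print(name, "PASS" if not failed else "FAIL: " + ", ".join(failed))
```

On a real host the input would be the output of `docker inspect $(docker ps -q)`; the sample container above fails four of the five enabled checks.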
Twistlock
Twistlock is yet another security auditing tool for Docker. One thing that sets it apart from some competing solutions is that it is a commercial application, with a free Developer Edition and a licensed Enterprise Edition.
Twistlock is designed to scan each individual layer of the container stack, and is able to use content fingerprinting techniques to identify the various components, as well as known vulnerabilities that may be associated with those components.
The Enterprise Edition of Twistlock uses machine learning to help to identify vulnerabilities. It also provides automated policy creation and enforcement capabilities. The free Developer Edition has a lot of similarities to the Enterprise Edition, but requires policies to be created manually, and relies upon community support. The Developer Edition is also limited to 10 repos and two hosts.
Aqua Container Security Platform
Aqua Container Security Platform is an automated security platform for containerized applications. It provides runtime protection, auditing, and compliance. You can find more information about Aqua Container Security Platform here.