2022 Gartner® Magic Quadrant™ SIEM
Get the reportMore
Security was once the bane of Docker containers. As recently as 2014, bloggers were writing things like "using containers for security isolation is not a good idea" and that Docker is not safe "in absolute terms."
Fast forward to 2016, however, and a lot has changed. Thanks to new features from Docker itself, as well as the introduction of crucial security tools elsewhere in the container ecosystem, it has become much easier to secure Docker containers.
Here, I'll take a look at common container security challenges, and the tools and strategies you can use to solve or mitigate them.
Learn how containers enable DevOps teams build, run and secure their Dockerized applications.
Let's start by going over the security issues that containers pose. This is important because security threats on containers fall into several different categories.
They include, first, the risk of privilege escalation via containers. For example, if an attacker can get root inside a containerized app, that could become a stepping stone to gaining root access to the host system.
Another security threat is an attack originating from one container that compromises data or resources used by a different container. This could potentially happen even without getting root access.
Similarly, you could face simple DoS attacks where one container seizes control of all available system resources in order to stop other containers from operating properly.
Last but certainly not least is the risk of insecure or unvalidated app images. Part of the magic of containers is how quickly and easily they let you spin up apps based on images that you pull from a repository. If you're downloading from a public repository, however, there is a risk that you'll get an image containing malicious code, or that someone has tampered with the repo's authentication mechanism to insert a malicious image in the place of what appears to be a validated, signed image.
Some of these threats are par for the course in any type of computing environment. Security validation is always an issue with a public code repository, for instance.
But with Docker containers, the threats are amplified in certain respects. For instance, the privilege escalation issue would not be as serious if you were using a traditional hypervisor, like KVM or Hyper-V. There, the virtual environment would be strictly abstracted from the host system.
But with Docker, a process running inside a container has the same namespace as one on the host system by default. That makes it much easier for someone who gains root inside a container to get root on the host system. With traditional virtualization, in contrast, getting root access on a guest won't do much to help you become root on the host.
Repository validation and image signing also arguably represent special threats in the container world. That's because it has become common for admins to pull images from public repositories maintained by people they don't know. This is a cultural issue more than a technical one. But it's also a problem that isn't as serious within the context of public repos used for other purposes, like installing packages on a Linux system. There, admins tend to stick to the "official" repositories and packages delivered by the maintainers of their distribution.
All of the above is to say that security is a serious concern when it comes to containers, and that there are some unique challenges in this area. Fortunately, however, there are also some unique solutions that make it easy to address these concerns. Here are 6 ways you can secure Docker containers.
Container security remains a challenge. But it's no longer an issue that can't be solved without the same basic level of vigilance as that demanded by any other type of security challenge in a modern computing environment. So, with the assistance of the tools above, go forth and secure your containers!
Monitoring the events and output from Docker containers can also provide useful information. As Michael Floyd, Sumo Logic's Head of Developer Programs explains in this blog, "Sumo Logic delivers a comprehensive strategy for monitoring your Docker infrastructure with a native collection source for events, stats, configurations and logs, and provides views into things like container performance for CPU, memory, and the network." With the Sumo Logic App for Docker, there’s no need to parse different log formats, or manage logging dependencies between containers. Analytics like this can be useful in validating container resources. In addition, Sumo Logic’s advanced machine-learning and analytics capabilities can enable you to analyze, troubleshoot, and perform root cause analysis of issues surfacing from distributed container-based applications and Docker containers themselves.
Editor's Note: Docker Security - 6 Ways to Secure Your Docker Containers is published by the Sumo Logic DevOps Community. Also, be sure to check out the Sumo Logic Open Source page for free tools and code that will enable you to monitor and troubleshoot applications from code to production.
Reduce downtime and move from reactive to proactive monitoring.
Build, run, and secure modern applications and cloud infrastructures.Start free trial