Cyber security is no longer a luxury. If you need a reminder of that, just take a look at the seemingly endless number of stories appearing in the news lately about things like malware and security breaches.
If you manage a Docker environment and want to keep your organization or users out of the news stories that accompany the next big breach, you should know the tools available for securing the Docker stack, and put them to work. This post identifies the Docker security tools available (both native ones from Docker itself and third-party options) that can help secure your Docker containers.
Managing containers spans application development, testing and OS preparation, so securing containers is a broad topic with many separate areas. A layered security approach works just as well for containers as it does for any other IT infrastructure.
There are many precautions that should be taken before running containers in production.* These include:
Hardening, scanning and signing images
Implementing access controls through management tools
Enabling settings so that only secured communication protocols are used
Using your own digital signatures
Securing the host, platforms and Docker by hardening, scanning and locking down versions
*Download “15 Tips for Container Security” for a more detailed explanation
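As an added example (not code from the original post or from NeuVector or Rancher) of checking the "secured communication protocols" and "locking down" points above, this script audits a Docker daemon.json for a plaintext TCP API listener, an incomplete TLS setup and insecure registries. The keys used ("hosts", "tlsverify", "tlscacert", "tlscert", "tlskey", "insecure-registries") are real dockerd daemon.json options; both configurations are constructed samples.

```python
import json
from typing import List

# Constructed sample of a weakly configured daemon.json: the API is exposed on
# plaintext port 2375 with no TLS, and a registry is allowed without TLS.
WEAK_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
    "insecure-registries": ["registry.internal:5000"],
})

# Constructed hardened counterpart: client-certificate verification on the TCP
# listener (conventional TLS port 2376) and no insecure registries.
HARDENED_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def audit_daemon_config(raw: str) -> List[str]:
    """Return a list of findings; an empty list means no weak setting found."""
    cfg = json.loads(raw)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts and not cfg.get("tlsverify"):
        # A TCP listener without tlsverify gives root-equivalent API access to
        # anyone who can reach the port.
        findings.append("tcp listener without tlsverify: " + ", ".join(tcp_hosts))
    if cfg.get("tlsverify") and not all(
        k in cfg for k in ("tlscacert", "tlscert", "tlskey")
    ):
        findings.append("tlsverify set but CA cert, server cert or key path missing")
    for reg in cfg.get("insecure-registries", []):
        # Insecure registries permit plaintext or unverified-TLS image pulls.
        findings.append("insecure registry allows untrusted pulls: " + reg)
    return findings


if __name__ == "__main__":
    for name, raw in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_daemon_config(raw) or ["ok"])
```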
But at the end of the day, containers need to run in a production environment where constant vigilance is required to keep them secure. No matter how many precautions and controls have been put in place before going to production, there is always the risk that an attacker gets through or that malware spreads from an internal network. With applications broken into microservices, internal 'east-west' traffic increases dramatically and becomes more difficult to monitor and secure. Recent examples include the ransomware attacks that can exploit thousands of MongoDB or Elasticsearch servers, containers included, with very simple attack scripts. Serious data leakage or damage has also often been reported to originate from a malicious internal laptop or desktop.
What is ‘Run-Time Container Security’?
Run-time container security focuses on monitoring and securing containers running in a production environment. This covers container and host processes, system calls and, most importantly, network connections.
DevOps can now efficiently and securely deploy containers for enterprise applications
As more enterprises move to a container-based application deployment model, DevOps teams are discovering the need for management and orchestration tools to automate container deployments. At the same time, production deployments of containers for business critical applications require specialized container-intelligent security tools.
To address this, Rancher Labs and NeuVector today announced that they have partnered to make container security as easy to deploy as application containers. You can now easily deploy the NeuVector container network security solution with the Rancher container management platform. As the first and only container network security solution in the Rancher application catalog, NeuVector can be deployed as containers into an enterprise container environment in a few simple steps.