Best Docker Security Practices
Greetings from London at Cloud Expo!
I was thrilled to attend and be one of the speakers at Cloud Expo London 2016. My talk was about the security of containers and you may find it here.
I tried to draw a parallel between recent architectural evolutions, such as virtualization and cloud, and their security implications. New technology brings new issues, and we need to adapt our security operations to cope with them.
Here are the 10 tips, grouped into 3 phases:
A. UNDERSTAND and PLAN your Docker security
1. Audit your infrastructure regularly; test it like you test your code
2. Keep it simple… (KISS) -> containers are a good step to simplify
3. Understand and test the attack surface of each technology
B. TEST and CORRECT: Operations
4. Run trusted (=tested) containers
5. Automate everything to avoid manual errors and reduce cost; use APIs, no agents
6. Perform vulnerability assessments often
7. Use tools that cope with bare metal, virtual, cloud and containers (legacy is not going to disappear)
8. Patch and remediate rapidly, or replace containers with updated versions
C. REPORT and SHOW
9. Monitor KPIs and risk, not logs and vulnerabilities -> actionable data
10. Keep the C-level informed; your budget for the next new technology depends on it
If you want further information on the subject, please look at the Elastic Security blog post, which dives into an implementation of these best practices:
Always glad to open the discussion about it; please leave a comment.
Sergio Loureiro is one of the co-authors of the Security Guidance for Cloud Computing done by the CSA in December 2009 (V2.1). The CSA is working with the ISO towards standards in the cloud security domain.