SlideShare a Scribd company logo

Docker Containers Security

Stephane Woillez
Stephane Woillez

This document discusses security considerations for Docker containers. It covers three main aspects: securing the platform/infrastructure by hardening the Docker engine and hosts; securing container content through image management, content trust, and secrets management; and securing access and operations through authentication, authorization, access control, auditing, and multi-tenancy. While containers provide isolation and security benefits, the document emphasizes that containers must still follow security best practices to prevent compromise, especially as container usage evolves from individual services to larger applications.

1 of 23
Downloaded 28 times
Security in the Container World Stéphane Woillez Technical Lead South Europe Docker Inc.
From basic security to end to end secured operations…. • Different aspects of containers security • Container ARE secure • There are containers and containers • Secure the infrastructure • Secure the content • Secure the access Containers are Polymorphic entities that require a combined security approach 2
The security of Docker environments covers 3 aspects + + Secure Platform Secure Content Secure Access Strong isolation and secure by default Authentication, authorization and access control Content integrity and trust • Does not hinder speed or creativity • Accelerate secure development For Developers For IT ops • Flexible and granular controls • Proactive risk management A secure platform, running secured content, managed with security constraints
Containers Security Basics Containers are secure Understand containers to know how to secure them
State of the union : Containers are secure ! • Isolation of containers with NameSpaces • Resource Usage Limits with CGroups • Admin rights control with LibCap • Kernel protection with AppArmor, SELinux or Seccomp • Prevent Compromising with immutable image layers • Limit attack surface with Images built best practices Readonly Readonly Readonly Install only the required libraries in images Even the more secured environment, if poorly managed, can be compromised 5
Containers are polymorphic entities (micro)Service Container Virtual Machine Container The container hosts a few number of processes It executes a single task, in general a simple one It is one element of a larger application The container runs a large number of processes It executes a complex activity It is a whole application
Different behaviors need different management approaches Type of Container Service Virtual Machine Content Few processes A whole application Size Few mega bytes Hundreds of mega bytes, even giga bytes Lifespan Short, sometimes a few milliseconds Days / Weeks / Months Patchs Never On a regular basis (by stop/start) Storage None Regular (via volumes) Monitoring Service availability (not the container) Regular Access Never Regular for control, debug… Backup Never Application Data Security BEFORE execution Regular via Antimalware & Intrusion Detection
Secure the infrastructure Security of the engine What about intrusion detection ?
Security of the Engine • Install & configure kernel protection using AppArmor, SELinux or Seccomp • Prevent root access to clusters, to ensure no one can disable protection • Limit the installed packages on host to reduce risk • Use a tool like DockerBench for Security to assess and fix the configuration of hosts • On clusters, configure certificates rotation for TLS sessions Configure, control, and test… 9
Detection of intrusions and abnormal activities • Very early stage. Attacks adapted to containers still to be developed. Risk low for Micro Services Apps • The security approach depends on the type of containers managed • For « Virtual Machines » containers o Well, everything works like in VMs o Host based Intrusion detection o Anti malware • For « Services » containers o Containers may live for only milliseconds o Vulnerability assessment BEFORE execution What the hell are you doing inside my Docker cluster ? 10
What Docker brings to secure the infrastructure • Cryptographic node identity • Out of the box TLS • Integrated Seamless PKI • Automatic certificates rotation • External CA integration • Integration with 3rd party vendors Manager Node Certificate Authority TLS Manager Node Certificate Authority TLS Manager Node Certificate Authority TLS Worker TLS Worker TLS Worker TLS
Secure the content Docker image management Content trust Secrets Management
Image Management • Hub Images or my private images ? o Allow developers to use hub images locally o Deny uncontrolled images on clusters • Build your own base images o Tar the content of a chroot dir and use “scratch” o Look for examples in the Docker Hub • Reduce the size of images layers using multi stage builds • Tagging o LATEST is your enemy in production o Favor major versions, update using minors o Some use extra tags like DEV,INTEGRATION... FROM scratch ADD <chroot_dir or tar file> / CMD ["/bin/bash"] Docker HUB Trusted Registry Image quality is key to many aspects of Docker : security, efficiency, shareability… 13
Content trust : Run only trusted images • Clusters should only run trusted images • Images should pass security validation before been granted for production • Digital signing of images ensure trust. Engines do not create containers from unsigned images • Sophisticated signing policies can be used for different purposes : o Implement a validation chain o Ensure all security tests have been applied o Involve the responsibility of image providers Don’t open the Pandora’s box, unless you know exactly what it contains 14
• Management – Separation between the application and the secrets it handles – Exposed to a container at execution time • Authorization – Not all admins should access secrets • Delivery – Encryption at every step of the process – Protection from unauthorized access • Auditing – Each user request for secret access must be logged for auditing WorkerWorker Manager Internal DistributedStore Raft Consensus Group ManagerManager Worker External App Web UI Secrets Management for Applications Separate applications secrets from the actual code of the application
What Docker brings to secure the content • Private Registries • Content trust • Image Signing • Image Scanning • Read Only repositories • Secrets Management tag = “latest” personal/hello-world dev/hello-world No ‘critical’ or ‘major’ vulnerabilities qa/hello-world
Secure the operations Authentication & access control Multi tenancy
Authentication and Access Control • Basic Security – Access the Docker cluster without ROOT privileges – Secure every administration channel • Authentication – Manage users by groups and organizations – Delegate authentication to external directory • Access Control – Map Docker Admin roles to existing roles – Admins only see what they are entitled to • Auditing – Each Admin action must be logged for auditing Node Worker Node Worker Node Worker Node Worker ProdDev Dev Team A Dev Team B SecOpsOps Team PHI
Multi tenancy • Do not mix up platform multi tenancy and application multi tenancy • Two main usage of Multi Tenancy : o Isolate users/apps from others o Protect environments from unauthorized users ▪ Production vs Other environments • Several combined technics allows multi tenancy : o Authentication (not only for users) o Role based access control o Isolation of compute resources (pros & cons) o Resource usage limits (ensure they are set) Ensure & control good relationship between neighbors 19
What Docker brings to secure the operations • Authentication • Integration with AD/LDAP • Access Control • Role Segregation • Advanced Customization • Multi Tenancy
Conclusion Q&As
Conclusion • Containers are secure • 3+ years of experience in production • Like any other environment, security best practices are required • New technologies means new approaches to security (VM vs Services) 22
Docker Containers Security
Ad

Recommended

Docker Enterprise Deployment Planning
Docker Enterprise Deployment PlanningDocker Enterprise Deployment Planning
Docker Enterprise Deployment Planning
Stephane Woillez
 
SW Docker Security
SW Docker SecuritySW Docker Security
SW Docker Security
Stephane Woillez
 
SS Introduction to Docker
SS Introduction to DockerSS Introduction to Docker
SS Introduction to Docker
Stephane Woillez
 
VMware@Night: Container & Virtualisierung
VMware@Night: Container & VirtualisierungVMware@Night: Container & Virtualisierung
VMware@Night: Container & Virtualisierung
Digicomp Academy AG
 
Containers vs. VMs: It's All About the Apps!
Containers vs. VMs: It's All About the Apps!Containers vs. VMs: It's All About the Apps!
Containers vs. VMs: It's All About the Apps!
Steve Wilson
 
Containers 101
Containers 101Containers 101
Containers 101
Black Duck by Synopsys
 
Ten layers of container security for CloudCamp Nov 2017
Ten layers of container security for CloudCamp Nov 2017Ten layers of container security for CloudCamp Nov 2017
Ten layers of container security for CloudCamp Nov 2017
Gordon Haff
 
Containers for Lawyers Richard Fontana
Containers for Lawyers Richard FontanaContainers for Lawyers Richard Fontana
Containers for Lawyers Richard Fontana
Black Duck by Synopsys
 
Top 5 benefits of docker
Top 5 benefits of dockerTop 5 benefits of docker
Top 5 benefits of docker
John Zaccone
 
Containers in depth – understanding how containers work to better work with c...
Containers in depth – understanding how containers work to better work with c...Containers in depth – understanding how containers work to better work with c...
Containers in depth – understanding how containers work to better work with c...
All Things Open
 
Docker Containers Deep Dive
Docker Containers Deep DiveDocker Containers Deep Dive
Docker Containers Deep Dive
Will Kinard
 
An In-depth look at application containers
An In-depth look at application containersAn In-depth look at application containers
An In-depth look at application containers
John Kinsella
 
Docker vs VM | | Containerization or Virtualization - The Differences | DevOp...
Docker vs VM | | Containerization or Virtualization - The Differences | DevOp...Docker vs VM | | Containerization or Virtualization - The Differences | DevOp...
Docker vs VM | | Containerization or Virtualization - The Differences | DevOp...
Edureka!
 
Docker introduction &amp; benefits
Docker introduction &amp; benefitsDocker introduction &amp; benefits
Docker introduction &amp; benefits
Amit Manwade
 
Dockercon EU 2015 Recap
Dockercon EU 2015 RecapDockercon EU 2015 Recap
Dockercon EU 2015 Recap
Lee Calcote
 
Securing the Cloud
Securing the CloudSecuring the Cloud
Securing the Cloud
John Kinsella
 
Introduction to Docker - VIT Campus
Introduction to Docker - VIT CampusIntroduction to Docker - VIT Campus
Introduction to Docker - VIT Campus
Ajeet Singh Raina
 
Docker & Daily DevOps
Docker & Daily DevOpsDocker & Daily DevOps
Docker & Daily DevOps
Satria Ady Pradana
 
Docker taylor swift and protection v06
Docker taylor swift and protection v06Docker taylor swift and protection v06
Docker taylor swift and protection v06
marketingunitrends
 
Docker benefits v0.1
Docker benefits v0.1Docker benefits v0.1
Docker benefits v0.1
Dayanand Shanmugham
 
DevSecOps: Bringing security to the DevOps pipeline
DevSecOps: Bringing security to the DevOps pipelineDevSecOps: Bringing security to the DevOps pipeline
DevSecOps: Bringing security to the DevOps pipeline
Aarno Aukia
 
Containers - Transforming the data centre as we know it 2016
Containers - Transforming the data centre as we know it 2016Containers - Transforming the data centre as we know it 2016
Containers - Transforming the data centre as we know it 2016
Keith Lynch
 
Docker 101
Docker 101Docker 101
Docker 101
Lâm Đào
 
Docker Basic to Advance
Docker Basic to AdvanceDocker Basic to Advance
Docker Basic to Advance
Paras Jain
 
Docker - A high level introduction to dockers and containers
Docker - A high level introduction to dockers and containersDocker - A high level introduction to dockers and containers
Docker - A high level introduction to dockers and containers
Dr Ganesh Iyer
 
Docker in pratice -chenyifei
Docker in pratice -chenyifeiDocker in pratice -chenyifei
Docker in pratice -chenyifei
dotCloud
 
Docker introduction
Docker introductionDocker introduction
Docker introduction
Julien Maitrehenry
 
Where and When to Docker
Where and When to DockerWhere and When to Docker
Where and When to Docker
dantheelder
 
Strategy, planning and governance for enterprise deployments of containers - ...
Strategy, planning and governance for enterprise deployments of containers - ...Strategy, planning and governance for enterprise deployments of containers - ...
Strategy, planning and governance for enterprise deployments of containers - ...
The Incredible Automation Day
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container security
Volodymyr Shynkar
 
Ad

More Related Content

What's hot (20)

Top 5 benefits of docker
Top 5 benefits of dockerTop 5 benefits of docker
Top 5 benefits of docker
John Zaccone
 
Containers in depth – understanding how containers work to better work with c...
Containers in depth – understanding how containers work to better work with c...Containers in depth – understanding how containers work to better work with c...
Containers in depth – understanding how containers work to better work with c...
All Things Open
 
Docker Containers Deep Dive
Docker Containers Deep DiveDocker Containers Deep Dive
Docker Containers Deep Dive
Will Kinard
 
An In-depth look at application containers
An In-depth look at application containersAn In-depth look at application containers
An In-depth look at application containers
John Kinsella
 
Docker vs VM | | Containerization or Virtualization - The Differences | DevOp...
Docker vs VM | | Containerization or Virtualization - The Differences | DevOp...Docker vs VM | | Containerization or Virtualization - The Differences | DevOp...
Docker vs VM | | Containerization or Virtualization - The Differences | DevOp...
Edureka!
 
Docker introduction &amp; benefits
Docker introduction &amp; benefitsDocker introduction &amp; benefits
Docker introduction &amp; benefits
Amit Manwade
 
Dockercon EU 2015 Recap
Dockercon EU 2015 RecapDockercon EU 2015 Recap
Dockercon EU 2015 Recap
Lee Calcote
 
Securing the Cloud
Securing the CloudSecuring the Cloud
Securing the Cloud
John Kinsella
 
Introduction to Docker - VIT Campus
Introduction to Docker - VIT CampusIntroduction to Docker - VIT Campus
Introduction to Docker - VIT Campus
Ajeet Singh Raina
 
Docker & Daily DevOps
Docker & Daily DevOpsDocker & Daily DevOps
Docker & Daily DevOps
Satria Ady Pradana
 
Docker taylor swift and protection v06
Docker taylor swift and protection v06Docker taylor swift and protection v06
Docker taylor swift and protection v06
marketingunitrends
 
Docker benefits v0.1
Docker benefits v0.1Docker benefits v0.1
Docker benefits v0.1
Dayanand Shanmugham
 
DevSecOps: Bringing security to the DevOps pipeline
DevSecOps: Bringing security to the DevOps pipelineDevSecOps: Bringing security to the DevOps pipeline
DevSecOps: Bringing security to the DevOps pipeline
Aarno Aukia
 
Containers - Transforming the data centre as we know it 2016
Containers - Transforming the data centre as we know it 2016Containers - Transforming the data centre as we know it 2016
Containers - Transforming the data centre as we know it 2016
Keith Lynch
 
Docker 101
Docker 101Docker 101
Docker 101
Lâm Đào
 
Docker Basic to Advance
Docker Basic to AdvanceDocker Basic to Advance
Docker Basic to Advance
Paras Jain
 
Docker - A high level introduction to dockers and containers
Docker - A high level introduction to dockers and containersDocker - A high level introduction to dockers and containers
Docker - A high level introduction to dockers and containers
Dr Ganesh Iyer
 
Docker in pratice -chenyifei
Docker in pratice -chenyifeiDocker in pratice -chenyifei
Docker in pratice -chenyifei
dotCloud
 
Docker introduction
Docker introductionDocker introduction
Docker introduction
Julien Maitrehenry
 
Where and When to Docker
Where and When to DockerWhere and When to Docker
Where and When to Docker
dantheelder
 
Top 5 benefits of docker
Top 5 benefits of dockerTop 5 benefits of docker
Top 5 benefits of docker
John Zaccone
 
Containers in depth – understanding how containers work to better work with c...
Containers in depth – understanding how containers work to better work with c...Containers in depth – understanding how containers work to better work with c...
Containers in depth – understanding how containers work to better work with c...
All Things Open
 
Docker Containers Deep Dive
Docker Containers Deep DiveDocker Containers Deep Dive
Docker Containers Deep Dive
Will Kinard
 
An In-depth look at application containers
An In-depth look at application containersAn In-depth look at application containers
An In-depth look at application containers
John Kinsella
 
Docker vs VM | | Containerization or Virtualization - The Differences | DevOp...
Docker vs VM | | Containerization or Virtualization - The Differences | DevOp...Docker vs VM | | Containerization or Virtualization - The Differences | DevOp...
Docker vs VM | | Containerization or Virtualization - The Differences | DevOp...
Edureka!
 
Docker introduction &amp; benefits
Docker introduction &amp; benefitsDocker introduction &amp; benefits
Docker introduction &amp; benefits
Amit Manwade
 
Dockercon EU 2015 Recap
Dockercon EU 2015 RecapDockercon EU 2015 Recap
Dockercon EU 2015 Recap
Lee Calcote
 
Securing the Cloud
Securing the CloudSecuring the Cloud
Securing the Cloud
John Kinsella
 
Introduction to Docker - VIT Campus
Introduction to Docker - VIT CampusIntroduction to Docker - VIT Campus
Introduction to Docker - VIT Campus
Ajeet Singh Raina
 
Docker & Daily DevOps
Docker & Daily DevOpsDocker & Daily DevOps
Docker & Daily DevOps
Satria Ady Pradana
 
Docker taylor swift and protection v06
Docker taylor swift and protection v06Docker taylor swift and protection v06
Docker taylor swift and protection v06
marketingunitrends
 
Docker benefits v0.1
Docker benefits v0.1Docker benefits v0.1
Docker benefits v0.1
Dayanand Shanmugham
 
DevSecOps: Bringing security to the DevOps pipeline
DevSecOps: Bringing security to the DevOps pipelineDevSecOps: Bringing security to the DevOps pipeline
DevSecOps: Bringing security to the DevOps pipeline
Aarno Aukia
 
Containers - Transforming the data centre as we know it 2016
Containers - Transforming the data centre as we know it 2016Containers - Transforming the data centre as we know it 2016
Containers - Transforming the data centre as we know it 2016
Keith Lynch
 
Docker 101
Docker 101Docker 101
Docker 101
Lâm Đào
 
Docker Basic to Advance
Docker Basic to AdvanceDocker Basic to Advance
Docker Basic to Advance
Paras Jain
 
Docker - A high level introduction to dockers and containers
Docker - A high level introduction to dockers and containersDocker - A high level introduction to dockers and containers
Docker - A high level introduction to dockers and containers
Dr Ganesh Iyer
 
Docker in pratice -chenyifei
Docker in pratice -chenyifeiDocker in pratice -chenyifei
Docker in pratice -chenyifei
dotCloud
 
Docker introduction
Docker introductionDocker introduction
Docker introduction
Julien Maitrehenry
 
Where and When to Docker
Where and When to DockerWhere and When to Docker
Where and When to Docker
dantheelder
 

Similar to Docker Containers Security (20)

Strategy, planning and governance for enterprise deployments of containers - ...
Strategy, planning and governance for enterprise deployments of containers - ...Strategy, planning and governance for enterprise deployments of containers - ...
Strategy, planning and governance for enterprise deployments of containers - ...
The Incredible Automation Day
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container security
Volodymyr Shynkar
 
Docker Security and Content Trust
Docker Security and Content TrustDocker Security and Content Trust
Docker Security and Content Trust
ehazlett
 
DevSecCon Lightning 2021- Container defaults are a hackers best friend
DevSecCon Lightning 2021- Container defaults are a hackers best friendDevSecCon Lightning 2021- Container defaults are a hackers best friend
DevSecCon Lightning 2021- Container defaults are a hackers best friend
Eric Smalling
 
Are Your Containers as Secure as You Think?
Are Your Containers as Secure as You Think?Are Your Containers as Secure as You Think?
Are Your Containers as Secure as You Think?
DevOps.com
 
DCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at NetflixDCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at Netflix
Docker, Inc.
 
Why should developers care about container security?
Why should developers care about container security?Why should developers care about container security?
Why should developers care about container security?
Eric Smalling
 
Finding Your Way in Container Security
Finding Your Way in Container SecurityFinding Your Way in Container Security
Finding Your Way in Container Security
Ksenia Peguero
 
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly DavidoffDevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon
 
Containers and Security for DevOps
Containers and Security for DevOpsContainers and Security for DevOps
Containers and Security for DevOps
Salesforce Engineering
 
Container Stranger Danger - Why should devs care about container security
Container Stranger Danger - Why should devs care about container securityContainer Stranger Danger - Why should devs care about container security
Container Stranger Danger - Why should devs care about container security
Eric Smalling
 
Why Should Developers Care About Container Security?
Why Should Developers Care About Container Security?Why Should Developers Care About Container Security?
Why Should Developers Care About Container Security?
All Things Open
 
ATO 2022 - Why should devs care about container security.pdf
ATO 2022 - Why should devs care about container security.pdfATO 2022 - Why should devs care about container security.pdf
ATO 2022 - Why should devs care about container security.pdf
Eric Smalling
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container security
John Kinsella
 
Contain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceContain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidence
Black Duck by Synopsys
 
Docker container security
Docker container securityDocker container security
Docker container security
Thoughtworks
 
Python Web Conference 2022 - Why should devs care about container security.pdf
Python Web Conference 2022 - Why should devs care about container security.pdfPython Web Conference 2022 - Why should devs care about container security.pdf
Python Web Conference 2022 - Why should devs care about container security.pdf
Eric Smalling
 
5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond
Black Duck by Synopsys
 
Finding Your Way in Container Security
Finding Your Way in Container SecurityFinding Your Way in Container Security
Finding Your Way in Container Security
Ksenia Peguero
 
Building a Secure App with Docker - Ying Li and David Lawrence, Docker
Building a Secure App with Docker - Ying Li and David Lawrence, DockerBuilding a Secure App with Docker - Ying Li and David Lawrence, Docker
Building a Secure App with Docker - Ying Li and David Lawrence, Docker
Docker, Inc.
 
Strategy, planning and governance for enterprise deployments of containers - ...
Strategy, planning and governance for enterprise deployments of containers - ...Strategy, planning and governance for enterprise deployments of containers - ...
Strategy, planning and governance for enterprise deployments of containers - ...
The Incredible Automation Day
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container security
Volodymyr Shynkar
 
Docker Security and Content Trust
Docker Security and Content TrustDocker Security and Content Trust
Docker Security and Content Trust
ehazlett
 
DevSecCon Lightning 2021- Container defaults are a hackers best friend
DevSecCon Lightning 2021- Container defaults are a hackers best friendDevSecCon Lightning 2021- Container defaults are a hackers best friend
DevSecCon Lightning 2021- Container defaults are a hackers best friend
Eric Smalling
 
Are Your Containers as Secure as You Think?
Are Your Containers as Secure as You Think?Are Your Containers as Secure as You Think?
Are Your Containers as Secure as You Think?
DevOps.com
 
DCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at NetflixDCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at Netflix
Docker, Inc.
 
Why should developers care about container security?
Why should developers care about container security?Why should developers care about container security?
Why should developers care about container security?
Eric Smalling
 
Finding Your Way in Container Security
Finding Your Way in Container SecurityFinding Your Way in Container Security
Finding Your Way in Container Security
Ksenia Peguero
 
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly DavidoffDevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon
 
Containers and Security for DevOps
Containers and Security for DevOpsContainers and Security for DevOps
Containers and Security for DevOps
Salesforce Engineering
 
Container Stranger Danger - Why should devs care about container security
Container Stranger Danger - Why should devs care about container securityContainer Stranger Danger - Why should devs care about container security
Container Stranger Danger - Why should devs care about container security
Eric Smalling
 
Why Should Developers Care About Container Security?
Why Should Developers Care About Container Security?Why Should Developers Care About Container Security?
Why Should Developers Care About Container Security?
All Things Open
 
ATO 2022 - Why should devs care about container security.pdf
ATO 2022 - Why should devs care about container security.pdfATO 2022 - Why should devs care about container security.pdf
ATO 2022 - Why should devs care about container security.pdf
Eric Smalling
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container security
John Kinsella
 
Contain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceContain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidence
Black Duck by Synopsys
 
Docker container security
Docker container securityDocker container security
Docker container security
Thoughtworks
 
Python Web Conference 2022 - Why should devs care about container security.pdf
Python Web Conference 2022 - Why should devs care about container security.pdfPython Web Conference 2022 - Why should devs care about container security.pdf
Python Web Conference 2022 - Why should devs care about container security.pdf
Eric Smalling
 
5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond
Black Duck by Synopsys
 
Finding Your Way in Container Security
Finding Your Way in Container SecurityFinding Your Way in Container Security
Finding Your Way in Container Security
Ksenia Peguero
 
Building a Secure App with Docker - Ying Li and David Lawrence, Docker
Building a Secure App with Docker - Ying Li and David Lawrence, DockerBuilding a Secure App with Docker - Ying Li and David Lawrence, Docker
Building a Secure App with Docker - Ying Li and David Lawrence, Docker
Docker, Inc.
 
Ad

Recently uploaded (20)

Big Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur MorganBig Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur Morgan
Arthur Morgan
 
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc
 
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptxIncreasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Anoop Ashok
 
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
Alan Dix
 
Linux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdfLinux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdf
RHCSA Guru
 
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
BookNet Canada
 
Procurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptxProcurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptx
Jon Hansen
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded DevelopersLinux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Toradex
 
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
SOFTTECHHUB
 
AI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global TrendsAI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global Trends
InData Labs
 
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven InsightsAndrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell
 
Role of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered ManufacturingRole of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered Manufacturing
Andrew Leo
 
How analogue intelligence complements AI
How analogue intelligence complements AIHow analogue intelligence complements AI
How analogue intelligence complements AI
Paul Rowe
 
Build Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For DevsBuild Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For Devs
Brian McKeiver
 
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdfThe Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
Abi john
 
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep DiveDesigning Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
ScyllaDB
 
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager APIUiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPathCommunity
 
What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...
Vishnu Singh Chundawat
 
Technology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data AnalyticsTechnology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data Analytics
InData Labs
 
Big Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur MorganBig Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur Morgan
Arthur Morgan
 
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc
 
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptxIncreasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Anoop Ashok
 
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
Alan Dix
 
Linux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdfLinux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdf
RHCSA Guru
 
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
BookNet Canada
 
Procurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptxProcurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptx
Jon Hansen
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded DevelopersLinux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Toradex
 
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
SOFTTECHHUB
 
AI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global TrendsAI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global Trends
InData Labs
 
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven InsightsAndrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell
 
Role of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered ManufacturingRole of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered Manufacturing
Andrew Leo
 
How analogue intelligence complements AI
How analogue intelligence complements AIHow analogue intelligence complements AI
How analogue intelligence complements AI
Paul Rowe
 
Build Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For DevsBuild Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For Devs
Brian McKeiver
 
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdfThe Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
Abi john
 
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep DiveDesigning Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
ScyllaDB
 
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager APIUiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPathCommunity
 
What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...
Vishnu Singh Chundawat
 
Technology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data AnalyticsTechnology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data Analytics
InData Labs
 
Ad

Docker Containers Security

  • 1. Security in the Container World Stéphane Woillez Technical Lead South Europe Docker Inc.
  • 2. From basic security to end to end secured operations…. • Different aspects of containers security • Container ARE secure • There are containers and containers • Secure the infrastructure • Secure the content • Secure the access Containers are Polymorphic entities that require a combined security approach 2
  • 3. The security of Docker environments covers 3 aspects + + Secure Platform Secure Content Secure Access Strong isolation and secure by default Authentication, authorization and access control Content integrity and trust • Does not hinder speed or creativity • Accelerate secure development For Developers For IT ops • Flexible and granular controls • Proactive risk management A secure platform, running secured content, managed with security constraints
  • 4. Containers Security Basics Containers are secure Understand containers to know how to secure them
  • 5. State of the union : Containers are secure ! • Isolation of containers with NameSpaces • Resource Usage Limits with CGroups • Admin rights control with LibCap • Kernel protection with AppArmor, SELinux or Seccomp • Prevent Compromising with immutable image layers • Limit attack surface with Images built best practices Readonly Readonly Readonly Install only the required libraries in images Even the more secured environment, if poorly managed, can be compromised 5
  • 6. Containers are polymorphic entities (micro)Service Container Virtual Machine Container The container hosts a few number of processes It executes a single task, in general a simple one It is one element of a larger application The container runs a large number of processes It executes a complex activity It is a whole application
  • 7. Different behaviors need different management approaches Type of Container Service Virtual Machine Content Few processes A whole application Size Few mega bytes Hundreds of mega bytes, even giga bytes Lifespan Short, sometimes a few milliseconds Days / Weeks / Months Patchs Never On a regular basis (by stop/start) Storage None Regular (via volumes) Monitoring Service availability (not the container) Regular Access Never Regular for control, debug… Backup Never Application Data Security BEFORE execution Regular via Antimalware & Intrusion Detection
  • 8. Secure the infrastructure Security of the engine What about intrusion detection ?
  • 9. Security of the Engine • Install & configure kernel protection using AppArmor, SELinux or Seccomp • Prevent root access to clusters, to ensure no one can disable protection • Limit the installed packages on host to reduce risk • Use a tool like DockerBench for Security to assess and fix the configuration of hosts • On clusters, configure certificates rotation for TLS sessions Configure, control, and test… 9
  • 10. Detection of intrusions and abnormal activities • Very early stage. Attacks adapted to containers still to be developed. Risk low for Micro Services Apps • The security approach depends on the type of containers managed • For « Virtual Machines » containers o Well, everything works like in VMs o Host based Intrusion detection o Anti malware • For « Services » containers o Containers may live for only milliseconds o Vulnerability assessment BEFORE execution What the hell are you doing inside my Docker cluster ? 10
  • 11. What Docker brings to secure the infrastructure • Cryptographic node identity • Out of the box TLS • Integrated Seamless PKI • Automatic certificates rotation • External CA integration • Integration with 3rd party vendors Manager Node Certificate Authority TLS Manager Node Certificate Authority TLS Manager Node Certificate Authority TLS Worker TLS Worker TLS Worker TLS
  • 12. Secure the content Docker image management Content trust Secrets Management
  • 13. Image Management • Hub Images or my private images ? o Allow developers to use hub images locally o Deny uncontrolled images on clusters • Build your own base images o Tar the content of a chroot dir and use “scratch” o Look for examples in the Docker Hub • Reduce the size of images layers using multi stage builds • Tagging o LATEST is your enemy in production o Favor major versions, update using minors o Some use extra tags like DEV,INTEGRATION... FROM scratch ADD <chroot_dir or tar file> / CMD ["/bin/bash"] Docker HUB Trusted Registry Image quality is key to many aspects of Docker : security, efficiency, shareability… 13
  • 14. Content trust : Run only trusted images • Clusters should only run trusted images • Images should pass security validation before been granted for production • Digital signing of images ensure trust. Engines do not create containers from unsigned images • Sophisticated signing policies can be used for different purposes : o Implement a validation chain o Ensure all security tests have been applied o Involve the responsibility of image providers Don’t open the Pandora’s box, unless you know exactly what it contains 14
  • 15. • Management – Separation between the application and the secrets it handles – Exposed to a container at execution time • Authorization – Not all admins should access secrets • Delivery – Encryption at every step of the process – Protection from unauthorized access • Auditing – Each user request for secret access must be logged for auditing WorkerWorker Manager Internal DistributedStore Raft Consensus Group ManagerManager Worker External App Web UI Secrets Management for Applications Separate applications secrets from the actual code of the application
  • 16. What Docker brings to secure the content • Private Registries • Content trust • Image Signing • Image Scanning • Read Only repositories • Secrets Management tag = “latest” personal/hello-world dev/hello-world No ‘critical’ or ‘major’ vulnerabilities qa/hello-world
  • 17. Secure the operations Authentication & access control Multi tenancy
  • 18. Authentication and Access Control • Basic Security – Access the Docker cluster without ROOT privileges – Secure every administration channel • Authentication – Manage users by groups and organizations – Delegate authentication to external directory • Access Control – Map Docker Admin roles to existing roles – Admins only see what they are entitled to • Auditing – Each Admin action must be logged for auditing Node Worker Node Worker Node Worker Node Worker ProdDev Dev Team A Dev Team B SecOpsOps Team PHI
  • 19. Multi tenancy • Do not mix up platform multi tenancy and application multi tenancy • Two main usage of Multi Tenancy : o Isolate users/apps from others o Protect environments from unauthorized users ▪ Production vs Other environments • Several combined technics allows multi tenancy : o Authentication (not only for users) o Role based access control o Isolation of compute resources (pros & cons) o Resource usage limits (ensure they are set) Ensure & control good relationship between neighbors 19
  • 20. What Docker brings to secure the operations • Authentication • Integration with AD/LDAP • Access Control • Role Segregation • Advanced Customization • Multi Tenancy
  • 22. Conclusion • Containers are secure • 3+ years of experience in production • Like any other environment, security best practices are required • New technologies means new approaches to security (VM vs Services) 22