Docker Container Security: Challenges and Best Practices

Docker’s massive adoption rates in recent years have made container security a critical consideration for organizations that use containers for development or production. Given that containers are more complex in many respects than virtual machines and other deployment technologies that were widely used before Docker, learning how to secure Docker containers can be complex as well.

In this article, we offer an overview of Docker container security. We explain why securing Docker containers is challenging, which default settings in a Docker environment you should change in order to make your containers more secure, and which best practices to follow when monitoring your containers for security.

The challenge of Docker container security

Before Docker, most organizations used virtual machines or bare-metal servers to host applications. From a security perspective, these technologies are relatively simple. You need to focus on just two layers (the host environment and the application) when hardening your deployment and monitoring for security-relevant events. You also typically do not need to worry much about APIs, overlay networks or complex software-defined storage configurations, because these are not usually a major part of virtual-machine or bare-metal deployments.

Docker container security is more complicated, largely because a typical Docker environment has many more moving parts. Those parts include:

  • Your containers. You probably have multiple Docker container images, each hosting an individual microservice, and multiple instances of each image running at any given time. Each of those images and instances needs to be secured and monitored separately.

  • The Docker daemon, which needs to be secured to keep the containers it hosts safe.

  • The host server, which could be bare metal or a virtual machine.

  • If you host your containers in the cloud using a service (Read more…)

*** This is a Security Bloggers Network syndicated blog from Blog – WhiteSource authored by Gabriel Avner. Read the original post at: