As the DevOps community looks to descend upon Vegas for the AWS re:Invent conference, I am reminded of some of the all-time great quotes from Vegas-themed movies. Who can’t love the 1996 movie Swingers with Vince Vaughn and Jon Favreau? One of the best one-liners was “You’re so money and you don’t even know it!”

Vaughn constantly reminded the often-deflated Favreau about his lack of self-esteem when it comes to the opposite sex. When it comes to investing in cybersecurity, it IS your money and you absolutely need to know where it is going. Those investments have to adequately reduce your information security risk or attackers will take your money and you won’t even know it. In fact, they should help reduce your cost of deploying safe and sound information technology platforms.

Vegas will be swarming with many DevOps fans as well as Vince Vaughn and Jon Favreau fans, myself included! They will also be heavily discussing the use of “containers” to further accelerate their development activities both on-premises and in the cloud. However, containers should be deployed with great care, and security and compliance need to be top of mind.

The Docker CIS Benchmark (v1.6 April 29th, 2015) represents a high-quality, evolutionary shift in container management by enabling standardized, secure configuration of Docker containers. However, this could lead an IT administrator to the false conclusion that implementing the benchmark means the deployment is also fully compliant. The benchmark does an outstanding job advising on a secure container solution, but we’re seeing IT demand for guidance to ‘measure the unmeasurable’ and ensure containerized services are compliant end-to-end.

Several key areas affecting compliance are not currently scored within the benchmark, or do not reflect more modern DevOps models (e.g. don’t use development tools in production). These unsecured elements have a material impact on PCI, HIPAA, ISO, FedRAMP, and many other industry standards & certifications. For the baseline to maximize its value to IT, the benchmark should be expanded to measure the currently unsecured elements. These measurements may be fed by host and image configuration details, and through a cloud provider’s APIs & tools. I hope everyone secured their seat for the sold-out AWS re:Invent conference, where you’ll find Amazon’s solutions to measure many of these elements. We will be there and containers will be a hot topic of discussion for us.

Docker CIS Benchmark Unscored Elements:

  • Development Tools in Production
  • Hardened Container Host
  • Non-Essential Services
  • Docker Up-to-Date
  • Use Trusted Base Images for Containers
  • Do Not Install Unnecessary Packages in the Container
  • Rebuild the Images to include Security Patches
  • Do not Directly Expose Host Devices to Containers
  • Override Default Ulimit at runtime only if Needed
  • Perform Regular Security Audits of host System and Containers
  • Monitor Docker Containers
  • EPP Tools for Containers
  • Backup Container Data
  • Centralized Remote Log Collection Service
  • Image Sprawl
  • Container Sprawl

Cavirin will be actively involved in the benchmark’s established security metrics consensus process, which serves to improve existing guidance through objective industry feedback. Stay tuned for benchmark inclusion status within our ARAP (Automated Risk Analysis Platform), and future product developments at http://www.cavirin.com.