Continuous Security Assessment for the Docker/Kubernetes Ecosystem
Cavirin is taking a leadership role in securing the container lifecycle: it co-authored both the Docker and Kubernetes Security Benchmarks, hardens the OS of containers running in the cloud (AWS, Azure, and Google), and scans registries and Docker images.
Continuous Visibility
Cavirin's automated Docker container security scanning inspects and assesses everything inside the actual Docker image, including security baselines and whether the system is patched, and can play an important role in the CI/CD pipeline. This is critical since about a third of all container images found in public or even private registries have vulnerabilities.
Unsurpassed Security
OS hardening of the full containerized infrastructure stack removes security holes and unnecessary/corrupt images to provide unsurpassed security in addition to improving container performance.
Advanced Compliance
Cavirin was a key contributor to the CIS Docker v17.06 Benchmark and has embedded its core security guidelines into the platform along with other security and industry compliance frameworks (e.g. HIPAA, PCI, SOC 2 and NIST).
Cavirin's Steps to Full-Stack Container Security
At Cavirin, we take this full-stack security approach to container security, starting with the cloud service provider (though we support on-premise deployments), then the host OS or hypervisor (if deployed), next the container itself, both at-rest and in production, the images that make up the container, and finally, orchestration. APIs integrate with your choice of CI/CD toolset. We apply our protection, monitoring, and response capabilities to these different domains (prediction coming soon). Here are the steps we recommend:
- Harden your images via the CIS Docker Benchmark as well as patches and vulnerabilities. Our solution supports both public and private registries.
- Secure your container hosts and VMs via the CIS Benchmark as well as any OS-specific guidelines, frameworks, and best-practices such as NIST and PCI.
- Harden your Google Kubernetes orchestration layer via a combination of the CIS Kubernetes Benchmark and monitoring.
- In parallel with the above, harden your CSP environment via active monitoring (e.g., AWS CloudTrail), application of relevant benchmarks, and network policy enforcement.
- Also in parallel with the above, add security as a promotion criterion in your CI/CD pipeline.
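As an added illustration of the last two steps (this is not Cavirin's code, and the report format, image name and finding IDs are constructed for the example), a minimal promotion gate a CI/CD stage could run over an image's vulnerability scan and CIS Docker Benchmark results: promotion is blocked on any critical or high vulnerability that has not been explicitly risk-accepted, and on more benchmark failures than the policy allows.

```python
"""CI/CD promotion gate (added example; report structure is constructed, not a real scanner's)."""
import json

# Severities that block promotion unless the finding is explicitly risk-accepted.
BLOCKING_SEVERITIES = {"critical", "high"}

# Constructed sample report for one image. IDs and versions are illustrative placeholders.
SAMPLE_REPORT = {
    "image": "registry.example.com/app:1.4.2",
    "vulnerabilities": [
        {"id": "VULN-EXAMPLE-1", "severity": "critical", "package": "openssl",
         "installed_version": "1.1.1j", "fixed_version": "1.1.1k"},
        {"id": "VULN-EXAMPLE-2", "severity": "medium", "package": "curl",
         "installed_version": "7.64.0", "fixed_version": None},
    ],
    "cis_docker_benchmark": [
        {"id": "4.1", "title": "Create a user for the container", "status": "FAIL"},
        {"id": "4.6", "title": "Add HEALTHCHECK instruction", "status": "PASS"},
    ],
}


def evaluate_promotion(report, max_benchmark_failures=0, accepted=frozenset()):
    """Return a decision dict: promote (bool) plus the human-readable reasons for a block.

    `accepted` holds finding IDs with a recorded risk acceptance; they are skipped so the
    gate can stay strict without forcing every pipeline to fail on a known, tracked item.
    """
    reasons = []
    for vuln in report.get("vulnerabilities", []):
        if vuln["id"] in accepted or vuln.get("severity", "").lower() not in BLOCKING_SEVERITIES:
            continue
        fix = vuln.get("fixed_version")
        hint = f"patch to {fix}" if fix else "no fix available; needs a recorded exception"
        reasons.append(f"{vuln['id']} ({vuln['severity']}) in {vuln['package']}: {hint}")
    failed = [c for c in report.get("cis_docker_benchmark", []) if c.get("status") == "FAIL"]
    if len(failed) > max_benchmark_failures:
        reasons.extend(f"CIS Docker Benchmark {c['id']} failed: {c['title']}" for c in failed)
    return {"image": report.get("image"), "promote": not reasons, "reasons": reasons}


if __name__ == "__main__":
    decision = evaluate_promotion(SAMPLE_REPORT)
    print(json.dumps(decision, indent=2))
    # Non-zero exit is what makes the pipeline stage refuse to promote the image.
    raise SystemExit(0 if decision["promote"] else 1)
```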
The Container Ecosystem
Why Full-Stack Security Makes Sense
Container security extends into all aspects of the building blocks that make up the container ecosystem, not just the well-known registries like Docker or those offered by the cloud service providers. Securing a container deployment may include best practices for companies supporting the developer workspace, continuous integration, build automation, testing frameworks, release automation, and operations tools. Container security is more critical now than ever, as greater numbers of containers are deployed in production environments.
At Cavirin, borrowing a term from software development, we call our approach 'full-stack' container security. This means looking at all layers of the container environment (cloud, virtualization, operating system, container runtime, and orchestration), taking both a vertical and a horizontal security approach. Containers can't be secured in isolation; standalone "Docker security" doesn't work. The overall security posture of the hybrid cloud is critical, and this includes both the workloads and the cloud account and services. Get all the details in this newest eGuide on why Full Stack Container Security makes sense.
Docker Container Security Concerns - Where Cavirin Can Help
Containers help organizations pack applications into images (or builds) and deploy them on any host running a Docker daemon, narrowing the exposure surface. However, Docker security is not a simple task, as the system has three separate elements: the Docker host, the Docker daemon, and the image running as a container. Here are some concerns with Docker security and areas where Cavirin can help:
- Popular Docker images have many vulnerabilities
- All containers are subject to kernel exploit/vulnerability
- Security is at best as good as the host security
- Access control is traditionally too wide on its own
- Isolation between containers (east-west attacks)
- Isolation from the host (cgroups, namespaces)
- Security must be integrated into cluster management
- Security must be automated
- Not constructed to meet cloud, virtual machine, and container compliance requirements