Get My Score

Docker/Kubernetes

Continuous Security Assessment for the Docker/Kubernetes Ecosystem

 

Cavirin is taking a leadership role securing the container lifecycle, including co-authoring both Docker and Kubernetes Security Benchmarks, OS hardening of containers as well as registry and Docker image scanning.

Continuous Visibility

Cavirin's automated Docker image scanning looks at and assess all things within the actual Docker image, including security baselines and whether the system is patched, and can play an important role in the CI/CD pipeline. This is critical, since about a third of all container images found in public or even private registries have vulnerabilities.

Unsurpassed Security

OS hardening of the full containerized infrastructure stack removes security holes and unnecessary/corrupt images to provide unsurpassed security in addition to improving container performance.

Advanced Compliance

Cavirin was a key contributor of the CIS Docker v17.06 Benchmark and has embedded the core security guidelines into their platform along with other security and industry compliance frameworks (e.g HIPAA, PCI, SOC2 and NIST).



Cavirin's Steps to Full-Stack Container Security

At Cavirin, we take this full-stack security approach to container security, starting with the cloud service provider (though we support on-premise deployments), then the host OS or hypervisor (if deployed), next the container itself, both at-rest and in production, the images that make up the container, and finally, orchestration. APIs integrate with your choice of CI/CD toolset. We apply our protection, monitoring, and response capabilities to these different domains (prediction coming soon). Here are the steps we recommend:

    • Harden your images via the CIS Docker Benchmark as well as patches and vulnerabilities. Our solution supports both public and private registries.
    • Secure your container hosts and VMs via the CIS Benchmark as well as any OS-specific guidelines, frameworks, and best-practices such as NIST and PCI.
    • Harden your orchestration layer via a combination of the CIS Kubernetes Benchmark and monitoring.
    • In parallel with the above, harden your CSP environment via active monitoring (i.e, AWS CloudTrail), application of relevant benchmarks, and network policy enforcement.
    • Also in parallel with the above, add security as a promotion criteria to your CI/CD pipeline.

container security - full-stack

The Container Ecosystem 

Why Full-Stack Security Makes Sense

Container security extends into all aspects of the building blocks that make up the container ecosystem, and not just to the well-known registries like Docker or those offered within the cloud service providers. Securing a container deployment may include best practices for companies supporting: the developer workspace, continuous integration, build automation, testing frameworks, release automation, and operations tools. And, container security is critical, now more than ever, as greater numbers are deployed in production environments.

At Cavirin, borrowing a term from software development, we call our approach ‘full-stack’ container security. This implies that you need to look at all layers of the container environment (cloud, virtualization, operating system, container runtime, and orchestration), taking both a vertical and horizontal security approach. However, containers can’t be secured in isolation. The overall security posture of the hybrid cloud is critical, and this includes both the workloads as well as the cloud account and services.  Get all the details in this newest eGuide on why Full Stack Container Security makes sense.


Download eGuide

© 2018 Cavirin Systems, Inc. All rights reserved.