1. Security in the Container World
Stéphane Woillez
Technical Lead South Europe
Docker Inc.

2. From basic security to end to end secured operations….
• Different aspects of containers security
• Container ARE secure
• There are containers and containers
• Secure the infrastructure
• Secure the content
• Secure the access
Containers are Polymorphic entities that require a combined security approach
2

3. The security of Docker environments covers 3 aspects
+ +
Secure
Platform
Secure
Content
Secure
Access
Strong isolation and
secure by default
Authentication,
authorization and
access control
Content integrity and
trust
• Does not hinder speed or creativity
• Accelerate secure development
For Developers For IT ops
• Flexible and granular controls
• Proactive risk management
A secure platform, running secured content, managed with security constraints

4. Containers Security Basics
Containers are secure
Understand containers to know how to secure them

5. State of the union : Containers are secure !
• Isolation of containers with NameSpaces
• Resource Usage Limits with CGroups
• Admin rights control with LibCap
• Kernel protection with AppArmor,
SELinux or Seccomp
• Prevent Compromising with immutable
image layers
• Limit attack surface with Images built best
practices
Readonly
Readonly
Readonly
Install only the required libraries in images
Even the more secured environment, if poorly managed, can be compromised
5

6. Containers are polymorphic entities
(micro)Service
Container
Virtual Machine
Container
The container hosts a few
number of processes
It executes a single task,
in general a simple one
It is one element of a
larger application
The container runs a large
number of processes
It executes a complex
activity
It is a whole application

7. Different behaviors need different management approaches
Type of Container Service Virtual Machine
Content Few processes A whole application
Size Few mega bytes Hundreds of mega bytes, even giga bytes
Lifespan Short, sometimes a few milliseconds Days / Weeks / Months
Patchs Never On a regular basis (by stop/start)
Storage None Regular (via volumes)
Monitoring Service availability (not the container) Regular
Access Never Regular for control, debug…
Backup Never Application Data
Security BEFORE execution Regular via Antimalware & Intrusion Detection

8. Secure the infrastructure
Security of the engine
What about intrusion detection ?

9. Security of the Engine
• Install & configure kernel protection using
AppArmor, SELinux or Seccomp
• Prevent root access to clusters, to ensure no one
can disable protection
• Limit the installed packages on host to reduce risk
• Use a tool like DockerBench for Security to assess
and fix the configuration of hosts
• On clusters, configure certificates rotation for TLS
sessions
Configure, control, and test…
9

10. Detection of intrusions and abnormal activities
• Very early stage. Attacks adapted to containers still
to be developed. Risk low for Micro Services Apps
• The security approach depends on the type of
containers managed
• For « Virtual Machines » containers
o Well, everything works like in VMs
o Host based Intrusion detection
o Anti malware
• For « Services » containers
o Containers may live for only milliseconds
o Vulnerability assessment BEFORE execution
What the hell are you doing inside my Docker cluster ?
10

11. What Docker brings to secure the infrastructure
• Cryptographic node identity
• Out of the box TLS
• Integrated Seamless PKI
• Automatic certificates rotation
• External CA integration
• Integration with 3rd party vendors
Manager Node
Certificate
Authority
TLS
Manager Node
Certificate
Authority
TLS
Manager Node
Certificate
Authority
TLS
Worker
TLS
Worker
TLS
Worker
TLS

12. Secure the content
Docker image management
Content trust
Secrets Management

13. Image Management
• Hub Images or my private images ?
o Allow developers to use hub images locally
o Deny uncontrolled images on clusters
• Build your own base images
o Tar the content of a chroot dir and use “scratch”
o Look for examples in the Docker Hub
• Reduce the size of images layers using multi
stage builds
• Tagging
o LATEST is your enemy in production
o Favor major versions, update using minors
o Some use extra tags like DEV,INTEGRATION...
FROM scratch
ADD <chroot_dir or tar file> /
CMD ["/bin/bash"]
Docker HUB Trusted Registry
Image quality is key to many aspects of Docker : security, efficiency, shareability…
13

14. Content trust : Run only trusted images
• Clusters should only run trusted images
• Images should pass security validation before been
granted for production
• Digital signing of images ensure trust. Engines do
not create containers from unsigned images
• Sophisticated signing policies can be used for
different purposes :
o Implement a validation chain
o Ensure all security tests have been applied
o Involve the responsibility of image providers
Don’t open the Pandora’s box, unless you know exactly what it contains
14

15. • Management
– Separation between the application
and the secrets it handles
– Exposed to a container at execution
time
• Authorization
– Not all admins should access secrets
• Delivery
– Encryption at every step of the
process
– Protection from unauthorized access
• Auditing
– Each user request for secret access
must be logged for auditing
WorkerWorker
Manager
Internal DistributedStore
Raft Consensus Group
ManagerManager
Worker
External
App
Web UI
Secrets Management for Applications
Separate applications secrets from the actual code of the application

16. What Docker brings to secure the content
• Private Registries
• Content trust
• Image Signing
• Image Scanning
• Read Only repositories
• Secrets Management
tag =
“latest”
personal/hello-world dev/hello-world
No ‘critical’ or ‘major’
vulnerabilities
qa/hello-world

17. Secure the operations
Authentication & access control
Multi tenancy

18. Authentication and Access Control
• Basic Security
– Access the Docker cluster without ROOT
privileges
– Secure every administration channel
• Authentication
– Manage users by groups and organizations
– Delegate authentication to external directory
• Access Control
– Map Docker Admin roles to existing roles
– Admins only see what they are entitled to
• Auditing
– Each Admin action must be logged for
auditing
Node
Worker
Node
Worker
Node
Worker
Node
Worker
ProdDev
Dev Team A Dev Team B SecOpsOps Team
PHI

19. Multi tenancy
• Do not mix up platform multi tenancy and application
multi tenancy
• Two main usage of Multi Tenancy :
o Isolate users/apps from others
o Protect environments from unauthorized users
▪ Production vs Other environments
• Several combined technics allows multi tenancy :
o Authentication (not only for users)
o Role based access control
o Isolation of compute resources (pros & cons)
o Resource usage limits (ensure they are set)
Ensure & control good relationship between neighbors
19

20. What Docker brings to secure the operations
• Authentication
• Integration with AD/LDAP
• Access Control
• Role Segregation
• Advanced Customization
• Multi Tenancy

21. Conclusion
Q&As

22. Conclusion
• Containers are secure
• 3+ years of experience in production
• Like any other environment, security best
practices are required
• New technologies means new approaches
to security (VM vs Services)
22