As part of a three-part series on incorporating security into the container environment, I’ve talked all about containers and how to inject security into the pipeline. Let’s now discuss tips on how to secure the container stack.

What Do I Mean by “Stack”?

What I’m calling the stack in this case refers to all of the layers or components involved with a running container on a Host system. This means securing the platform itself, whether that’s your AWS or Azure environment; securing the Host OS running on that platform, such as Alpine Linux; securing the container technology itself, including the Docker daemon and the Docker container runtime; and all the way down to creating secure container images and the Dockerfiles that build them.

The Platform

Securing the platform means ensuring that your AWS or Azure accounts are configured securely. You should ideally use an automated assessment tool that can continually assess your accounts to ensure they are in compliance with best practices and standards. In the case of AWS, there is a CIS Amazon Web Services Foundations policy available that you can use as a guideline.

Verizon’s recent data breach, which exposed the personal data of 6 million of their customers online, was caused by a misconfigured S3 bucket that left it publicly accessible. This really illustrates the idea that just one simple misconfiguration of your cloud platform can cause catastrophic compromises to the services and data you have hosted there.
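The kind of check an automated assessment tool runs for this is simple enough to show in full. The script below is an added example (it is not code from the original post, from CIS, or from AWS); it evaluates a bucket's ACL and its bucket policy, the two places an S3 bucket can be opened to the world, and reports anything that grants access to everyone. The bucket names, owner ID, account number and role name in the samples are constructed placeholders. On a real account you would pass each bucket's `aws s3api get-bucket-acl` output and the `Policy` string returned by `aws s3api get-bucket-policy`.

```python
"""Offline check for public exposure in S3 bucket ACLs and bucket policies.

Added example, not from the original post or from the CIS benchmark itself. It
implements the spirit of the CIS AWS Foundations recommendation that no bucket
grant read access to everyone. The bucket definitions at the bottom are
constructed samples.
"""
import json

# Group URIs that mean "anyone on the internet" and "any AWS account".
PUBLIC_ACL_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def acl_public_grants(acl):
    """Return (grantee_uri, permission) pairs that expose the bucket via its ACL."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GRANTEES:
            findings.append((grantee["URI"], grant.get("Permission")))
    return findings


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy_json):
    """Return the Sid (or index) of every Allow statement open to any principal.

    Statements with a Condition block are still reported: a condition such as
    aws:SecureTransport limits how the bucket is reached, not who can reach it,
    so a human should review it rather than the script silently trusting it.
    """
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without a list
        statements = [statements]
    findings = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") == "Allow" and _principal_is_public(stmt.get("Principal")):
            findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings


def assess_bucket(name, acl, policy_json=None):
    """Combine both checks into one verdict for a bucket."""
    issues = [f"ACL grants {perm} to {uri}" for uri, perm in acl_public_grants(acl)]
    if policy_json:
        issues += [f"policy statement '{sid}' allows Principal '*'"
                   for sid in policy_public_statements(policy_json)]
    return {"bucket": name, "public": bool(issues), "issues": issues}


# --- constructed samples: one bucket misconfigured the way the post describes, one private ---
OWNER = {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"}
EXPOSED_ACL = {
    "Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ]
}
PRIVATE_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}

PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-exports-example/*"}],
})
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "ExportReaderOnly", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/ExportReader"},
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-exports-example/*"}],
})


def run_samples():
    """Assess both constructed buckets; used by the demo below."""
    return [
        assess_bucket("customer-exports-example", EXPOSED_ACL, PUBLIC_POLICY),
        assess_bucket("internal-builds-example", PRIVATE_ACL, RESTRICTED_POLICY),
    ]


if __name__ == "__main__":
    for result in run_samples():
        status = "PUBLIC" if result["public"] else "ok"
        print(f'{result["bucket"]}: {status}')
        for issue in result["issues"]:
            print("  -", issue)
```

Run it on a schedule across every bucket in the account and treat any `public` result as a page, not a ticket: the exposure in the Verizon case was exactly one grant of this kind. Checks like this complement, rather than replace, the account-level S3 Block Public Access setting, because they also tell you which statement or grant opened the bucket.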

The Host OS

While it’s probably not surprising to know you need to secure the Host OS that the containers are running on, it’s critical all the same.

To reduce the attack surface as much as possible, your Host OS should be designed for the singular purpose of running containers. It should be lean. That means no services running and no
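A quick way to verify that a host really is lean is to compare what is listening on it against the short list of things you intend to be there. The script below is an added example, not code from the original post: it parses the output of the iproute2 `ss -H -tulpn` command (`-H` drops the header row), flags every listening process that is not on an allow-list, and flags allowed services that are bound to a non-loopback address when they should only serve the host itself. The allow-list and the sample `ss` rows are constructed for the example; `audit_host()` runs the same logic against the live machine.

```python
"""Audit listening sockets on a container host against an allow-list.

Added example, not from the original post. A host whose only job is running
containers should expose nothing beyond what you deliberately allow, so any
other listener is a finding. SAMPLE_SS_OUTPUT below is constructed.
"""
import re
import subprocess

# Assumed allow-list for the example: process name -> whether it may bind to
# non-loopback addresses. Everything not listed here is reported.
ALLOWED_LISTENERS = {
    "sshd": {"external": True},
    "systemd-resolve": {"external": False},  # stub resolver must stay on loopback
}

# Matches the process column, e.g. users:(("sshd",pid=812,fd=3))
_PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')
LOOPBACK_PREFIXES = ("127.", "[::1]", "::1")


def parse_ss_line(line):
    """Turn one `ss -H -tulpn` row into a dict, or None for blank/odd rows."""
    fields = line.split()
    if len(fields) < 5:
        return None
    netid, state, _recvq, _sendq, local = fields[:5]
    addr, _, port = local.rpartition(":")
    addr = addr.split("%")[0]  # strip the interface scope, e.g. 127.0.0.53%lo
    proc = _PROC_RE.search(line)
    return {
        "proto": netid,
        "state": state,
        "addr": addr,
        "port": int(port),
        "process": proc.group(1) if proc else "?",
        "pid": int(proc.group(2)) if proc else None,
    }


def is_loopback(addr):
    return addr.startswith(LOOPBACK_PREFIXES)


def audit_listeners(ss_output, allowed=ALLOWED_LISTENERS):
    """Return findings: listeners not on the allow-list, or bound more widely than allowed."""
    findings = []
    for line in ss_output.splitlines():
        entry = parse_ss_line(line)
        if not entry:
            continue
        where = (f'{entry["proto"]} {entry["addr"]}:{entry["port"]} '
                 f'({entry["process"]}, pid {entry["pid"]})')
        rule = allowed.get(entry["process"])
        if rule is None:
            findings.append(f"unexpected listener: {where}")
        elif not rule["external"] and not is_loopback(entry["addr"]):
            findings.append(f"allowed service bound to non-loopback address: {where}")
    return findings


def audit_host():
    """Run the audit against the live host (needs iproute2's ss and, for PIDs, root)."""
    out = subprocess.run(["ss", "-H", "-tulpn"], capture_output=True, text=True, check=True).stdout
    return audit_listeners(out)


# Constructed sample of what a not-so-lean host might show: a print spooler and
# the portmapper have no business on a box that only runs containers.
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
udp   UNCONN 0      0      127.0.0.53%lo:53        0.0.0.0:*    users:(("systemd-resolve",pid=521,fd=12))
tcp   LISTEN 0      128          0.0.0.0:631       0.0.0.0:*    users:(("cupsd",pid=990,fd=7))
tcp   LISTEN 0      4096         0.0.0.0:111       0.0.0.0:*    users:(("rpcbind",pid=430,fd=4))
"""

if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_SS_OUTPUT):
        print(finding)
```

Each finding is either a service to remove from the image or an entry to add to the allow-list after someone has justified it; a minimal container host image such as the one the post describes should produce an empty list.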