
The State of Container Security Today

The container security landscape is changing fast as new tools emerge and new challenges arise. Here’s a summary of the current state of container security.

To understand container security, it’s necessary first to appreciate that the container software stack has multiple layers. Each layer poses its own security challenges and calls for its own solutions.

Currently, this is what security looks like at each major layer of the container software stack:

  • Container images. Images are probably the most easily secured part of the stack. Thanks to the release earlier this year of Docker Security Scanning and CoreOS Clair, automated tools are available for checking the packages inside a container image against databases of known vulnerabilities. These scanners are not perfect, of course: they can only report vulnerabilities that are already public, and a clean scan says nothing about how the image is configured or how the container will be run. Still, they are a big improvement over manual image review.
  • Running containers. Monitoring the security of containers while they are running is more difficult. One way to do it is to collect container status data using either the docker stats command or a third-party monitoring tool, then feed that data into a data analytics platform and alert on deviations from each container’s normal behaviour. None of the tools involved in this approach was designed specifically for container security, but in the absence of a real-time threat detection system for container clusters, it is better than nothing.
  • Container registries. You need to make sure your container registries are secured if you want to prevent attackers from tampering with the images you deliver to users via registries. If you use a public registry service such as Docker Hub or Quay, you’re depending on the service provider to keep the registry secure, and on your own account credentials and access controls to keep anyone else from pushing to your repositories. If you set up your own container registry, you’ll need to do your homework to ensure that the host server is running securely.
  • Docker daemon. If an attacker is able to take control of the Docker daemon, he could do all manner of nasty things to your container environment. Unfortunately, Docker still requires the daemon to run as root, which is not ideal from a security standpoint. Bear in mind that anyone who can talk to the daemon’s socket (by default, members of the docker group) can ask it to start a container that mounts the host filesystem, so access to that socket is equivalent to root on the host: treat docker group membership as you would sudo access, and never expose the daemon on a TCP port without TLS client authentication. A system hardening tool such as SELinux (or AppArmor) can help confine the daemon and the containers it starts, too.
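As an added example of the “collect docker stats output, then analyse it” approach described for running containers (this is not code from the article or from Docker), the Python below parses the one-line-per-container output of `docker stats --no-stream --format "{{.Name}}\t{{.CPUPerc}}\t{{.MemUsage}}\t{{.NetIO}}\t{{.PIDs}}"` and compares a fresh sample against an earlier baseline, flagging pegged CPU, a jump in process count and a jump in outbound traffic. It assumes a Docker CLI whose stats command supports `--format`; the two samples are constructed, and the thresholds are assumptions to tune per workload.

```python
"""Flag suspicious resource usage from `docker stats` samples.

Added example (not from the article or from Docker): parses the
tab-separated output of

  docker stats --no-stream --format \
    "{{.Name}}\t{{.CPUPerc}}\t{{.MemUsage}}\t{{.NetIO}}\t{{.PIDs}}"

and applies simple detection rules against a baseline snapshot.
"""
import re

# Constructed samples in the format produced by the command above.
BASELINE = """\
web\t3.10%\t120MiB / 512MiB\t1.2MB / 850kB\t12
worker\t22.50%\t300MiB / 1GiB\t45MB / 3.1MB\t8
db\t5.00%\t800MiB / 2GiB\t10MB / 12MB\t40
"""

CURRENT = """\
web\t97.80%\t130MiB / 512MiB\t1.3MB / 48.2MB\t410
worker\t24.00%\t310MiB / 1GiB\t46MB / 3.2MB\t8
db\t4.80%\t790MiB / 2GiB\t10.5MB / 12.4MB\t41
"""

# docker prints decimal units for network I/O and binary units for memory.
_UNITS = {
    "B": 1, "kB": 10**3, "MB": 10**6, "GB": 10**9, "TB": 10**12,
    "KiB": 2**10, "MiB": 2**20, "GiB": 2**30, "TiB": 2**40,
}
_SIZE_RE = re.compile(r"^\s*([\d.]+)\s*([A-Za-z]+)\s*$")


def parse_size(text):
    """'1.2MB' -> 1200000 bytes. Raises ValueError on an unknown unit."""
    m = _SIZE_RE.match(text)
    if not m:
        raise ValueError("bad size: %r" % text)
    value, unit = m.groups()
    return int(round(float(value) * _UNITS[unit]))


def parse_stats(text):
    """Parse the tab-separated sample into {container_name: {field: value}}."""
    rows = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, cpu, mem, net, pids = line.split("\t")
        mem_used, _, mem_limit = mem.partition(" / ")
        net_in, _, net_out = net.partition(" / ")
        rows[name] = {
            "cpu_pct": float(cpu.rstrip("%")),
            "mem_used": parse_size(mem_used),
            "mem_limit": parse_size(mem_limit),
            "net_in": parse_size(net_in),
            "net_out": parse_size(net_out),
            "pids": int(pids),
        }
    return rows


def detect(baseline, current, cpu_pct=90.0, pid_factor=4, egress_factor=10):
    """Return a list of (container, reason) findings.

    Assumed rules (tune per workload):
      - CPU pegged at or above cpu_pct (runaway process, cryptominer);
      - PID count grown by pid_factor (fork bomb, spawned shells);
      - outbound bytes grown by egress_factor (possible exfiltration);
      - a container running now that was absent from the baseline.
    """
    findings = []
    for name, now in current.items():
        base = baseline.get(name)
        if base is None:
            findings.append((name, "not in baseline"))
            continue
        if now["cpu_pct"] >= cpu_pct:
            findings.append((name, "cpu %.1f%%" % now["cpu_pct"]))
        if now["pids"] >= pid_factor * max(base["pids"], 1):
            findings.append((name, "pids %d -> %d" % (base["pids"], now["pids"])))
        if now["net_out"] >= egress_factor * max(base["net_out"], 1):
            findings.append((name, "egress %d -> %d bytes"
                             % (base["net_out"], now["net_out"])))
    return findings


if __name__ == "__main__":
    for container, reason in detect(parse_stats(BASELINE), parse_stats(CURRENT)):
        print("ALERT %s: %s" % (container, reason))
```

Run in a loop, the baseline should be a rolling window rather than a single snapshot, and the counters docker reports are cumulative since container start, so compare deltas between samples once you have more than two of them.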

If one thing’s clear, it’s that we’re still waiting on good security solutions for containers for most layers of the container stack. Those will hopefully emerge as container adoption continues.

For now, container security remains a do-it-yourself endeavor at some layers of the stack. But with Clair and Docker Security Scanning having emerged in the not-too-distant past, the optimists out there can believe that additional security tools tailored to container stacks are on their way, too.
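The image-scanning layer that the list above and this closing paragraph credit to Clair and Docker Security Scanning usually meets a build pipeline as a pass/fail gate. As an added example (not code from the article, Clair or Docker Security Scanning), the Python below evaluates a constructed vulnerability report against a policy: it blocks on findings at or above a chosen severity, lets you waive reviewed findings or ones with no fix available, and fails closed on a severity label it does not recognise. The report schema and the placeholder vulnerability ids are assumptions; a real scanner’s output has to be mapped to this shape first.

```python
"""Pass/fail gate on an image vulnerability report.

Added example, not code from the article, Clair or Docker Security
Scanning. The report below is constructed and uses a deliberately
simplified schema; map a real scanner's output to it before calling
evaluate().
"""
import json

# Constructed sample report (placeholder vulnerability ids, not real CVEs).
REPORT = json.loads("""
{
  "image": "registry.example.com/app:1.4.2",
  "findings": [
    {"package": "openssl", "version": "1.0.1e", "id": "VULN-A",
     "severity": "High", "fixed_by": "1.0.1t"},
    {"package": "bash", "version": "4.3", "id": "VULN-B",
     "severity": "Medium", "fixed_by": "4.3-2"},
    {"package": "libxml2", "version": "2.9.1", "id": "VULN-C",
     "severity": "Critical", "fixed_by": ""},
    {"package": "curl", "version": "7.38", "id": "VULN-D",
     "severity": "low", "fixed_by": "7.39"}
  ]
}
""")

# Severity scale, lowest to highest. Scanners differ in naming; normalise
# case before lookup and fail closed on anything unrecognised.
SEVERITY_RANK = {"negligible": 1, "low": 2, "medium": 3, "high": 4, "critical": 5}


def severity_rank(label):
    key = label.strip().lower()
    if key not in SEVERITY_RANK:
        raise ValueError("unrecognised severity %r; refusing to pass the gate" % label)
    return SEVERITY_RANK[key]


def evaluate(report, fail_at="high", ignore_unfixed=False, exceptions=()):
    """Decide whether the image may ship.

    Returns (passed, blocking_ids, waived_ids).
      fail_at        lowest severity that blocks the build
      ignore_unfixed waive findings with no fixed version (nothing to
                     upgrade to yet; track them instead of shipping blind)
      exceptions     ids accepted as risk, e.g. after manual review
    """
    threshold = severity_rank(fail_at)
    blocking, waived = [], []
    for f in report["findings"]:
        if severity_rank(f["severity"]) < threshold:
            continue
        if f["id"] in exceptions or (ignore_unfixed and not f.get("fixed_by")):
            waived.append(f["id"])
        else:
            blocking.append(f["id"])
    return (not blocking, blocking, waived)


if __name__ == "__main__":
    import sys
    passed, blocking, waived = evaluate(REPORT)
    for vid in waived:
        print("WAIVED  %s" % vid)
    for vid in blocking:
        print("BLOCKED %s" % vid)
    print("%s: %s" % (REPORT["image"], "PASS" if passed else "FAIL"))
    sys.exit(0 if passed else 1)
```

Waiving unfixed findings keeps the pipeline moving, but an unfixed Critical still needs a compensating control (removing the package, restricting the container’s exposure) and an owner, so record every waiver with an expiry rather than leaving it in the exception list indefinitely.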

Christopher Tozzi

Christopher Tozzi has covered technology and business news for nearly a decade, specializing in open source, containers, big data, networking and security. He is currently Senior Editor and DevOps Analyst with Fixate.io and Sweetcode.io.
