Cisco Umbrella
Security

Considering Docker? Consider Security First

Owen Lystrup
Updated — October 15, 2020 • 4 minute read

Containers started making a big splash in IT and dev operations starting in 2014. The benefits of flexibility and go-live times, among many others, are almost undeniable. But large enterprises considering using a container platform for development or IT operations should pause and consider security first.
Last year DataDog, an IT infrastructure monitoring company, surveyed 7,000 companies and found that Docker adoption was up fivefold from 2014 to 2015. If true, the rate at which enterprises large and small are adopting containers, as opposed to virtual machines and hypervisors, to run apps is rather unprecedented. The survey also found that two-thirds of companies that evaluate Docker end up adopting it.
Docker is a platform that lets IT sysadmins, software developers, engineers, or anyone who needs to publish a piece of code or software compartmentalize apps, along with their code libraries and executable files, into what are called containers. Rather than running an entire OS instance like Windows on a virtual machine for each application, container platforms like Docker share a single OS and use containers to keep processes separate from one another, which uses far fewer resources and is therefore far more efficient. Containers certainly have a large number of benefits for IT and dev ops: fewer virtual machines and OS instances to patch and update, fewer hardware boxes to house and maintain, rapid application deployment (really rapid, as in seconds in most cases), easy version control, easy sharing, and so on. However, some speculate that containerization — to use such a Franken-term — is not ready for large enterprise use.
Much of that speculation comes from both the previous security issues that plagued Docker’s early days, and the fact that it is such new technology that has not been hardened through widespread use.
Of course there are security issues
At RSA 2016 Securosis Contributing Analyst David Mortman led a session on security for Docker, and quoted Red Hat Engineer Dan Walsh as saying, “Containers don’t contain.” What he means is, because an application or piece of code lives in a container, it doesn’t mean the container is going to prevent leaks to other containers or the OS itself. In other words, there is nothing inherently secure about containers. In fact, Mortman said, Docker has openly admitted this fact in the past.
“If you talk to the Docker guys, they say, ‘Of course there are security issues. This is beta code,’” Mortman said.
And that’s the underlying issue. Sure, the security problems range from the need for root privilege inside containers to run a process or app, to namespace issues with the Linux host. Docker’s own documentation highlights four core security issues that should be addressed when using the platform.
“From an application perspective,” Mortman said, “you have only what you need, which is great.” But, he added, the security concerns are those of really any operating system. Backing up data, reducing the attack surface, and keeping access levels under control are all still necessary.
During his talk, Mortman recommended using the Docker Security Benchmark tool available on Github. It’s a utility developers can run against a container that will check for dozens of known security issues. It’s based on the collaboration project Docker embarked on with the Center for Internet Security, which resulted in a 120-plus page benchmark for security best practices.
Beyond the 17 or so security bullet points Mortman outlined in his talk, his overriding advice was that container security should be treated just like Linux or OS security. One core piece of advice about Docker is to exercise extreme care when using public containers. Docker Hub is like any open software platform, with publicly available images, scripts, apps, and utilities that developers can find on GitHub and repurpose — more than 100,000 of them. The Docker Hub registry does its best to ensure the validity of images by adding signatures and hashes of the image, to make sure what is in the image’s manifest is actually what’s in the image.
But, Mortman cautioned, “Don’t trust them blindly. It’s not rocket science, but we all do it sometimes.” Developers should still check the hashes of any image pulled from a public source before using it in production.
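The hash check Mortman describes works like this, shown here as an added example that is not part of the original post or of Docker's own tooling: a registry manifest lists each image layer by its sha256 digest, and the image as a whole is referred to by the digest of the manifest, so a pull can be compared against the digest you recorded when you first vetted the image. The manifest and layer contents below are constructed so the code runs offline, and the JSON canonicalisation is only there to make the offline digest reproducible; a real client hashes the manifest bytes exactly as the registry served them.

```python
import hashlib
import json

# Constructed layer blobs standing in for the compressed tar layers a registry
# serves; the contents are made up so the example runs without a registry.
LAYERS = [
    b"constructed layer one: base filesystem\n",
    b"constructed layer two: application files\n",
]


def sha256_digest(data: bytes) -> str:
    """Digest in the 'sha256:<hex>' form registries and `docker pull image@...` use."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


def build_manifest(layers):
    """Build a manifest that references each layer by size and digest.

    Mirrors the shape of a Docker schema 2 / OCI manifest, trimmed to the
    fields this example checks (constructed, not a real registry response)."""
    return {
        "schemaVersion": 2,
        "layers": [
            {
                "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
                "size": len(blob),
                "digest": sha256_digest(blob),
            }
            for blob in layers
        ],
    }


def manifest_bytes(manifest) -> bytes:
    """Serialise deterministically so the manifest digest is reproducible here.

    A real client must hash the exact bytes the registry returned rather than
    re-serialising; this canonical form exists only for the offline example."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def verify_image(manifest, layers, pinned_digest):
    """Check a pulled image against the digest recorded when it was vetted.

    Returns (ok, problems). ok is True only when the manifest hashes to the
    pinned digest and every layer's bytes hash to the digest the manifest claims."""
    problems = []
    actual = sha256_digest(manifest_bytes(manifest))
    if actual != pinned_digest:
        problems.append(f"manifest digest {actual} does not match pinned {pinned_digest}")
    if len(layers) != len(manifest["layers"]):
        problems.append("layer count differs from manifest")
    for entry, blob in zip(manifest["layers"], layers):
        got = sha256_digest(blob)
        if got != entry["digest"]:
            problems.append(f"layer {entry['digest'][:19]}... hashes to {got[:19]}...")
        if len(blob) != entry["size"]:
            problems.append(f"layer {entry['digest'][:19]}... size {len(blob)} != {entry['size']}")
    return not problems, problems


def demo():
    """Vet an image, record its digest, then re-verify a clean and a tampered pull."""
    manifest = build_manifest(LAYERS)
    pinned = sha256_digest(manifest_bytes(manifest))  # what you would store at vetting time

    clean_ok, _ = verify_image(manifest, LAYERS, pinned)

    # Tampered pull: same manifest, but the second layer's contents were altered,
    # so both its digest and its size disagree with what the manifest claims.
    tampered_layers = [LAYERS[0], LAYERS[1] + b"extra bytes\n"]
    tampered_ok, tampered_problems = verify_image(manifest, tampered_layers, pinned)
    return clean_ok, tampered_ok, tampered_problems


if __name__ == "__main__":
    print(demo())
```

The practical form of this pin is to reference images by digest (`image@sha256:...`) rather than by a mutable tag, so that the digest check happens on every pull instead of only the first.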
Embrace the benefits, but with caution
If you embrace the power of Docker, it’s a good idea to temper it with good container hygiene: not running as root unless absolutely necessary (which it usually is not), preventing container leaks, and mounting only the volumes that are needed rather than extraneous ones like the host’s /etc directory.
OpenDNS Security Engineer Chris Dorros says using a container hosting platform can help ensure the hygiene required for large enterprises. “Having a platform for developers where they can host their containers as a service can help centralize security controls and greatly reduce mistakes,” he said in an e-mail interview. “At OpenDNS we use a homegrown system called Quadra, but there are others like Kubernetes.”
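One way to check those hygiene points on running containers, as an added example rather than code from the post or from Docker: the audit below reads records in the shape of `docker inspect` output and flags containers that run as root, run with the privileged flag, or bind-mount sensitive host paths. The sample records are constructed and carry only the fields the check reads. The post names /etc; the host root and the Docker socket are added to the sensitive list here because mounting the socket gives a container control of the Docker daemon, and the privileged flag is included because it removes most of the isolation that keeps a container from leaking into the host.

```python
import json
import sys

# Constructed records in the shape of `docker inspect` output (a JSON list of
# containers). Only the fields this audit reads are present; real output has
# many more.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/web-good",
        "Config": {"User": "10001:10001"},
        "HostConfig": {"Privileged": False, "Binds": ["/srv/web/data:/data:ro"]},
    },
    {
        "Name": "/web-bad",
        "Config": {"User": ""},  # empty User means the image default, usually root
        "HostConfig": {
            "Privileged": True,
            "Binds": ["/etc:/host-etc", "/var/run/docker.sock:/var/run/docker.sock"],
        },
    },
])

# Host paths an ordinary application container should not be handed. /etc is the
# example from the post; / and the Docker socket are added here (mounting the
# socket gives the container control of the Docker daemon).
SENSITIVE_HOST_PATHS = ("/", "/etc", "/var/run/docker.sock")


def host_path(bind: str) -> str:
    """A Binds entry is host_path:container_path[:options]; return the host part."""
    return bind.split(":", 1)[0]


def is_sensitive(path: str) -> bool:
    """True if path is a sensitive host path or lies inside one (/etc/passwd yes, /etcetera no)."""
    for sensitive in SENSITIVE_HOST_PATHS:
        if path == sensitive:
            return True
        if sensitive != "/" and path.startswith(sensitive + "/"):
            return True
    return False


def runs_as_root(user: str) -> bool:
    """Config.User is '', 'name', 'uid', 'name:group' or 'uid:gid'; root is uid 0."""
    account = user.split(":", 1)[0]
    return account in ("", "0", "root")


def audit_container(record: dict) -> list:
    """Return the hygiene findings for one inspect record (empty list if clean)."""
    findings = []
    config = record.get("Config") or {}
    host_config = record.get("HostConfig") or {}
    if runs_as_root(config.get("User", "")):
        findings.append("runs as root")
    if host_config.get("Privileged"):
        findings.append("privileged (host device and capability access)")
    for bind in host_config.get("Binds") or []:
        path = host_path(bind)
        if is_sensitive(path):
            findings.append(f"mounts sensitive host path {path}")
    return findings


def audit(inspect_json: str) -> dict:
    """Map container name -> findings for every record in a `docker inspect` JSON list."""
    return {
        record["Name"].lstrip("/"): audit_container(record)
        for record in json.loads(inspect_json)
    }


if __name__ == "__main__":
    # Feed real output with: docker inspect $(docker ps -q) | python3 audit.py
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, findings in audit(source).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

The check reads only `HostConfig.Binds`, which is where `-v host:container` mounts appear; containers started with `--mount` record their bind mounts in the `Mounts` array instead, so extend the loop to that array if your containers use it.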
For more on Quadra and how OpenDNS uses Docker, see the previous posts from the OpenDNS engineering team.
