Cisco Umbrella
Security

Considering Docker? Consider Security First

By Owen Lystrup
Posted on March 17, 2016
Updated on October 15, 2020


Containers started making a big splash in IT and dev operations starting in 2014. The benefits of flexibility and go-live times, among many others, are almost undeniable. But large enterprises considering using a container platform for development or IT operations should pause and consider security first.
Last year DataDog, an IT infrastructure monitoring company, surveyed 7,000 companies and found that Docker adoption was up fivefold from 2014 to 2015. If true, the adoption rate for using containers, as opposed to virtual machines and hypervisors, to run apps is rather unprecedented for enterprises large and small. The survey also found that two-thirds of companies that evaluate Docker end up adopting it.
Docker is a platform that allows IT sys admins, software developers, engineers, or anyone needing to publish a piece of code or software, to compartmentalize apps along with their code libraries and executable files into what are called containers. Rather than running an entire OS instance, such as Windows, on a virtual machine to host one application, a container platform like Docker runs containers on a single OS, keeping processes separate from one another with far fewer resources, and is thus far more efficient. Containers certainly have a large number of benefits for IT and dev ops, such as fewer virtual machines and OS instances to patch and update, fewer hardware boxes to house and maintain, rapid application deployment (really rapid, like seconds in most cases), easy version control, easy sharing, and so on. However, there is speculation from some that containerization — to use such a Franken-term — is not ready for large enterprise use.
Much of that speculation comes from both the previous security issues that plagued Docker’s early days, and the fact that it is such new technology that has not been hardened through widespread use.
Of course there are security issues
At RSA 2016, Securosis Contributing Analyst David Mortman led a session on security for Docker and quoted Red Hat Engineer Dan Walsh as saying, “Containers don’t contain.” What he means is that just because an application or piece of code lives in a container, it doesn’t mean the container is going to prevent leaks to other containers or to the OS itself. In other words, there is nothing inherently secure about containers. In fact, Mortman said, Docker has openly admitted this fact in the past.
“If you talk to the Docker guys, they say ‘Of course there are security issues. This is beta code,’” Mortman said.
And that’s the underlying issue. The security problems range from the need for root privilege inside containers to run a process or app, to namespace issues with the Linux host. Docker’s own documentation highlights four core security issues that should be addressed when using the platform.
“From an application perspective,” Mortman said, “you have only what you need, which is great.” But, he added, the security concerns are those of really any operating system. Backing up data, reducing the attack surface, and keeping access levels under control are all still necessary.
During his talk, Mortman recommended using the Docker Security Benchmark tool available on Github. It’s a utility developers can run against a container that will check for dozens of known security issues. It’s based on the collaboration project Docker embarked on with the Center for Internet Security, which resulted in a 120-plus page benchmark for security best practices.
And outside of the 17 or so security bullet points that Mortman outlined in his talk, above all, he said container security should be treated just like Linux or OS security. One core piece of advice about Docker is exercising extreme care about using public containers. Docker Hub is like any open software platform, with publicly available images, scripts, apps, and utilities developers can find on Github and repurpose — more than 100,000 of them. And the Docker Hub registry does its best to ensure the validity of images by adding signatures and hashes of the image to make sure what is in the image’s manifest is actually what’s in the image.
But, Mortman cautioned, “Don’t trust them blindly. It’s not rocket science, but we all do it sometimes.” Developers should still check the hashes of any image pulled from a public source before using it in production.
Embrace the benefits, but with caution
If embracing the power of Docker, it’s a good idea to temper it with good container hygiene: not using root unless absolutely necessary (which it usually is not), preventing container leaks, and mounting only the volumes you need, not extraneous ones such as /etc.
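One way to turn the advice above (check what you pull, don’t run as root, don’t mount host paths like /etc) into a repeatable check, as an added example that is neither the Docker Security Benchmark tool nor code from this post: a small Python audit over `docker inspect` output that flags the hygiene problems the post calls out. The container names, image references and the all-zero digest are constructed placeholders.

```python
import json

# Host paths that an application container should not bind-mount.
SENSITIVE_HOST_PATHS = {"/", "/etc", "/proc", "/sys", "/var/run/docker.sock"}

# Constructed sample shaped like `docker inspect` output (only the fields read
# below); not from the original post. "/web" breaks the hygiene rules, "/api"
# follows them. The digest is a placeholder, not a real image digest.
SAMPLE_INSPECT = [
    {"Name": "/web",
     "Config": {"User": "", "Image": "nginx:latest"},
     "HostConfig": {"Privileged": True, "CapAdd": ["SYS_ADMIN"],
                    "Binds": ["/etc:/host-etc:ro", "/srv/www:/usr/share/nginx/html:ro"]}},
    {"Name": "/api",
     "Config": {"User": "app", "Image": "registry.example/api@sha256:" + "0" * 64},
     "HostConfig": {"Privileged": False, "CapAdd": None,
                    "Binds": ["/srv/api-data:/data:ro"]}},
]
SAMPLE_INSPECT_JSON = json.dumps(SAMPLE_INSPECT)

def audit_container(spec: dict) -> list[str]:
    """Return hygiene findings for one parsed `docker inspect` entry."""
    findings = []
    cfg, host = spec.get("Config", {}), spec.get("HostConfig", {})

    # Root in the container: an empty, "0" or "root" User means UID 0.
    if cfg.get("User", "") in ("", "0", "root"):
        findings.append("runs as root (set a non-root USER)")

    # A tag can be re-pointed upstream; a digest names exactly one image.
    image = cfg.get("Image", "")
    if "@sha256:" not in image:
        findings.append(f"image {image!r} pulled by tag, not pinned by digest")

    # Privileged mode and added capabilities undo most of the isolation.
    if host.get("Privileged"):
        findings.append("privileged mode enabled")
    for cap in host.get("CapAdd") or []:
        findings.append(f"extra capability {cap} added")

    # Bind mounts of host paths such as /etc leak host state into the container.
    for bind in host.get("Binds") or []:
        src = bind.split(":", 1)[0]
        if src == "/" or src.rstrip("/") in SENSITIVE_HOST_PATHS:
            findings.append(f"sensitive host path {src} is mounted")
    return findings

def audit_inspect_json(raw: str) -> dict[str, list[str]]:
    """Audit every container in a `docker inspect` JSON array, keyed by name."""
    return {c["Name"]: audit_container(c) for c in json.loads(raw)}

if __name__ == "__main__":
    for name, issues in audit_inspect_json(SAMPLE_INSPECT_JSON).items():
        print(f"{name}: " + ("; ".join(issues) if issues else "no findings"))
```

On a real host, feed it `docker inspect $(docker ps -q)` instead of the constructed sample.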
OpenDNS Security Engineer Chris Dorros says using a container hosting platform can help ensure the hygiene required for large enterprises.  “Having a platform for developers where they can host their containers as a service can help centralize security controls and greatly reduce mistakes,” he said in an e-mail interview. “At OpenDNS we use a homegrown system called Quadra, but there are others like Kubernetes.”
For more on Quadra and how OpenDNS uses Docker, see the previous posts from the OpenDNS engineering team.
© 2021 Cisco Umbrella