Docker is a big part of the containerization of applications used in the industry. With the widespread usage of containers, it is evident that we need to have effective security measures around containers. If we take a look at the internal architecture of containers, they are quite close to the host operating system kernel.
Docker applies the principle of least privilege to provide isolation and reduce the attack surface. Despite the advances, the following points will help you understand the security measures you can take for containers:
- Ensure all the container images used for microservices are signed and originate from a trusted registry
- Harden the host environment, the daemon process, and images
- Follow the principle of least privilege and do not elevate access to access devices
- Use control groups in Linux to keep tabs on resources, such as memory, I/O, and CPU
- Even though containers live for a very short duration, logging all of the container activity is advisable and important to understand for post analysis
- If possible, integrate the container scanning process with tools, such as Aqua (http://www.aquasec.com) or Twistlock (https://www.twistlock.com)