This is just a short blog post to announce the availability of the new CIS Security Standard for Docker 1.12 which NCC Group was involved in co-authoring and contributing to.
The Docker project (and containerisation as a concept in general) has become a hot topic in various aspects of IT over the last few years. With any relatively new technology that gets traction in larger organisations, the question of “what is security best practice for this?” gets asked quite a lot, including by our customers. We’re going to sidestep the definition of security best practice, other than to give a nod in the direction of practices based on science and expected security outcomes rather than theory.
Alongside NCC Group security research efforts which look at Docker, such as Understanding and Hardening Linux Containers and Abusing Privileged and Unprivileged Linux Containers, we find it very useful to have security standards which can be referred to by the various functions within risk, development, build and operations. The availability of these standards can inform, but also provide a playbook that can then be applied by organisations looking to implement Docker into their environment who may not be experts.
The CIS Security Standard for Docker, which is one of the main efforts in this space, has just been updated to cover the latest Docker release (1.12). NCC Group (myself and Jesse Hertz) were fortunate enough to be involved in helping update this document and expand its coverage to take account of some of the new features which were launched with this release.
The updated version includes coverage of the new Docker swarm clustering feature which allows for easy scaling of container services and also covers some of the new security controls such as PID cgroup support.
In general Docker provides a good starting point for security, but the default installation choices are focused on providing an environment which works for the widest possible range of users. As such there are an increasing number of areas where changes to configuration are necessary if an organisation wants a tightly controlled container environment.
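As an illustration of the kind of check the benchmark asks for, here is a small audit script (an added example written for this post, not part of the CIS standard or any NCC Group tooling) that reads the JSON emitted by `docker inspect` and flags containers running without a PIDs cgroup limit. It goes slightly beyond the PID control mentioned above by also flagging privileged containers, since that is the same style of host-config check. It assumes the `HostConfig.PidsLimit` and `HostConfig.Privileged` fields of the inspect output, where a `PidsLimit` of 0 (or absent) means no limit is applied; the two container records below are constructed sample data, not real output.

```python
"""Audit `docker inspect` output for missing PIDs limits and privileged mode.

Usage: docker inspect $(docker ps -q) | python3 audit_containers.py
"""
import json
import sys

# Constructed sample in the shape of `docker inspect` output, trimmed to the
# fields this script reads. Container ids and names are made up.
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaa111", "Name": "/web",
     "HostConfig": {"PidsLimit": 200, "Privileged": False}},
    {"Id": "bbb222", "Name": "/batch",
     "HostConfig": {"PidsLimit": 0, "Privileged": True}},
])


def audit_containers(inspect_json):
    """Return a list of findings (dicts) for the containers in inspect_json."""
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name") or container.get("Id", "<unknown>")
        host_config = container.get("HostConfig") or {}

        # PidsLimit of 0, None or missing means the pids cgroup is not
        # constraining the container, so a runaway process tree inside it
        # can exhaust the host's process table.
        pids_limit = host_config.get("PidsLimit")
        if not pids_limit or pids_limit <= 0:
            findings.append({
                "container": name,
                "check": "pids-limit",
                "detail": "no PIDs cgroup limit set (run with --pids-limit)",
            })

        # Privileged containers get all capabilities and device access,
        # which removes most of the isolation the benchmark relies on.
        if host_config.get("Privileged"):
            findings.append({
                "container": name,
                "check": "privileged",
                "detail": "container runs with --privileged",
            })
    return findings


def format_report(findings):
    """Render findings as one line per issue; empty string if all clear."""
    return "\n".join(
        "{container}: [{check}] {detail}".format(**f) for f in findings
    )


if __name__ == "__main__":
    # Read real inspect output from stdin if provided, else use the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    report = format_report(audit_containers(data))
    print(report or "no findings")
```

The script only reports; remediation is setting `--pids-limit` on the affected containers and removing `--privileged` where it is not genuinely required.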
Reviewing and implementing the CIS Security guidelines can provide a higher level of security than the base install, and with an active team working to maintain the standard, it should keep up with the rapid pace of development from the Docker project.
You can download the CIS Security Standard for Docker 1.12 here.
Written by Rory McCune
First published on 22/08/16