Secure and Protect Docker Hosts with CyberArk

Share and earn Cybytes
Facebook Twitter LinkedIn Email

Container technology has been instrumental in the transformation of application development and deployment, and Docker has held the pole position. The reasons include Docker’s ease of installation and use, and its ability to automate common tasks so developers can focus on what matters: building great software. Overall Docker adoption has surged 35% within the last 12 months which is a clear indication that developers see its value and significance. Container technology is very agile. It’s ingrained in the DevOps pipeline and woven into various cloud architectures. However, this technology does create a cause for concern for both developers and security practitioners alike, as it presents yet another platform to secure and protect. Adopting emerging technologies often make security an afterthought, and the modern use of containerization makes no exception.

Protect the host, protect the deployment

There are many moving parts that make up the Docker platform, but in this blog, I’ll focus on the Docker Host and the importance of keeping it protected. Within the Docker Host exist three primary components: the Docker daemon, containers and images. The Docker daemon is a service that runs on the host OS and manages both the containers and images. It looks out for API requests from Docker and also acts as the communication layer to manage other services within Docker (see Figure 1). Most companies have defined roles within the organization that provide wide-ranging levels of access to the Docker Host for a variety of usages (e.g. managing containers, creating new images and getting real-time events from the server).

Figure 1. Docker’s client-server architecture

Now, there are more than 50 commands that can run within the Docker command-line interface. Among them include the building images from a Dockerfile (docker build), the creation of a new container (docker create), and the ability to terminate one or more running containers (docker kill). Why is this important? Well, would you want every developer, DevOps or IT operations team member within your organization to have the ability to execute some of these potentially risky commands in your container environment? Probably not. Furthermore, there’s a significant privileged escalation risk that lies at the container level. If a user were able to compromise a root account, they’d have the potential to elevate privileges to gain access to the Docker Host which can be the first step prior to rolling out a full-fledged attack that could put all of the containers at risk.

A few best practices

By implementing the principle of least privilege as well as incorporating separation of duties (SoD) controls, you can protect your modern Docker infrastructure without negatively impacting business efficiency or increasing operational costs. With the introduction of the principle of least privilege, you’re reducing the overall need for root accounts for many different use cases, which in turn, improves your organization’s security posture. Take it one step further by installing CyberArk On-Demand Privileges Manager on every Docker Host. A set of role-based permissions can be established which will run only the minimum commands required to perform the necessary tasks that each user’s job function requires – and nothing more (see Figure 2).

Figure 2. Set policies to limit the actions of privileged users on Docker Hosts

These predefined commands can be set for use by specific groups or personas such as Docker Dev, Docker Ops and Docker Security. The policies can be defined via white-listing or black-listing to provide maximum flexibility in achieving your organization’s desired restriction level. All of the elevated commands can then be audited and monitored allowing security and auditing teams to gain full visibility into your organization’s activity. What if you need to allow root user access to the Docker Host in specific scenarios? It’s a best practice to first centrally manage the root credentials and then introduce an isolation layer between root users and the Docker Host to prevent credential hijacking. You can implement approval workflows and apply further restrictions on the root user’s activities as needed.

Tracking what a root or other power user is doing once they’ve opened a privileged session to the Docker Host is critically important. CyberArk can secure all of this access, record and log all of the activity that occurs, as well as alert on potential threats to your Docker Hosts. Moreover, with CyberArk Conjur you no longer have to guess what’s happening within your Docker Host and containers. Even with many containers being brought up and down in ephemeral environments, you can gain full control and audit over which secrets each container or application can access. Based on an enterprise policy, every container/host/application is allowed access only to authorized resources, using its own machine identity. Every access is audited, and you can see the Docker role groups fall under compliance. Additionally, you can see all of your Docker users connected live to the Docker Host, so your organization never has to go blind into containerization again.

These are just a few examples of how CyberArk solutions will bolster your container platform security. Arm your security team. Empower your developers. Find out more by contacting a CyberArk expert for a full product and solution demo.

The post Secure and Protect Docker Hosts with CyberArk appeared first on CyberArk.

Share this post and earn Cybytes
Facebook Twitter LinkedIn Email
About CyberArk
CyberArk is the only security company that proactively stops the most advanced cyber threats – those that exploit insider privileges to attack the heart of the enterprise. The company has pioneered a new category of targeted security solutions to lock down privileged accounts and protect against cyber threats before attacks can escalate and do irreparable business damage. CyberArk is trusted by the world’s leading companies – including more than 40 of the Fortune 100 – to protect their highest value information assets, infrastructure and applications, while ensuring tight regulatory compliance and audit requirements.
Promoted Content
Advanced cyber attacks involve compromised privileged accounts. Cyber attackers target them because they represent the keys to the IT kingdom. Effective enterprise security includes proactively protecting privileged accounts. Industry experts have identified practices that increase an organization’s vulnerability to a cyber attack. How many of these are common at your organization?

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge


We recommend always using caution when following any link

Are you sure you want to continue?