7 container security tools to lock down Docker and Kubernetes

These extra-strength tools bring monitoring, auditing, runtime defenses, and policy-based controls to containers in development and production


Docker containers help software developers build applications more quickly and deploy them more flexibly. Containers can also help developers make software more secure. 

Automatic analysis of the software components that go into containers, behavioral policies that span container clusters and multiple application versions, and innovative new developments in tracking and managing vulnerability data are just some of the ways containers are bolstering security for the entire application lifecycle.

How much of this comes out of the box, though, is another story. Docker and container management systems such as Kubernetes provide the basics, but not always more than that, leaving more advanced security monitoring and enforcement to third-party tools.

Here are seven recently revamped container security products and services that bring capabilities like vulnerability detection, compliance checking, whitelisting, firewalling, and runtime protections to containers, both in the cloud and in your own data center. 

Aporeto

Aporeto focuses on runtime protection, similar to the NeuVector product discussed below. The company provides a microservices security product to secure Kubernetes workloads and a cloud-network firewall system to secure apps running in distributed environments.

With Kubernetes workloads, Aporeto protects both on-prem and managed environments (e.g., Google Kubernetes Engine). Every created resource is assigned a service identity that is used to ensure that the chain of trust around the app isn’t broken. The service identity is used, among other things, to enforce declared application behaviors regardless of where pods for the application actually live.
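
To make the service-identity idea concrete, here is an added example (it is not Aporeto's code; the SPIFFE-style URI layout, the workload names, the policy contents and the IP addresses are all assumptions of this illustration). It derives an identity from a pod's declared attributes only, then runs the same three scenarios through an identity-keyed policy and an IP-keyed one to show why the location of the pod must not be part of the decision:

```python
from dataclasses import dataclass

# Constructed example of identity-based enforcement. The URI layout, names,
# addresses and policy are assumptions of this illustration, not Aporeto's.


@dataclass(frozen=True)
class Workload:
    """Attributes the orchestrator knows about a running pod."""
    namespace: str
    service_account: str
    app: str          # e.g. the pod's app= label
    node: str         # where the scheduler placed it
    pod_ip: str       # what it happens to be reachable at right now


def service_identity(w: Workload) -> str:
    """Stable identity built only from declared attributes.

    Node and pod IP are deliberately excluded, so a rescheduled pod keeps
    the same identity and an unrelated pod that inherits its old IP does
    not acquire it.
    """
    return f"spiffe://cluster.local/ns/{w.namespace}/sa/{w.service_account}/app/{w.app}"


WEB = "spiffe://cluster.local/ns/shop/sa/frontend/app/web"
ORDERS = "spiffe://cluster.local/ns/shop/sa/api/app/orders"

# Declared application behaviour: (caller identity, callee identity, port).
IDENTITY_POLICY = {(WEB, ORDERS, 8080)}

# The same intent written the way a host firewall rule would express it.
IP_POLICY = {("10.1.0.5", "10.1.1.9", 8080)}


def identity_allows(src: Workload, dst: Workload, port: int) -> bool:
    return (service_identity(src), service_identity(dst), port) in IDENTITY_POLICY


def ip_allows(src: Workload, dst: Workload, port: int) -> bool:
    return (src.pod_ip, dst.pod_ip, port) in IP_POLICY


def compare_policies() -> dict:
    """Run three scenarios through both policy styles and report each verdict."""
    web = Workload("shop", "frontend", "web", "node-a", "10.1.0.5")
    orders = Workload("shop", "api", "orders", "node-b", "10.1.1.9")
    # The same orders deployment after the scheduler moved it: new node, new IP.
    orders_moved = Workload("shop", "api", "orders", "node-c", "10.1.2.3")
    # An unrelated debug pod that was handed the IP orders used to have.
    squatter = Workload("shop", "default", "debug", "node-b", "10.1.1.9")

    scenarios = {
        "web -> orders": (web, orders),
        "web -> orders after reschedule": (web, orders_moved),
        "web -> squatter on orders' old ip": (web, squatter),
        "orders -> web (never declared)": (orders, web),
    }
    return {
        name: {"identity": identity_allows(s, d, 8080), "ip": ip_allows(s, d, 8080)}
        for name, (s, d) in scenarios.items()
    }


if __name__ == "__main__":
    for name, verdict in compare_policies().items():
        print(f"{name:38s} identity={verdict['identity']!s:5s} ip={verdict['ip']}")
```

The IP-keyed rule breaks in both directions once the scheduler moves a pod: the legitimate rescheduled pod is denied and the squatter that inherited the old address is allowed. The caveat is that this toy trusts the `Workload` attributes as given; in a real deployment they must come from the orchestrator or from an attestation step on the node, and the identity must be bound to the connection (for example through an mTLS certificate), otherwise any workload could simply claim the identity it wants.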

Pricing for Aporeto is available on request after registering for an account. A free evaluation is available for 30 days.

Aqua Container Security Platform

Aqua Container Security Platform provides compliance and runtime security for both Linux containers and Windows containers.

The end-to-end container security manager allows admins to apply security policies and risk profiles to applications, and associate those profiles with different application build pipelines. Image scanning can be integrated with build and CI/CD tools.

Aqua Container Security Platform also lets admins use application contexts to segment networks for applications at runtime. The Aqua platform works with secrets management tools like HashiCorp Vault, and it supports the Grafeas API for accessing metadata from software components. The Aqua platform can record any vulnerability information it finds in an application's Grafeas store, and Aqua policies can make use of Grafeas definition data for security incidents and software issues.

Aqua Container Security Platform is available for on-prem or in-the-cloud deployment. Free trial or open source versions are not available, but Aqua has released a number of open source tools derived from the platform.

Atomic Secured Docker

Atomic Secured Docker is an alternative Linux kernel for Ubuntu, CentOS, and Red Hat Enterprise Linux that makes use of a number of hardening tactics to offset potential attacks. Many of the protections, like hardened permissions for userland memory, are derived from Atomicorp’s general line of secure-kernel products. Others, like container breakout protection, are designed specifically for Docker.

Atomic Secured Docker is available through direct purchase. Versions for AWS-hosted CentOS and Azure-hosted CentOS and Ubuntu are available in the AWS and Azure marketplaces.

NeuVector

NeuVector is designed to secure an entire Kubernetes cluster. It works with existing Kubernetes management solutions like Red Hat OpenShift and Docker Enterprise Edition, and is designed to protect applications at all stages of a deployment, from development (by way of a Jenkins plug-in) into production.

Like many other solutions here, NeuVector is deployed as a container into an existing Kubernetes cluster, rather than by modifying existing code. When NeuVector is added to a cluster, it discovers all of the hosted containers and generates maps that detail connections and behaviors. Any changes caused by apps ramping up or down are detected and taken into account, so that real-time scans for threats (including container break-outs or new vulnerabilities) are still effective.
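
The learn-then-enforce loop that this kind of runtime protection relies on can be shown in a few dozen lines. The following is an added example, not NeuVector's code: it consumes constructed sensor events in a JSON-lines shape invented for the illustration (the field names, container names and executables are assumptions), learns connection and process behaviour per service during a clean window, and then flags anything in a later window that falls outside that baseline. Replica names are folded back to their service so that pods scaling up or down do not by themselves produce alerts:

```python
import json
from collections import defaultdict

# Constructed events in a JSON-lines shape invented for this example (not
# NeuVector's real event format). Container names follow <service>-<n>.
LEARNING_EVENTS = """\
{"type":"conn","src":"web-1","dst":"api-1","port":8080}
{"type":"conn","src":"api-1","dst":"db-1","port":5432}
{"type":"proc","container":"web-1","exe":"/usr/sbin/nginx"}
{"type":"proc","container":"api-1","exe":"/usr/local/bin/python3"}
{"type":"proc","container":"db-1","exe":"/usr/lib/postgresql/bin/postgres"}
"""

# Later traffic: new replicas doing the same work, plus two things that
# were never seen during learning (an SSH attempt and a shell in web).
LIVE_EVENTS = """\
{"type":"conn","src":"web-2","dst":"api-3","port":8080}
{"type":"conn","src":"api-3","dst":"db-1","port":5432}
{"type":"conn","src":"api-3","dst":"web-1","port":22}
{"type":"proc","container":"api-3","exe":"/usr/local/bin/python3"}
{"type":"proc","container":"web-2","exe":"/bin/sh"}
"""


def service_of(container: str) -> str:
    """Map a replica name to its service so scaling does not create 'new' peers."""
    return container.rsplit("-", 1)[0]


def parse(events: str) -> list:
    return [json.loads(line) for line in events.splitlines() if line.strip()]


def learn(events: str) -> dict:
    """Build the allow-list from a learning window that is assumed to be clean."""
    baseline = {"conn": set(), "proc": defaultdict(set)}
    for ev in parse(events):
        if ev["type"] == "conn":
            baseline["conn"].add((service_of(ev["src"]), service_of(ev["dst"]), ev["port"]))
        elif ev["type"] == "proc":
            baseline["proc"][service_of(ev["container"])].add(ev["exe"])
    return baseline


def enforce(baseline: dict, events: str) -> list:
    """Return one alert per event that falls outside the learned behaviour."""
    alerts = []
    for ev in parse(events):
        if ev["type"] == "conn":
            key = (service_of(ev["src"]), service_of(ev["dst"]), ev["port"])
            if key not in baseline["conn"]:
                alerts.append(f"unexpected connection {ev['src']} -> {ev['dst']}:{ev['port']}")
        elif ev["type"] == "proc":
            svc = service_of(ev["container"])
            if ev["exe"] not in baseline["proc"].get(svc, set()):
                alerts.append(f"unexpected process {ev['exe']} in {ev['container']}")
    return alerts


def run_demo() -> list:
    return enforce(learn(LEARNING_EVENTS), LIVE_EVENTS)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Two things to keep in mind when relying on a learned baseline: it is only as trustworthy as the learning window (an intruder already active while the tool is learning gets whitelisted along with everything else), and a release that legitimately changes how a service behaves needs the baseline re-learned or the policy updated, which is what the "behavioral policies that span multiple application versions" in the introduction are there for.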

Pricing for NeuVector is based on the number of running Docker hosts, starting at $9,950 per year. A free trial is available.

Sysdig Secure

Sysdig Secure provides a set of tools for monitoring container runtime environments and obtaining forensics from them. Sysdig Secure is intended to run hand-in-hand with Sysdig’s other instrumentation tools, such as Sysdig Monitor.

Policies for the environment can be set and enforced per application, per container, per host, or per network activity. Any events tracked by Sysdig Secure can be viewed by host or container or through the lens of the orchestrator (typically Kubernetes). The command history of every container can be logged and examined, and general forensics across the cluster can be recorded and played back in a manner similar to Twistlock’s “incident explorer” feature.

Sysdig Secure is available only as a paid offering from Sysdig, with both cloud and on-prem editions available.

Tenable.io Container Security

Tenable.io Container Security focuses on providing devops teams with visibility into container security during the build process, rather than after the fact in production.

Container images are scanned at build time for malware, vulnerabilities, and policy compliance. If an image, or any element in an image, throws up a red flag, the developer is notified of the nature of the problem and its exact location—for instance, the specific layer of a multi-layer image—so it can be fixed quickly on the next push.
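
Pinpointing the layer is what turns a finding into an actionable fix, because it tells the developer which Dockerfile step (or base image) to change. The added example below is not Tenable's scanner; it models a small image as an ordered layer stack (package versions represented as files under /var/lib/pkg/, with constructed version numbers and a constructed vulnerability list), unions the layers the way an overlay filesystem does, including OCI whiteout entries, and attributes each vulnerable package in the final image to the layer that supplied it:

```python
# Constructed image: an ordered layer stack in the spirit of an OCI image
# (lowest first). Each layer carries the Dockerfile step that produced it and
# the files it adds; package versions are modelled as files under /var/lib/pkg/.
# Not Tenable's scanner; versions and vulnerability data are invented.
WHITEOUT = ".wh."
OPAQUE = ".wh..wh..opq"

IMAGE_LAYERS = [
    {"created_by": "FROM debian:9",
     "files": {"/var/lib/pkg/openssl": "1.0.2k", "/var/lib/pkg/curl": "7.52.1"}},
    {"created_by": "RUN apt-get install -y python3",
     "files": {"/var/lib/pkg/python3": "3.5.3"}},
    {"created_by": "RUN apt-get install -y --only-upgrade curl",
     "files": {"/var/lib/pkg/curl": "7.64.0"}},
    {"created_by": "RUN apt-get purge -y python3",
     "files": {"/var/lib/pkg/.wh.python3": ""}},     # whiteout hides the lower entry
    {"created_by": "COPY app /app",
     "files": {"/app/main.py": "print('hi')"}},
]

# Constructed vulnerability data: package -> versions known to be affected.
VULN_DB = {
    "openssl": {"1.0.2k"},
    "curl": {"7.52.1"},
    "python3": {"3.5.3"},
}


def apply_layers(layers: list) -> dict:
    """Union the layers bottom-up, as the runtime's overlay filesystem does.

    Returns {path: (content, index_of_layer_that_supplied_it)}. A whiteout
    entry removes a lower-layer file; an opaque whiteout empties a directory.
    """
    fs = {}
    for idx, layer in enumerate(layers):
        for path, content in layer["files"].items():
            directory, _, name = path.rpartition("/")
            if name == OPAQUE:
                for p in [p for p in fs if p.startswith(directory + "/")]:
                    del fs[p]
            elif name.startswith(WHITEOUT):
                fs.pop(f"{directory}/{name[len(WHITEOUT):]}", None)
            else:
                fs[path] = (content, idx)
    return fs


def scan(layers: list, vuln_db: dict) -> list:
    """Report vulnerable packages present in the final image, attributed to the
    layer (and Dockerfile step) that introduced the offending version."""
    findings = []
    for path, (version, idx) in apply_layers(layers).items():
        if not path.startswith("/var/lib/pkg/"):
            continue
        pkg = path.rsplit("/", 1)[1]
        if version in vuln_db.get(pkg, set()):
            findings.append({"package": pkg, "version": version,
                             "layer": idx, "created_by": layers[idx]["created_by"]})
    return findings


if __name__ == "__main__":
    for f in scan(IMAGE_LAYERS, VULN_DB):
        print(f"{f['package']} {f['version']} introduced in layer {f['layer']} ({f['created_by']})")
```

Only openssl is reported: curl was upgraded in a later layer and python3 was purged, so neither version is reachable in the final filesystem. Two practical caveats follow from the layer model. The openssl finding sits in layer 0, so the fix is a newer base image rather than a change to the application steps. And a purged package is hidden, not gone: its bytes still live in the lower layer blob that every pull downloads, so a scanner that inspects each layer tarball on its own will still surface it, and you should decide deliberately whether that counts as a finding.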

Tenable.io Container Security works with most common CI/CD build systems and container image registries, and provides a dashboard view of the current state of all running container images, policy enforcement status, and repository behaviors.

Pricing for Tenable.io Container Security is available on request. A free trial is available for 60 days. 

Twistlock 

Twistlock adds numerous security controls for containers that aren’t covered by “core” container products like Docker Enterprise. Some of those features include:

  • Compliance controls for enforcing HIPAA and PCI rules on containers.
  • Compliance alerting for build tools like Jenkins.
  • Firewalling for cloud-native applications.
  • Runtime attack protection for containers based on analysis of valid and invalid container behavior.
  • Support for the CIS Kubernetes Benchmark, so that a Kubernetes-managed deployment can be checked against a set of common criteria for securing Kubernetes.
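
What a benchmark check actually does is mechanical: read the configuration of a control-plane component and compare each setting against a recommended value, treating an absent flag as its documented default. The added example below is not Twistlock's implementation. It parses a constructed kube-apiserver static pod manifest (already loaded into a dict, as a YAML loader would produce it; the paths and values are assumptions) and runs a handful of checks modelled on the CIS Kubernetes Benchmark recommendations for the API server, with the benchmark's item numbers left out because they differ between benchmark versions:

```python
# Constructed kube-apiserver static pod manifest, already loaded into a dict
# (what yaml.safe_load would give you). Paths and values are invented.
# The checks are modelled on CIS Kubernetes Benchmark recommendations; this is
# an illustration, not Twistlock's or the benchmark's own implementation.
APISERVER_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "kube-apiserver", "namespace": "kube-system"},
    "spec": {"containers": [{
        "name": "kube-apiserver",
        "command": [
            "kube-apiserver",
            "--authorization-mode=Node,RBAC",
            "--insecure-port=0",
            "--audit-log-path=/var/log/kubernetes/audit.log",
            "--tls-cert-file=/etc/kubernetes/pki/apiserver.crt",
            "--tls-private-key-file=/etc/kubernetes/pki/apiserver.key",
            "--kubelet-certificate-authority", "/etc/kubernetes/pki/ca.crt",
        ],
    }]},
}


def flags_of(pod: dict, container: str = "kube-apiserver") -> dict:
    """Turn the container's command line into {flag: value}, accepting both
    --flag=value and --flag value forms; a bare boolean flag becomes 'true'."""
    cmd = next(c["command"] for c in pod["spec"]["containers"] if c["name"] == container)
    flags, i = {}, 1          # skip argv[0]
    while i < len(cmd):
        arg = cmd[i]
        if arg.startswith("--"):
            if "=" in arg:
                key, value = arg[2:].split("=", 1)
            elif i + 1 < len(cmd) and not cmd[i + 1].startswith("--"):
                key, value = arg[2:], cmd[i + 1]
                i += 1
            else:
                key, value = arg[2:], "true"
            flags[key] = value
        i += 1
    return flags


def check_apiserver(flags: dict) -> list:
    """Return the names of the checks that FAIL.

    When a flag is absent the check uses kube-apiserver's documented default
    (anonymous-auth and profiling default to true, authorization-mode to
    AlwaysAllow, insecure-port to 8080), which is exactly why an unset flag
    is a finding rather than a pass.
    """
    modes = set(flags.get("authorization-mode", "AlwaysAllow").split(","))
    checks = {
        "anonymous-auth is false": flags.get("anonymous-auth", "true") == "false",
        "authorization-mode is not AlwaysAllow": "AlwaysAllow" not in modes,
        "authorization-mode includes RBAC": "RBAC" in modes,
        "authorization-mode includes Node": "Node" in modes,
        "insecure-port is 0": flags.get("insecure-port", "8080") == "0",
        "audit-log-path is set": "audit-log-path" in flags,
        "profiling is false": flags.get("profiling", "true") == "false",
        "kubelet-certificate-authority is set": "kubelet-certificate-authority" in flags,
        "tls-cert-file and tls-private-key-file are set":
            {"tls-cert-file", "tls-private-key-file"} <= flags.keys(),
    }
    return [name for name, ok in checks.items() if not ok]


if __name__ == "__main__":
    failed = check_apiserver(flags_of(APISERVER_POD))
    print("FAILED:" if failed else "all checks passed")
    for name in failed:
        print("  -", name)
```

The constructed manifest fails two checks, both because a flag was simply never set: anonymous requests and the profiling endpoint are enabled by default. A real benchmark scanner does more than read a manifest out of a repo; it inspects the arguments of the running process on each node and the ownership and permissions of the files those arguments point at, since a manifest that looks right in Git proves nothing about what is running. Note also that the insecure port flag checked here existed at the time of this article but has since been removed from kube-apiserver.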

Twistlock 2.5, released in August 2018, adds new forensic analysis techniques that reduce runtime overhead (e.g., storing pre-incident and post-incident container state information outside the container itself); enhancements to the live visualization tools for mapping namespaces, pods, and containers; and defenses for serverless computing systems as well.

Twistlock is available in a for-pay enterprise edition. A free 30-day trial version was offered at one point but has been discontinued.

Copyright © 2018 IDG Communications, Inc.