AndreasG - Fotolia


Container auditing best practices for large-scale deployments

Container auditing and reporting are essential security and compliance measures in a production environment. Apply these practices to uncover abnormalities, control user access and choose the right tool.

Container management at scale is a complex issue. A large production environment, coupled with the short-lived and dynamic nature of Docker instances, makes reporting and auditing an especially difficult task. These practices are critical, however, to ensure a secure and compliant IT deployment.

Manual container management and auditing practices simply will not scale. That said, administrators can apply some key practices from the VM world to shape container auditing best practices:

  • Track and report on a macro level -- resource consumption and usage volume, for example.
  • Detect deviations on both a container and host level.
  • Respond to deviations automatically.
  • Conduct post-mortems.

Look for abnormalities

In a live environment, unexpected behavior is bad. Bad, however, is relative. Sometimes it's just a corrupted container -- in which case, admins can just destroy and redeploy. But it also can be a compromised host or container. Knowing the difference defines the appropriate response.

Most auditing systems for containers will look at any file system differences, including any departures from the golden image. They will also identify changes in the data ingress and egress profiles of the container, including the data sent out, ports used and the location of the host with which the container communicates.

An occurrence of these events signals nonconformity, which suggests a system has been compromised in some way. At this point, an auditing tool isolates the container automatically to preserve it for digital forensics.

However, the ability to isolate a container automatically is an advanced concept and uses technologies such as microsegmentation. VMware NSX, which offers microsegmentation with software-defined networking, isn't a container tool exclusively, but it is an example of a technology that identifies anything nonconformant and isolates it immediately from a network.

One positive aspect of containers is that their configuration should be consistent. There should be no configuration changes during the initial boot. If you have a container on your desktop, for example, the first boot should be identical to the hundredth boot. Changes are highly undesirable and aren't associated with well-designed, enterprise-class containers. If a file changes, there is no way to ensure that the layout is as intended. Also, changes in the container build might not sit well with security software that sees changes between boots as a potential indication of unauthorized action.

Highlight access control

Container auditing best practices should also focus on access to the container environment. Just like compromised containers, poor access control can cause security and compliance issues. Role-based access control (RBAC) is key to managing who has access to what elements in the deployment.

One positive aspect of containers is that their configuration should be consistent.

For example, developers shouldn't be able to add additional resources or modify network configurations, and sys admins shouldn't deploy new Docker images into the repositories.

Docker Enterprise provides a control plane to enable RBAC monitoring and management to avoid unauthorized access. Auditors love to see access control in action -- and in reporting.

Weigh tool options

Most IT auditing and reporting tools integrate tightly with the major cloud container platforms, such as those from AWS, Google and Microsoft Azure. Make sure the tool not only supports your organization's container platform of choice, but meets its present -- and future -- needs. Prioritize multi-platform support to avoid having to change tools down the road.

Some examples of auditing and reporting tools that are at home in the container market include Twistlock, Datadog, and Aqua.

Each has its own range of options, but they all center on monitoring and anomaly detection. Many also support reporting related to RBAC. Before choosing one, understand the pricing model of these tools, as well as if they come as a SaaS or alternate deployment method.

Start early

Access control and anomaly detection are two prominent container auditing best practices, but there are many additional things to consider, including build management and testing in development. Make container reporting a day-one requirement to ensure intelligent protection against deviation from normal state.

Next Steps

How do I audit a Kubernetes environment?

Cut down on containerized environment complexity

Dig Deeper on Containers and virtualization

Software Quality
App Architecture
Cloud Computing
Data Center