What You Should Know About Container Security

The purpose of this presentation is to introduce the different options in securing a container and the host that the container is running on so that the audience will have an understand of container security and some of the tools available to secure their container environment Presentation is going to be divided into 4 parts.

The first part of the presentation will give an overview on what a container is and how Docker make it so popular as well as to introduce the container ecosystem especially all the Linux distributions that are tuned for running container with small footprint to minimize attack surface. Will explain the use of namespace, cgroup, root capabilities with seccomp and the use of Mandatory Access Control of SELinux and AppArmor for container security, tenant isolation in a host and the practice of the Least Privilege principle.

The second part of the presentation will explain the various external tools such as The Update Framework (TUF) which is the basis for Docker Content Trust, the use of digital digest for container image integrity and the various container scanning offerings from Red Hat, IBM and CoreOS. How LinuxKit is a major improvement to Docker container security. Finally for the second part the Intel Clear Container where hardware is used for container isolation.

The third part will touch on securing Micro-services with JSON Web Token for th inter pod/container communication as well as the open source project Calico to enhance Kubernetes Network Policy.

Automation is an important aspect for security and in the forth part of this presentation, there is a hand-on demo on how to use ansible-container to harden a container