Gartner Research

Security Considerations and Best Practices for Securing Containers

Published: 10 November 2016

ID: G00314053

Analyst(s): Neil MacDonald

Summary

OS containers are not inherently unsecure, but are being deployed unsecurely, driven by developers and a need for agility in service development and deployment. Security and risk management leaders must address container security issues around vulnerabilities, visibility, compromise and compliance.

Table Of Contents
  • Key Challenges

Introduction

Analysis

  • Set Standards for the Minimal and Hardened OS Kernel
  • Enforce Separation of Duties, Fine-Grained Authorization Throughout Container Life Cycle
  • Scan Containers in the Development Process
  • Scan Container Repositories Continuously
  • Pressure All Security Vendors to Become Programmable via APIs and to Explicitly Support CI/CD Toolchains
  • Apply Full Audit Control, Version Control and Integrity Checking on Containers and Scripts
  • Pressure Cloud Workload Protection Platform Vendors to Support Containers
  • Disable Antivirus and Adopt Application Control Whitelisting
  • Configure Containers for Default Deny for Network Isolation, but Move Beyond Manual Iptable Configuration
  • Adopt an Immutable Infrastructure Mindset
  • Adopt a Systematic Workload Reprovisioning Strategy for the Long Term
  • Use VMs or Physical Hardware for Strong Isolation Until Your Enterprise Container Security Processes Mature

Gartner Recommended Reading

©2019 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates. This publication may not be reproduced or distributed in any form without Gartner’s prior written permission. It consists of the opinions of Gartner’s research organization, which should not be construed as statements of fact. While the information contained in this publication has been obtained from sources believed to be reliable, Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner research may address legal and financial issues, Gartner does not provide legal or investment advice and its research should not be construed or used as such. Your access and use of this publication are governed by Gartner’s Usage Policy. Gartner prides itself on its reputation for independence and objectivity. Its research is produced independently by its research organization without input or influence from any third party. For further information, see Guiding Principles on Independence and Objectivity.

Already have a Gartner Account?

Purchase this Document

To purchase this document, you will need to register or sign in above

Become a client