Proper Docker container configuration is a good first step for security, but according to Twistlock CEO Ben Bernstein, it's not enough.
Twistlock today announced the general availability of its Container Security Suite, which aims to go beyond best practices configuration for security to provide improved runtime security.
"You should think of us as a traditional security technology for an environment where you run containers," Bernstein told eWEEK. "We're not saying that containers are insecure by nature; we're just adding more layers of security on top of what you already have."
There are multiple security controls and best practices for Docker container security, many of which are inherited from the Linux operating system on which Docker is deployed, including cgroups and namespaces, which provide isolation and control.
Twistlock is focusing on different areas of container protection, particularly the DevOps development lifecycle for continuous integration. "We do image hygiene and runtime protection," Bernstein said.
For the application image, Twistlock looks at multiple levels, including the file layer as well as the whole image in order to find potential risks. An application image is at some point deployed inside the Docker runtime environment, which presents an additional potential set of risks.
With containers, there is the ability to look into a service to make sure only authorized services are running, Bernstein said. Twistlock performs heuristics and dynamic profiling at runtime to identify potential risks. The runtime protection component of Twistlock's technology is linked to six pending patents that the company has developed.
"At runtime, we provide an active protection for containers," Bernstein said.
Twistlock looks at the resources being consumed by a container application, which include API processes that are spawned, as well as ports being opened. Twistlock, which is not an invasive technology, is not sitting in system memory and doesn't actually have a footprint in the actual container application that is being protected and scanned, Bernstein said.
"We're running as a dedicated privileged container on each host, and we're using the operating system to do profiling because, at the end of the day, containers are just processes," Bernstein said.
From an image hygiene perspective, in the open-source Docker community, there is the Notary project and the Content Trust initiative, which aim to provide validated and authenticated images for Docker. Content Trust debuted alongside the Docker 1.8.0 release in August.
"Notary is an awesome way to make sure there isn't a man-in-the-middle attack on an image," Bernstein said. "What might not be awesome is maybe the person that initially wrote the code made a mistake or there was some hygiene image with the original issue."
Twistlock is able to scan the image to determine the quality and if there is a potential vulnerability.
Twistlock is available for users of Google Cloud Platform as a service to protect the Google Container Engine. The technology can also can work with Amazon's container service, though Twistlock does not yet have a formal partnership with Amazon, Bernstein said. Twistlock also is currently available as a free trial for Docker container users to evaluate.
"The commercial model will be a yearly subscription," Bernstein said. "If you want to get it for free, we offer support for up to two hosts for free."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.