Symantec DCS – Docker Container Security


The Challenge

Organizations that employ containerization practices within a production DevOps framework often face changes in the security paradigm versus a more traditional, persistent and amalgamated environment. Modularity and flexibility are often key attributes of a successful containerization framework. Containerization practices have implications for change control and rollout regarding appropriate implementation of security controls and response measures, particularly when employed within the practices and principles of DevOps.

The Solution

The modularized nature of a containerization framework (such as Docker) lends itself very well to DevOps principles. It allows a simplified and highly managed control of configuration, alteration and release cycles of code through the environment. This release management framework introduces opportunities where an “immutable” system state for production assets becomes feasible.  Additionally, since the containers invariably encapsulate the entirety of the application space and its required dependencies, a very high degree of consistency is typically achievable (and desired) for the underlying operating system builds.  This framework allows for very low-cost and rapid staging of both operating system environments AND application spaces.  It also changes the equation somewhat when it comes to SECURING these spaces.

For Symantec DCS, this capitalizes on two capabilities which together work very well with this dynamic – namely: Protected Whitelist Prevention Policies and Custom Prevention Policies.

The standardized and generally immutable nature of production operating system instances in a DevOps framework means that a policy assigned to the operating system can, in fact, be very, very tightly configured with regard to its controls. The operating system instance itself will not change once it is delivered, AND the instance is typically very basic with regard to its constituent components. Therefore, two of the major factors in governing policy strength are largely offset in this realm, and a far stronger policy can be maintained than otherwise. Whitelist policies start to become more practical here.


Additionally, the encapsulated and well-defined nature of the associated application container being applied atop this environment serves as a PERFECT template for defining a corresponding Custom Prevention Policy, which would likewise be laid atop the underlying protected whitelist policy. The associated application container provides a modularized prevention strategy that aligns very nicely with this overall operating framework, while simultaneously delivering an exceptionally strong security control into the environment.

The Impact

Leveraging either SDCS:SA or SES:CSP requires installation of the Agent on your protected asset, with the availability of a management server and database for initial agent configuration file and policy baselining for unmanaged agents. When utilizing fully managed agents, enhanced reporting services (such as NorthStar’s SOLVE solution) may be, and often are, also implemented to enable more tailored visibility into the environment. In each case, the Agent has a small footprint, requiring 100MB of free space and 256MB of RAM to install and run. SDCS:SA is available for current releases of AIX, Red Hat, Ubuntu, SUSE, Debian, Oracle Linux, and Windows releases from NT 4.0 SP6a through to current releases of Windows 10 and Windows Server 2016.

Additionally, Windows embedded platforms ranging from XP Embedded through to Windows 10 IoT are also supported with the latest releases of SES:CSP. The unified management server ideally will support a minimum of 8GB of RAM, 4 CPU threads and 60GB of free disk space, and will have access to an MSSQL database instance to host the Management and Reporting database. Once installed and profiled, the agent will be protected by the configured security policy, and will typically require minimal (if any) adjustments to the finalized policy as long as the underlying system software configuration or behavior does not change. Once the policy is configured to work with your systems, the security delivered by that policy will remain consistent for the remainder of the life of the protected asset, barring introduction of new functions, applications or configurations.

 

For questions about how NorthStar can help with your Symantec DCS environment, please contact us via your favorite form of communication:

Email: connect@northstar.io | Phone: 312-421-3270