How to Layer Secure Docker Containers with Hardened Images

As organizations that use the cloud mature, they find more innovative and effective solutions for their workloads. Containerized applications offer portability, efficient use of resources, and faster application start-up. These are just a few of the reasons Gartner reports that by 2023, “70% of applications deployed in the cloud will use containers as a packaging mechanism.” As we know, with innovation comes risk. Cloud security professionals therefore need to secure their container environments, and building on hardened images is one way to reduce that risk.

The Center for Internet Security (CIS) offers CIS Hardened Images, which bring the globally recognized security configuration recommendations of the CIS Benchmarks to the cloud. CIS Hardened Images are pre-hardened virtual machine images available for operating systems, databases, web servers, and containers. The containerized CIS Hardened Images are built with Docker on the cloud provider's base images. Docker packages an application, together with everything it needs to run, into a self-contained container image that runs the same way across computing environments. CIS provides these containerized CIS Hardened Images in Amazon Web Services (AWS) Marketplace.

Secure Container Benefits

Container software, such as Docker, packages the application code with all of the other files and libraries an application needs to run, so it can easily move to other computing environments. The benefits of using these secure Docker containers include:

  • The ability to build and test applications quickly, benefitting DevOps and testing processes
  • Applications packaged in containers can easily swap in and out
  • Flexibility, cost-effectiveness, and ease of use

Although CIS builds its container images with Docker, they are standard container images and also run under other container runtimes.

CIS Hardened Images Built on Secure Docker Containers

CIS offers several hardened images layered on secure Docker containers in AWS Marketplace. These include versions of Amazon Linux, Ubuntu Linux, NGINX, and PostgreSQL. You can see the full list of CIS Hardened Images on the platform list on the CIS website.

These CIS Hardened Images on secure Docker containers in AWS Marketplace are:

  • Deployed quickly with pre-configured security
  • Easy to patch – swap the old base layer for the patched one, rebuild, test, and either promote the new image or roll back to the previous one if necessary
  • Cost effective – use only what you need, since AWS bills on a pay-as-you-go model
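The layering and patch-or-roll-back workflow above, shown as an added Dockerfile example (this is not CIS's own build file). The base image repository and digest are placeholders: substitute the repository and digest of the CIS Hardened Image you pull from AWS Marketplace (`docker images --digests` shows the digest). The application directory `app/` and its `/app/server` entrypoint are likewise assumed.

```dockerfile
# syntax=docker/dockerfile:1
# Added example: layer an application on a hardened base image.
# ASSUMPTION: BASE_IMAGE and BASE_DIGEST are placeholders for the CIS Hardened
# Image you actually use; the all-zero digest below will not resolve.
ARG BASE_IMAGE=example.com/cis-hardened-base
ARG BASE_DIGEST=sha256:0000000000000000000000000000000000000000000000000000000000000000

# Pin the hardened base by digest, not by tag, so a rebuild cannot silently
# pick up a different base. Patching the base layer is then an explicit
# change of BASE_DIGEST, which is easy to review and easy to revert.
FROM ${BASE_IMAGE}@${BASE_DIGEST}

# ARGs declared before FROM are not visible after it; re-declare to record
# the exact base layer inside the image for later inspection
# (docker inspect --format '{{ index .Config.Labels "org.opencontainers.image.base.digest" }}' myapp:1).
ARG BASE_DIGEST
LABEL org.opencontainers.image.base.digest="${BASE_DIGEST}"

# Application layer: an unprivileged, fixed-UID service account. Using a
# numeric UID lets orchestrators (for example Kubernetes runAsNonRoot)
# verify the container does not start as root. If the hardened base
# already provides a service account, reuse it instead of creating one.
RUN useradd --system --uid 10001 --no-create-home \
        --shell /usr/sbin/nologin app

WORKDIR /app
# ASSUMPTION: the build context contains an app/ directory with the
# application binary /app/server. Files are owned by the service account.
COPY --chown=app:app app/ /app/

# Drop privileges for everything that runs from here on, including the
# entrypoint. The hardened base keeps its own configuration untouched;
# only this thin application layer changes between builds.
USER 10001:10001

# Exec form so the server is PID 1 and receives signals directly.
ENTRYPOINT ["/app/server"]
```

Build the first release with `docker build --build-arg BASE_DIGEST=sha256:… -t myapp:1 .` and run it with the remaining privileges removed at run time, for example `docker run --read-only --cap-drop ALL --tmpfs /tmp myapp:1`. To patch, bump `BASE_DIGEST` to the digest of the patched hardened image, build `myapp:2`, and test it; if the test fails, the previous image tag `myapp:1` is still present and redeploying it is the rollback. Keep the old tag until the new image has been promoted.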

Mapped to Regulatory Frameworks

The cybersecurity community recognizes the CIS Benchmarks and CIS Controls as industry standards for cyber protection around the world. What’s more, many industry frameworks reference CIS Benchmarks as an acceptable standard to help meet compliance. These frameworks include DoD STIGs, FedRAMP, the DoD Cloud Computing SRG, HIPAA, PCI DSS, and NIST. By extension, CIS Hardened Images can help meet compliance with these frameworks.

Secure Your Cloud Workloads with CIS Hardened Images

CIS Hardened Images help organizations work securely and affordably in the cloud. CIS pre-configures these hardened images according to CIS Benchmark recommendations. To develop these consensus-based recommendations, CIS leads a community of cybersecurity experts.

These hardened images are more secure than standard images: the CIS Benchmark configuration reduces their exposure to malware, insufficient authorization, and remote intrusion in the cloud. They also reduce upfront hardware costs and the resource hours spent on maintenance. Every CIS Hardened Image includes a CIS-CAT Pro report showing its conformance to the CIS Benchmark.