At DockerCon 2016, held in Seattle, USA, Aaron Grattafiori presented “The Golden Ticket: Docker and High Security Microservices”. Core recommendations for running secure container-based microservices included enabling User Namespaces, configuring application-specific AppArmor or SELinux, using an application-specific seccomp whitelist, hardening the host system (including running a minimal OS), restricting host access and considering network security.
Grattafiori, Technical Director at NCC Group and author of “Understanding and Hardening Linux Containers” (PDF), began the talk by introducing the principles of defense in depth, which consists of presenting a layered defense, shrinking attack surfaces, and hardening those that remain. Although microservices may add overall complexity to a system architecture (particularly when operated at scale), the fact that they can be implemented so as not to present a single point of security failure provides an advantage over a typical monolithic application.
The principle of least privilege, e.g. not running an application process as root, is vitally important to securing a system.
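Two of the recommendations above, an application-specific seccomp whitelist and not running the container process as root, are easy to check mechanically. The following is an added example (not code from the talk, NCC Group or Docker) that audits a Docker seccomp profile for allowlist-vs-denylist shape and a `docker inspect` record for the effective user; it assumes Docker's seccomp JSON layout (`defaultAction`, `syscalls[].names`/`name`, `action`) and the `Config.User` field of `docker inspect`, with all sample inputs constructed inline.

```python
import json

# Constructed sample: application-specific allowlist (default deny, explicit allow).
ALLOWLIST_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [{"names": ["read", "write", "exit_group", "futex"],
                  "action": "SCMP_ACT_ALLOW"}],
})
# Constructed sample: denylist style (default allow, a few syscalls blocked).
DENYLIST_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ALLOW",
    "syscalls": [{"names": ["ptrace", "mount"], "action": "SCMP_ACT_ERRNO"}],
})
# Constructed samples shaped like `docker inspect <container>` output.
ROOT_INSPECT = json.dumps([{"Config": {"User": "", "Image": "app:1"}}])
NONROOT_INSPECT = json.dumps([{"Config": {"User": "1000:1000", "Image": "app:1"}}])


def audit_seccomp_profile(profile_json: str) -> dict:
    """Report whether a Docker seccomp profile is a default-deny allowlist
    and which syscalls it explicitly permits."""
    profile = json.loads(profile_json)
    default = profile.get("defaultAction", "SCMP_ACT_ALLOW")
    allowed = set()
    for rule in profile.get("syscalls", []):
        if rule.get("action") != "SCMP_ACT_ALLOW":
            continue
        allowed.update(rule.get("names", []))   # current multi-name form
        if "name" in rule:                        # older single-name form
            allowed.add(rule["name"])
    is_allowlist = default != "SCMP_ACT_ALLOW"
    finding = None if is_allowlist else (
        "defaultAction permits every syscall not listed; use a default-deny allowlist")
    return {"default_action": default, "is_allowlist": is_allowlist,
            "allowed_syscalls": sorted(allowed), "finding": finding}


def audit_container_user(inspect_json: str) -> dict:
    """Flag a container whose process runs as root: Config.User is empty when
    the image never set USER, which Docker treats as uid 0."""
    data = json.loads(inspect_json)
    config = (data[0] if isinstance(data, list) else data).get("Config", {})
    user = config.get("User", "")
    uid = user.split(":")[0]                      # "user:group" or "uid:gid"
    runs_as_root = uid in ("", "0", "root")
    return {"user": user or "(unset -> root)", "runs_as_root": runs_as_root}
```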
Read more at InfoQ