Skip to content ↓ | Skip to navigation ↓

An effective container security strategy consists of many parts. Organizations should first secure the build environment using secure code control along with build tools and controllers. Next, they should secure the contents of their containers using container validation, code analysis and security unit tests. Finally, they should develop a plan to protect their containers in production systems by focusing on runtime security, platform security and orchestration manager security.

But container security doesn’t end there. An effective security program consists of two other items, as well. These are monitoring and auditing.


All the container security processes mentioned above employ preventative security controls. These measures address known attack vectors with well-understood responses like vulnerability scans and encryption. But those and other security practices can only go so far, for they are designed to solve known issues. When it comes to detecting unexpected concerns, organizations can turn to monitoring to discover the unexpected stuff, track events in the environment and detect what’s broken.

Most monitoring tools begin by collecting events like requests for hardware resources and IP-based communication. They then examine them relative to the organization’s security policies. Towards this end, it’s best to use a monitoring solution that combines deterministic white and black list policies with dynamic behavior detection. This gives organizations the best of both worlds, allowing them to detect simple policy violations and unexpected variations.

For organizations to evaluate a monitoring tool, they should look to the following criteria:

  • Deployment model: How does the product collect events? Does it use an agent embedded in the host operating system or a privileged container-based monitor?
  • Policy management: How easy is it to build new policies or modify existing ones?
  • Behavioral analysis: What behavioral analysis options are there? How flexible are they?
  • Activity blocking: Does the solution provide the ability to block requests or activity? This type of feature can block policy violations and ensure approved container behavior. That being said, mistakes might cause applications to malfunction.
  • Platform support: What operating systems does it support?


Auditing is another essential element of container security. That’s because audit and compliance teams have specific concerns relating to an organization’s container. They want to know, for example, what admins have access to management functions or which containers have access to regulated data. Oftentimes they also like to know how containers are segregated and whether it’s possible to demonstrate the process for addressing common vulnerabilities.

Organizations can answer the above questions using operational logs, configuration data and process documents. But the challenge is to map those controls and reports into new environments like the cloud and container orchestration managers where application now exist as micro-services on short-lived servers. Indeed, using IP addresses and application event logs don’t always provide needed reference points. As a result, organizations will need to adjust many reports to reflect the changes in the environment. Simultaneously, they can then leverage monitoring activity at the API/application layer to gain complete visibility of system activity.

A Complete Container Security Strategy

Monitoring and auditing mark the final elements of a complete container security strategy. Tripwire’s eBook The Complete Guide to Container Security covers other elements and the security controls needed to fulfill them. Download your copy today to learn more.