Which strategies will reduce the attack surface and enhance the security of the containers?
(Choose two.)
Use the containers to automate security deployments.
Limit resource consumption (CPU, memory), networking connections, ports, and unnecessary container libraries.
Segregate container by host, function, and data classification.
Use Docker Notary framework to sign task definitions.
Enable container breakout at the host kernel.
Explanations:
While automating security deployments can enhance overall security practices, it does not directly reduce the attack surface of the containers. Instead, it focuses on operational efficiency rather than container-specific security measures.
Limiting resource consumption, networking connections, ports, and unnecessary container libraries directly reduces the attack surface by minimizing the potential attack vectors available to malicious actors. This practice helps in isolating the containers and preventing unwanted interactions with other parts of the system.
Segregating containers by host, function, and data classification helps to minimize exposure and potential attack vectors. This strategy creates boundaries, which can contain potential breaches and limit the impact on sensitive data and critical functions.
Using Docker Notary to sign task definitions improves integrity and provenance verification (a consumer can check that an image or definition is the one its publisher signed) but does not directly reduce the attack surface. Signing is an essential security practice, but it neither removes vulnerabilities from the container nor limits what the container can reach.
Enabling container breakout at the host kernel is a security risk that increases the attack surface, as it allows containers to escape their isolation and interact with the host system, potentially compromising the entire host and other containers.
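A Docker Compose file that applies the two correct strategies (resource, network, port and library minimisation for each container, and segregation of containers by function onto separate networks), added here as an illustration. It is not part of the original question; the service names, images and limits are constructed.

```yaml
# Constructed example: a web tier and a database tier, each with a reduced attack surface.
services:
  web:
    image: web:1.0                    # hypothetical image built from a minimal base, no extra libraries
    read_only: true                   # immutable root filesystem
    tmpfs: [/tmp]                     # only writable scratch space
    user: "10001:10001"               # not root inside the container
    cap_drop: [ALL]                   # no Linux capabilities; re-add individually only if proven necessary
    security_opt: [no-new-privileges:true]
    # privileged: true or pid: host would be the "breakout" settings from the last option; neither is set
    cpus: "0.50"                      # CPU ceiling
    mem_limit: 256m                   # memory ceiling
    pids_limit: 100                   # bounds process creation
    ports:
      - "127.0.0.1:8080:8080"         # the single required port, bound to loopback (a reverse proxy fronts it)
    networks: [edge, backend]         # edge for clients, backend only to reach the database

  db:
    image: db:1.0                     # hypothetical image
    read_only: true
    tmpfs: [/tmp, /run]
    volumes: [dbdata:/var/lib/data]   # the only writable, persistent path
    user: "10002:10002"
    cap_drop: [ALL]
    security_opt: [no-new-privileges:true]
    cpus: "1.0"
    mem_limit: 512m
    pids_limit: 200
    # no "ports:" entry: the database is never published to the host
    networks: [backend]               # reachable only from services on the backend network

networks:
  edge: {}                            # client-facing network
  backend:
    internal: true                    # no route to the outside world; data tier is segregated

volumes:
  dbdata: {}
```

Each container can reach only the network it needs, publishes only the port it needs, and runs with no capabilities and bounded CPU, memory and process counts; compare this with a `privileged: true` service, which is the breakout setting the last option warns against.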