Get Hands-On Experience with BoxBoat's Cloud Native Academy
Secure Your Enterprise Software With Docker Datacenter
by David Widen | Friday, Apr 7, 2017 | Docker Security
Deploying enterprise applications is very different today than it was even a few years ago. Organizations have migrated away from large, monolithic legacy applications towards distributed microservices. This paradigm shift not only complicates orchestration and deployment, but makes securing your applications both more complex and challenging. Securing these distributed microservices is of paramount importance. Every week, there is a new article about how another company was hacked and lost sensitive data to the detriment of their bottom line.
Docker Datacenter provides an integrated, end-to-end platform for agile application management that ships with several industry-leading security mechanisms to protect your applications and data. It deploys your Containers as a Service (CaaS) architecture on-premise or in the cloud, providing a centralized management console for ease-of-use. Today, it is the best stand-alone solution to secure your enterprise applications. It does this through several built-in components.
Docker Universal Control Plane
The Docker Universal Control Plane (UCP) is the enterprise solution for cluster management. It can be installed either on-premises, or inside your cloud infrastructure. It provides a graphical interface to securely manage your entire cluster from a single location. Specifically, you can manage applications, images, containers, networks, and volumes from a single interface. In addition, it fully supports the Docker API so you can introspect your cluster using tools that you are already familiar with.
UCP uses its own built-in authentication mechanism. In addition, it supports integration with LDAP and Active Directory. This allows UCP to easily integrate into your enterprise authentication solution. UCP also supports Role based Access Controls (RBAC). This allows your organization to specify who the authorized users are, and what actions they are able to take.
Docker Secrets Management
When you stand up Docker Datacenter, you get Docker Swarm working out of the box. Docker Swarm recently introduced native secrets management, a mechanism for you to securely deploy “secrets” (e.g. credentials or certificates) to your swarm containers.
Containers will often need to access other resources, such as a database. Since your database will have access credentials, you need to deploy those credentials to the container accessing it. You should not deploy those secrets as unencrypted strings in Docker-Compose or a Dockerfile. Deploying an unprotected key-value to serve sensitive information to containers is also an insecure solution.
Docker Datacenter provides lifecycle management and deployment of secrets through the user interface. It also supports access controls. Docker Datacenter will deploy secrets to each swarm's Internal Distributed Store via TLS. From there, manager nodes will securely deploy these secrets to any containers running on worker nodes at runtime.
Docker Trusted Registry
When your organization uses Docker Datacenter to manage application infrastructure, you get a Docker Trusted Registry (DTR) by default. This trusted registry is where your organization will store all of your Docker images used by your application and developer teams. Keeping the DTR internal and behind your firewall will protect it against external threats.
DTR uses the same authentication mechanisms as UCP (default Docker authentication, LDAP, and Active Directory). It also supports RBAC so you have fine-grained control over who has access to different sets of container. From a security standpoint, this means you have a firewall protected, private registry that uses an integrated authentication mechanism which reduces the number of weak passwords that have access to your system.
Docker Image Security Scanning
One of the hardest parts of securing an application is ensuring that all of the external code dependencies you use are free of exploits. As a software engineer, I can tell you that it is impossible to guarantee that code lacks vulnerabilities. However, the ability to automatically detect vulnerabilities and remove them from your code base is a very powerful feature. What is even more powerful is the ability to tag and blacklist binaries so that no applications will be built using this insecure code. Docker Datacenter does this.
DTR introduced a new feature that scans your dependencies and automatically detects known malicious code. Recall that a Docker container is built on multiple “image layers,” where a single “image layer” contains software dependencies. DTR will scan each of these “image layers,” and compare the binary signatures to those in the MITRE CVE database. If DTR finds any “image layers” that contain code referenced in this vulnerability database, it will tag any images associated with those “image layers” as being insecure. In addition, you can write a security policy such that no Docker container can be run if they do not pass their security scan.
Full Stack Security
Docker Datacenter, when used in conjunction with secure hardware and a secure public interface, provides full stack security for your distributed, microservice-based application. The native, built-in features of Docker Datacenter provide you with the following security mechanisms:
Every organization must protect their vital data and applications. Although no solution will completely protect you, Docker Datacenter's built-in, default software and configuration will provide superior security to protect your applications.