Securing the software supply chain with Docker EE · 2019-01-02
Patrick van der Bleek, Solutions Engineer @Docker


DOCKER ENTERPRISE EDITION: Containers as a Service


THE MODERN SOFTWARE SUPPLY CHAIN

Diagram of the chain: source/dependencies, build systems/engineers, application repository, network, deployed systems


THE SECURITY CHALLENGES

Secure Platform + Secure Content + Secure Access

• Secure Platform: strong isolation and secure by default
• Secure Content: content integrity and trust
• Secure Access: authentication, authorization and access control

For Developers
• Does not hinder speed or creativity
• Accelerate secure development

For IT ops
• Flexible and granular controls
• Proactive risk management


Secure Platform


“Gartner asserts that applications deployed in containers are more secure than applications deployed on the bare OS.”

http://blogs.gartner.com/joerg-fritsch/can-you-operationalize-docker-containers/


CONTAINER ISOLATION

Kernel primitives used: pid namespace, mnt namespace, net namespace, uts namespace, user namespace, pivot_root, uid/gid drop, cap drop, all cgroups, selinux, apparmor, seccomp

Secure by default

1. Out of the box default settings and profiles

2. Granular controls to customize settings


SECURE HOST CONFIGURATION

Ensure secure host configurations
• Aligned to recommendations in Center for Internet Security’s Benchmark for Docker Engine 1.13/17.03
• Automates checking your host configs against the benchmark recommendations

Easy to use
• Available to run as a container or using a Compose file

www.dockerbench.com


SECURE CLUSTER MANAGEMENT

• Least privilege orchestration
• Cryptographic node identity
• Out of the box TLS
• Seamless PKI
• Automatic cert rotation
• External CA integration

Diagram: three manager nodes, each with a certificate authority, and three worker nodes, all communicating over TLS


Secure Content


COMMON QUESTIONS ON CONTENT SECURITY

• What is inside my container?
• How do I know where this code came from?
• How do I keep our team safe from bad components?
• How do I stay on top of patches for compliance and governance?
• How do I NOT make this a giant pain for everyone? (including myself)


SECURITY SCANNING OF IMAGES

Deep visibility with binary level scanning
• Detailed BOM of included components and vulnerability profile
• Checks packages against CVE database AND the code inside to protect against tampering
• Covers wide range of languages, binaries, OS

Proactive risk management
• Continuous monitoring of CVE/NVD databases with notifications pointing to repos and tags that contain new vulnerabilities

Secure the software supply chain
• Integrated workflow with Docker Content Trust
• Available for Official Repos since Nov 2015

(Figure: Sample Bill of Materials (BOM))


DOCKER CONTENT TRUST


DOCKER CONTENT TRUST: IMAGE FORGERY USE CASE


DOCKER CONTENT TRUST: REPLAY ATTACKS USE CASE


DOCKER CONTENT TRUST: COMPROMISED KEYS USE CASE


DOCKER CONTENT TRUST: CHAIN OF TRUST


DOCKER CONTENT TRUST: ENFORCEMENT

• In UCP, can prevent running a container unless image signed by member of a designated team
  – Can require multiple teams’ signatures, or can allow any UCP user to sign

• Requires UCP user certificates for authentication
  – DTR sets up a Notary server
  – Initialize Notary repos with a UCP user’s client bundle public keys
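The three Content Trust use cases named on the preceding slides (forged image, replayed release, compromised key) and the multi-team signing rule above, as an added example that is not from the deck or from Docker's Notary code: it models the TUF-style checks a client applies to signed targets metadata before it trusts a tag. HMAC-SHA256 stands in for Notary's public-key signatures so the block runs offline; the key ids, digests, version counter and 2-of-2 team threshold are constructed values.

```python
import hashlib
import hmac
import json

def canonical(signed):
    # TUF-style canonical JSON: signatures cover exactly these bytes
    return json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()

def sign(key, signed):
    # HMAC-SHA256 stands in for Notary's public-key signatures (offline demo only)
    return hmac.new(key, canonical(signed), hashlib.sha256).hexdigest()

def verify_targets(signed, signatures, trusted_keys, threshold, last_seen_version, now):
    """(ok, reason) for {"version", "expires" (epoch s), "targets": {tag: {"sha256"}}}
    signed by {keyid: sig}; trusted_keys holds only the keys currently delegated."""
    valid = set()
    for keyid, sig in signatures.items():
        key = trusted_keys.get(keyid)
        if key is None:
            continue  # rotated-out or unknown key: its signature carries no weight
        if hmac.compare_digest(sign(key, signed), sig):
            valid.add(keyid)
    if len(valid) < threshold:
        return False, "insufficient valid signatures"
    if signed["expires"] <= now:
        return False, "metadata expired"  # stale content is rejected
    if signed["version"] < last_seen_version:
        return False, "version rollback"  # replay of an older release
    return True, "ok"

def digest_matches(signed, tag, pulled_digest):
    # the digest the signed metadata binds to the tag must equal what was pulled
    return signed["targets"][tag]["sha256"] == pulled_digest

# constructed scenario: two teams must both sign (threshold 2), last seen version 7
KEYS = {"team-build": b"constructed-key-1", "team-security": b"constructed-key-2"}
NOW = 1_700_000_000
GOOD = {"version": 7, "expires": NOW + 86400, "targets": {"latest": {"sha256": "a" * 64}}}
GOOD_SIGS = {k: sign(v, GOOD) for k, v in KEYS.items()}

def scenario_forgery():
    # tag re-pointed at another image; the signatures no longer cover the bytes
    forged = dict(GOOD, targets={"latest": {"sha256": "b" * 64}})
    return verify_targets(forged, GOOD_SIGS, KEYS, 2, 7, NOW)

def scenario_replay():
    # a genuinely signed but older release served again
    old = {"version": 3, "expires": NOW + 86400, "targets": {"latest": {"sha256": "c" * 64}}}
    return verify_targets(old, {k: sign(v, old) for k, v in KEYS.items()}, KEYS, 2, 7, NOW)

def scenario_compromised_key():
    # team-build's key leaked and was rotated; the old key is dropped from the trusted set
    rotated = dict(KEYS, **{"team-build": b"constructed-key-1-new"})
    return verify_targets(GOOD, GOOD_SIGS, rotated, 2, 7, NOW)
```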


Secure Access


ROLE BASED ACCESS CONTROL

Set up options
• LDAP/AD support
• Built-in

Granular RBAC
• Users and Teams
• Roles
• Permission labels

User Experience
• Single sign on


ROLE BASED ACCESS CONTROL

• Granular label-based RBAC for services and networks
  – Works similarly to RBAC for containers (add the "com.docker.ucp.access.label" label)
  – Control permission

• Protect system resources (UCP/DTR) from non-admins
  – UCP/DTR Containers, Networks, and Volumes are hidden from non-admins


SECRETS MANAGEMENT

Diagram: three managers form a Raft consensus group backing the internal distributed store; workers and the web UI connect to the managers

• Encrypted at rest in the cluster store
• Encrypted while in motion on the network
• Delivered only to the exact authorized app
• Available to containers only in memory, never saved to disk


THE SECURITY CHALLENGES

Secure Platform + Secure Content + Secure Access

Secure Platform
• All available isolation and containment
• Default security settings and profiles
• Docker Bench
• Swarm Node Identity

Secure Content
• Docker Content Trust
• Security Scanning

Secure Access
• Role based access control (RBAC)
• AD/LDAP integration
• Secrets Management


WHERE TO GO NEXT

• Learn more about Docker Enterprise Edition: https://www.docker.com/enterprise-edition
• Customer use cases: https://www.docker.com/customers
• Try Docker Datacenter free for 30 days: https://www.docker.com/eval
• Reference Architecture, Securing Docker EE and Security Best Practices: https://success.docker.com/Architecture


THANK YOU
