securing the software supply chain with docker ee · 2019-01-02 · securing the software supply...
TRANSCRIPT
Securing the software supply chain with Docker EE
Patrick van der Bleek, Solutions Engineer @Docker
DOCKER ENTERPRISE EDITION: Containers as a Service
THE MODERN SOFTWARE SUPPLY CHAIN
[Diagram of the supply chain stages: source/dependencies, build systems/engineers, repository, network, deployed systems, application]
THE SECURITY CHALLENGES
Secure Platform + Secure Content + Secure Access
• Secure Platform: strong isolation and secure by default
• Secure Content: content integrity and trust
• Secure Access: authentication, authorization and access control
For Developers
• Does not hinder speed or creativity
• Flexible and granular controls
For IT ops
• Accelerate secure development
• Proactive risk management
Secure Platform
“Gartner asserts that applications deployed in containers are more secure than applications deployed on the bare OS.”
http://blogs.gartner.com/joerg-fritsch/can-you-operationalize-docker-containers/
CONTAINER ISOLATION
• pid namespace
• mnt namespace
• net namespace
• uts namespace
• user namespace
• pivot_root
• uid/gid drop
• cap drop
• all cgroups
• selinux
• apparmor
• seccomp
Secure by default
1. Out of the box default settings and profiles
2. Granular controls to customize settings
SECURE HOST CONFIGURATION
Ensure secure host configurations
• Aligned to recommendations in the Center for Internet Security’s Benchmark for Docker Engine 1.13/17.03
• Automates checking your host configs against the benchmark recommendations
Easy to use
• Available to run as a container or using a Compose file
www.dockerbench.com
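As an added example (not Docker Bench’s own code), a small Python checker of the kind the Docker Bench slide above describes: it reads a Docker daemon.json and reports hardening settings of the sort the CIS Docker Benchmark recommends that are missing or weakened. The check list is an illustrative subset and the two sample configs are constructed.

```python
# Added illustration, not Docker Bench itself: audits a daemon.json against a
# constructed subset of the hardening settings the CIS Docker Benchmark recommends.
import json

# Each check: (daemon.json key, predicate on its value, description of the expected state).
# A key that is absent is evaluated as None, i.e. the daemon default applies.
CHECKS = [
    ("icc", lambda v: v is False, "inter-container communication disabled (icc=false)"),
    ("userns-remap", lambda v: isinstance(v, str) and v != "", "user namespace remapping enabled"),
    ("live-restore", lambda v: v is True, "live-restore enabled so containers survive daemon restarts"),
    ("userland-proxy", lambda v: v is False, "userland proxy disabled"),
    ("no-new-privileges", lambda v: v is True, "no-new-privileges set for all containers"),
    ("experimental", lambda v: not v, "experimental features disabled"),
    ("insecure-registries", lambda v: not v, "no insecure (plain HTTP) registries configured"),
    ("log-level", lambda v: v in (None, "info"), "daemon log level at 'info' or the default"),
]

def audit_daemon_config(config_text: str) -> list:
    """Return the descriptions of every failed check for a daemon.json document."""
    config = json.loads(config_text)
    return [desc for key, ok, desc in CHECKS if not ok(config.get(key))]

# Constructed sample configs for the demo (not taken from any real host).
WEAK_CONFIG = '{"icc": true, "insecure-registries": ["registry.internal:5000"], "experimental": true}'
HARDENED_CONFIG = """{
  "icc": false, "userns-remap": "default", "live-restore": true,
  "userland-proxy": false, "no-new-privileges": true,
  "experimental": false, "insecure-registries": [], "log-level": "info"
}"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_daemon_config(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```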
SECURE CLUSTER MANAGEMENT
• Least privilege orchestration
• Cryptographic node identity
• Out of the box TLS
• Seamless PKI
• Automatic cert rotation
• External CA integration
[Diagram: three manager nodes, each running a certificate authority, and three worker nodes, all connected over TLS]
Secure Content
COMMON QUESTIONS ON CONTENT SECURITY
• What is inside my container?
• How do I know where this code came from?
• How do I keep our team safe from bad components?
• How do I stay on top of patches for compliance and governance?
• How do I NOT make this a giant pain for everyone? (including myself)
SECURITY SCANNING OF IMAGES
Deep visibility with binary level scanning
• Detailed BOM of included components and vulnerability profile
• Checks packages against CVE database AND the code inside to protect against tampering
• Covers wide range of languages, binaries, OS
Proactive risk management
• Continuous monitoring of CVE/NVD databases with notifications pointing to repos and tags that contain new vulnerabilities
Secure the software supply chain
• Integrated workflow with Docker Content Trust
• Available for Official Repos since Nov 2015
[Image: Sample Bill of Materials (BOM)]
DOCKER CONTENT TRUST
DOCKER CONTENT TRUST: IMAGE FORGERY USE CASE
DOCKER CONTENT TRUST: REPLAY ATTACKS USE CASE
DOCKER CONTENT TRUST: COMPROMISED KEYS USE CASE
DOCKER CONTENT TRUST: CHAIN OF TRUST
DOCKER CONTENT TRUST: ENFORCEMENT
• In UCP, can prevent running a container unless image signed by member of a designated team
  – Can require multiple teams’ signatures, or can allow any UCP user to sign
• Requires UCP user certificates for authentication
  – DTR sets up a Notary server
  – Initialize Notary repos with a UCP user’s client bundle public keys
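The image forgery, replay attack and compromised key use cases named above, as an added Python illustration that is not Docker’s or Notary’s code: it models the checks a signed targets statement makes possible before a pulled image is accepted. An HMAC over a constructed key (`publisher-k1`) stands in for the asymmetric signatures Notary actually uses, and the image name, digests and timestamps are constructed.

```python
# Added illustration, not Docker/Notary code: an HMAC over a constructed key
# stands in for Notary's asymmetric signatures so this runs on the stdlib alone.
import hashlib, hmac, json
class TrustError(Exception):
    pass
def _canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
def sign_targets(key_id: str, key: bytes, version: int, expires: int, targets: dict) -> dict:
    """Sign a 'targets' statement (constructed stand-in for a Notary targets role file)."""
    body = {"version": version, "expires": expires, "targets": targets}
    return {"signed": body, "key_id": key_id, "sig": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}

def verify_pull(stmt, image, pulled_digest, trusted_keys, last_version, now) -> int:
    """Accept the pulled digest only if every check passes; return the new trusted version."""
    key = trusted_keys.get(stmt["key_id"])
    if key is None:
        raise TrustError("unknown or revoked signing key")         # compromised-key use case
    expected = hmac.new(key, _canonical(stmt["signed"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, stmt["sig"]):
        raise TrustError("signature does not verify")              # tampered metadata
    signed = stmt["signed"]
    if signed["expires"] <= now:
        raise TrustError("metadata expired")                       # stale metadata kept alive
    if signed["version"] <= last_version:
        raise TrustError("metadata version rolled back")           # replay-attack use case
    if signed["targets"].get(image) != pulled_digest:
        raise TrustError("digest does not match signed target")    # image-forgery use case
    return signed["version"]

# Constructed demo data: no real keys, images or digests.
KEYS = {"publisher-k1": b"constructed-demo-key"}
GOOD = "sha256:" + hashlib.sha256(b"myapp:1.0 genuine layers").hexdigest()
EVIL = "sha256:" + hashlib.sha256(b"myapp:1.0 backdoored layers").hexdigest()
T0 = 1_700_000_000
STMT = sign_targets("publisher-k1", KEYS["publisher-k1"], 2, T0 + 3600, {"myapp:1.0": GOOD})

def outcome(**overrides) -> str:
    # One pull attempt with the genuine arguments, except those overridden.
    args = {"stmt": STMT, "image": "myapp:1.0", "pulled_digest": GOOD,
            "trusted_keys": KEYS, "last_version": 1, "now": T0} | overrides
    try:
        return f"accepted v{verify_pull(**args)}"
    except TrustError as e:
        return f"rejected: {e}"

if __name__ == "__main__":
    print("genuine pull:     ", outcome())
    print("forged image:     ", outcome(pulled_digest=EVIL))
    print("replayed metadata:", outcome(last_version=2))
    print("expired metadata: ", outcome(now=T0 + 7200))
    print("revoked key:      ", outcome(trusted_keys={}))
```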
Secure Access
ROLE BASED ACCESS CONTROL
Set up options
• LDAP/AD support
• Built-in
Granular RBAC
• Users and Teams
• Roles
• Permission labels
User Experience
• Single sign on
ROLE BASED ACCESS CONTROL
• Granular label-based RBAC for services and networks
  – Works similarly to RBAC for containers (add "com.docker.ucp.access.label")
  – Control permission
• Protect system resources (UCP/DTR) from non-admins
  – UCP/DTR Containers, Networks, and Volumes are hidden from non-admins
SECRETS MANAGEMENT
[Diagram: three manager nodes holding the internal distributed store (Raft consensus group), three worker nodes, and the Web UI]
• Encrypted at rest in the cluster store
• Encrypted while in motion on the network
• Delivered only to the exact authorized app
• Available to containers only in memory, never saved to disk
THE SECURITY CHALLENGES
Secure Platform + Secure Content + Secure Access
Secure Access
• Role based access control (RBAC)
• AD/LDAP integration
• Secrets Management
Secure Content
• Docker Content Trust
• Security Scanning
Secure Platform
• All available isolation and containment
• Default security settings and profiles
• Docker Bench
• Swarm Node Identity
WHERE TO GO NEXT
• Learn more about Docker Enterprise Edition: https://www.docker.com/enterprise-edition
• Customer use cases: https://www.docker.com/customers
• Try Docker Datacenter free for 30 days: https://www.docker.com/eval
• Reference Architecture: Securing Docker EE and Security Best Practices: https://success.docker.com/Architecture
THANK YOU