docker security deep dive · • “docker enterprises makes working with containers easy”:...
TRANSCRIPT
Docker Security Deep Dive
• A Leader: Docker named a leader among eight vendors in the Enterprise Container Platform market.
• “A robust container platform”: Docker Enterprise Platform received a differentiated rating, the highest rating possible, in eight criteria - including runtime and orchestration, security features, image management, user experience, integration and APIs, vision and more.
• “Docker Enterprises makes working with containers easy”: Docker’s customers also highlight end to end image security, support for Windows and support expertise
• Forrester’s Assessment: Docker “leads the pack with a robust container platform well-suited for the enterprise.”
Docker Enterprise “leads the pack” in Forrester New Wave™: Enterprise Container Platform report
The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave™ are trademarks of Forrester Research, Inc. The Forrester Wave™ is a graphical representation of Forrester's call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave™. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.
What are the analysts saying?
Containers abstract applications from infrastructure
• Eliminates the “works on my machine” problem
• Containers packages code and dependencies together into an isolated process
• Containers standardize any workload: legacy, microservices, ISV apps (Windows and Linux)
• App configurations “travel” with the app, are not built to the infrastructure
• Easy app composition of simple to complex apps with security, networks, storage, env variables, ports
Container architecture provides infrastructure agnostic packaging and tooling
Host OS
Docker Enterprise
ContainerApp A
Bins/Lib
Linux Mainframe AWS Azure OtherPublic CloudsWindows
ContainerApp B
Bins/Lib
ContainerApp C
Bins/Lib
ContainerApp D
Bins/Lib
ContainerApp E
Bins/Lib
The first and only container runtime with FIPS validated cryptography
Docker awarded FIPS 140-2 validation
Security concerns and mitigations
Source code and CI/CD environment
• Often the least secure environment
• Developers don’t like getting bogged down with security
• Results in insecure coding practices
• Vulnerabilities often exist in CI/CD processes
Leverage a secure and automated software supply chain
• Establish chain of trust with apps as they move across environments
• Digitally sign containers and only run verified containers
• Freshness guarantee ensures no tampering and latest container is running
• Automate workflow with immutable repos and automated image promotion
Docker image CI/CD workflow example
OS-level protections
• OS compromise can result in compromise of container platform• Using Docker containers reduces the need for a full-fledged, general-purpose
OS− Use a minimal, optimized OS for Docker
• Leverage security profiles− Defaults provided for SELinux, Seccomp, AppArmor
• OS hardening− CIS Benchmarks, STIGs
Kernel isolation - Linux
• Namespaces• Control groups
Kernel isolation - Windows
• Silos• Job objects• Syscall filtering• Sandboxing
Infrastructure-level protections
• Identify the protections provided by your datacenter provider or cloud service provider
− Host firewalls & port filters− Web-application firewalls− Network logging & alerting
• Physically and logically segment your infrastructure• Create clear IAM policies and limit responsibility
Docker images
• Manage your application dependency supply-chain• Images should only include only runtime application dependencies
− No debugging tools− No source, unless required
• Start with the smallest possible base image (e.g. Alpine, nanoserver, etc)• Scan images for vulnerabilities• Leverage Docker Content Trust integrity checking mechanisms• Use trusted, Docker Certified base images• Avoid running containers as root
− Fully rootless containers available since February 2019
Threat Mitigation: Scan Container Images for VulnerabilitiesSECURITY
• Reduce risk by identifying security issues early
• Stop automation workflows when security issues discovered
• Ensure compliance with alerts for new vulnerabilities
KEY BENEFITS
• Integrated security scanning and vulnerability monitoring with customized alerts
• Binary level scanning provides deep visibility into all components
FEATURE / CAPABILITY
Threat Mitigation: Audit All Image Layers and Components SECURITY
• Ensure compliance with an audit log of all application dependencies
• Track supporting library versions and licenses
KEY BENEFITS
• Get a full Bill of Materials for all of your Docker images that details all application and library dependencies
• Detailed visibility of all Layers including those from Base Images
FEATURE / CAPABILITY
Fine-Grained Control Over Image Scanning ResultsSECURITY
• Align the image scanning rules to your organization’s criteria
• Gain control over scanning results that can be ignored
KEY BENEFITS
• Admins have ability to hide specific vulnerabilities that have been cleared by your organization
FEATURE / CAPABILITY
Docker runtime security
• Running apps in Docker containers is only going to enhance security posture and not take away from it
• The OCI container runtime standard has matured• Docker daemon vulnerabilities are few and far between
− Dedicated security team for receiving and triaging CVEs• Container breakout is increasingly rare and incredibly difficult
− Focus on where the vulnerabilities are much more likely to occur (e.g. untrusted Docker images, source code, etc)▪ AppSec is always the first class concern
• Remain privy to Docker container runtime properties (e.g. published ports, device/filesystem access, etc)
• Leverage FIPS mode in Docker Engine - Enterprise 18.03+
Enhanced runtime isolation technologies on Linux - AWS Firecracker
• Implements a virtual machine monitor (VMM) that uses KVM
• Creates and manages microVMs• containerd integration• Docker integration via Kata
Enhanced runtime isolation technologies on Linux - Kata Containers
• Combines Intel Clear Container and Hyper runV technologies• Supports multiple hypervisors (QEMU/KVM, Firecracker)
Enhanced runtime isolation technologies on Linux - gVisor
• User-space kernel• Implements large portion of Linux system surface• Includes OCI runtime called runsc and integrates with Docker and Kubernetes• Intercepts application system calls and acts as the guest kernel, without need
for translation through virtualized hardware• Rule-based execution for defense-in-depth
Enhanced runtime isolation on Windows - Hyper-V isolation
• Orchestration security has drastically improved over the last few years− Kubernetes has its own thriving security community and vulnerability
management• Orchestration = lots of “dials and knobs”. It can be easy to misconfigure this
complexity• Leverage application service mesh and identity paradigms on top of Docker
(e.g. Istio, SPIFFE, etc)− Istio support in Docker EE announced DockerCon 2019− Service mesh works with orchestrator to enforce authZ and network
policy• Take advantage of Docker Secrets for store sensitive application data (e.g.
DB connection strings, API tokens, etc)
Orchestration
Secrets managementSECURITY
WorkerWorker
Manager
Internal Distributed Store
Raft Consensus Group
ManagerManager
Worker
External App
Web UI
• Management– Admins can add/remove/list/update
secrets in the cluster– Exposed to a container via a
”/secrets” tmpfs volume on Linux– Requires Bitlocker on Windows
Server 2016• Authorization
– Tag secrets to a specific service– Admins can authorize secrets access
to users/teams via RBAC• Rotation
– Use GUI to update a secret to all containers in a service
• Auditing– Each user request for secret access
logged in cluster for auditing
List of Docker Enterprise certifications and accreditationsAs of May 2019
• FIPS 140-2 (Level 1) - Docker Engine - Enterprise Cryptography Modules are FIPS validated (Certificate #3304)
• DISA STIG for Docker Enterprise - In process (~Q2 2019)• Multiple Federal agency ATOs in place for Docker Enterprise
o FISMA Moderate and Higho DoD Impact Levels (IL) 2 and 4-6
• CJIS compliance• Certificate to Field for Docker Enterprise on JIDO SLAN - CI-0717-0002
o Based on DOD RMF (DoDI 8510.01)
FIPS mode in Docker Engine - Enterprise
• The Docker Enterprise Edition Crypto Library v1.0 module has been validated by the NIST Cryptographic Module Validation Program (CMVP)
− https://www.prnewswire.com/news-releases/docker-awarded-fips-140-2-validation-by-the-national-institute-of-standards-and-technology-nist-300741000.html
− https://blog.docker.com/2018/10/docker-achieves-fips-140-2-validation/• Docker Engine - Enterprise v18.03+ supports “FIPS Mode”• The only container runtime with FIPS validated cryptography• Both UCP and DTR will incorporate this crypto module and be included as part of a separate revalidation effort in 2019
Continuous compliance and risk management with OSCAL
• Standardized reporting against any security control catalogs and benchmarks (e.g. NIST 800-53, PCI DSS, etc)
• Audit and enforcement of security settings
FEATURE
• Continuously compliant applications and container platform
• Better alignment of risk management practices to containers
BENEFITS
Docker EnterpriseCatalogs and
profiles in OSCAL format
Automated Assessment
Automated Enforcement
Standardized reporting in OSCAL format
Docker + NISTCollaborating to bring containers to the forefront of technology standards
• Delivering the first FIPS 140-2 validated crypto as part of a container runtime and platform
• A lead contributor to the Open Security Controls Assessment Language (OSCAL)o https://blog.docker.com/2018/05/automating-compliance-docker-ee-oscal/o New standard in development to significantly reduce regulatory IT compliance burden
• Contributor to NIST SP 800-190 Application Container Security Guide
• Joint work on Trusted Geolocation project as a NIST NCCoE Partner o Supporting the development of an upcoming NIST SP 1800-series publications
• (ISC)2 Certified Authorization Professional (CAP) on Docker staff aligning container technologieso To FISMA requirements and streamlining Federal ATO processes, ando Mapping applicable NIST 800-53 security controls to Docker Enterprise and container properties
• Authored IEEE-accepted paper on continuous compliance with Docker
OSCAL integration coming in 2019 ...
End-to-end security with Docker Enterprise
End-to-end security with Docker Enterprise
Safer Apps
Virtualization Public CloudPhysical
Trusted Delivery
Encryption at Rest
TLS Encryption
App Secrets
Image Scanning
Image Signing & Verification
ID & Access
Compute Runtime
Infrastructure Independent Security
Admin UI
Security: Safer Applications Across the Secure Software Supply Chain
Secure Image Management
● Image scanning
● Content trust with image signing
Secure & Highly Available Clusters
● Encrypted cluster communications
● Authenticated nodes
● Automatically join into a fault tolerant cluster
Secure Automation
● Policy-based image promotion
Only Docker Delivers All Three Core Enterprise Requirements
• Hybrid and multi-clouds
• Windows and Linux
• Traditional apps and microservices
• DevOps and existing ops processes
Choice SecurityAgility
• FIPS 140-2 validation
• Safer apps
• Governance
• Chain of custody
• Threat mitigation
• Unified operations
• Rapid delivery and response
• Cost efficiency
Only Docker Enterprise Gives Public Sector Customers:
Trusted Automation, With Verifiable Chain of Custody
● Image signing and scanning of applications to validate and verify content
● Content Trust: Only run applications that have the required signatures
● Automated policies for image promotions across the app development lifecycle
dev/hello-world
No ‘critical’ or ‘major’ vulnerabilities
prod/hello-world
App.go App.go
SECURITY
Secure, least privileged runtime environment• The most secure container runtime and
orchestration architecture
• Secure by default with out of the box configurations
• Cryptographic node identity
• Automatic mutual TLS 1.2 (AES GCM mode) across all nodes within the Docker cluster
• Transparent and automatic cert rotation
• External CA integration
• Optionally encrypt container-to-container traffic
Manager Node
CertificateAuthority
TLS
Manager Node
CertificateAuthority
TLS
Manager Node
CertificateAuthority
TLS
Worker
TLS
Worker
TLS
Worker
TLS
Kubernetes Network Encryption
Use Case
● Apply default encryption without intervention or awareness from users
● Protect internal application traffic on untrusted or shared infrastructure by default
Usage
● Optional feature in UCP● Deploy encryption daemonset to encrypt all
host-to-host traffic between all pods within the Kubernetes cluster
● Key management and rotation managed centrally by add-on encryption module
● IPSec encryption
Host
Pod
app
Host
Pod
app
Kubernetes Networking
Audit Logs
{“audit”; { "metadata": {...}, "level": "Metadata", "timestamp": "2018-08-07T22:10:35Z", "auditID": "7559d301-fa6b-4ad6-901c-b587fab75277", "stage": "RequestReceived", "requestURI": "/api/v1/namespaces/default/pods", "verb": "list", "user": {"username": "alice",...}, "sourceIPs": ["127.0.0.1"], ..., "requestReceivedTimestamp": "2018-08-07T22:10:35.428850Z"}}
UCP
orchestrator audit events
audit logs
user request FEATURE
• Configurable audit logs for UCP, Swarm, and Kubernetes
• Logs API calls tracking request, time, user, and response
• Persistent storage of audit log entries for historical recall
BENEFITS
• Tracking of all security-relevant user activity in the cluster
• Complete historical records of deployments for more complete troubleshooting and observability
{“audit”; { "metadata": {...}, "level": "Metadata", "timestamp": "2018-08-07T22:10:35Z", "auditID": "7559d301-94e7-4ad6-901c-b587fab31512", "stage": "RequestReceived", "requestURI": "/v1.30/configs/create", "verb": "post", "user": {"username": "alice",...}, "sourceIPs": ["127.0.0.1"], ..., "requestReceivedTimestamp": "2018-08-07T22:10:35.428850Z"}}
kube pod listing swarm config create
SAML v2.0Security
FEATURE
BENEFITS
• Allow for SSO to UCP through existing identity provider
• Support for Okta and ADFS, with more Idp added in the future
• Continue to use LDAP synch for client bundle access
• Achieve 2FA through identity provider
• Control Auth-N through Idp
Granular Access ControlCUSTOMIZE ROLES AND IMPROVE ACCESS GRANULARITY AND CONTROL
KEY FEATURES
BENEFITS
• Create custom roles with granular action permissions or leverage pre-defined default roles
• Define resource collections to more easily visualize and assign users to specific cluster resources
• Define Organizations of one or more Teams
• Easily manage complex organizations by defining permissions across user groups and resource collections
• Improve security by setting permissions that align to your organization’s requirements and practices
• Meet compliance and regulatory requirements through tight access control and separation of roles and responsibilities
• Respond faster to changing organizational demands
• Drive higher infrastructure and operational efficiencies and avoid cluster sprawl
KEY BENEFITS
• Secure Environment Zones
− Logical and physical partitioning
− Role-based permissions for delivery and operations
FEATURE / CAPABILITY
Operations Team
TEST STAGING PRODUCTION
DOCKER ENTERPRISE EDITIONMANAGEMENT PLANE
Single cluster, multiple divided zones
SANDBOX
Define Secure Environment Zones to Avoid Costly Cluster SprawlSECURITY
Node
Worker
Node
Worker
Node
Worker
Node
Worker
swarm mode cluster
dockerenterprise edition
universal control planetrusted registry
Node
Worker
Node
Worker
.NET Dev TeamUsing Swarm
Java Dev Team using K8s
Java Dev TeamUsing Swarm
Ops Team
Define Secure Application Zones in a Dynamic Environment
• Easily define resource-based permissions to different teams and expose only the allotted resources to each team
• Re-allocate resources as needed
KEY BENEFITS
• Integrate with LDAP/AD and create granular and flexible access controls
• Combine Namespace isolation with node-based isolation for increased separation
FEATURE / CAPABILITY
SECURITY
Build A Secure Application Supply Chain With Docker Enterprise
>_
********
****
Build With Integrity• Verify, sign, & scan• Secure methodologies• Secure image storage
Trusted Delivery• Access & authority controls• Verifiable chain of custody• Automated, policy-based
operations Run Safe• Secure by default• Isolation• Fix fast
Continuous Compliance with Docker Enterprise
Addressing confidentiality, integrity and availability objectives as defined by FISMA
• Confidentiality− Docker Engine - Enterprise FIPS mode− Docker secrets management− Mutual TLS cluster architecture
• Integrity− Docker Content Trust− Docker Certified Images
• Availability− Enterprise-grade container and orchestration platform
− Industry-standard tooling and feature-sets
Risk management and compliance in the container era
• Risk management frameworks like NIST 800-37 are just as applicable to systems with container platforms as they are with traditional IT constructs
• Docker Enterprise allows for a customer-optimized balance between inheritable security controls and infrastructure agnosticism
− Containerized apps can inherit more security controls across a greater number of infrastructure providers
− Streamlines risk attestation and assessment processes• Automate the paperwork
− Traditional attestation and assessment artifacts aren’t well-aligned to the dynamic nature of containers
− Automation becomes critical
Comparing the ATO boundary: Docker containers vs. VMs
Containers can inherit more security controls resulting in
faster ATOs
Applications running on VMs requiring more controls that which need to be attested and assessed
Application ATO
boundary
Application ATO
boundary