Securing the software supply chain with Docker EE · 2019-01-02
Securing the software supply chain with Docker EE
Patrick van der Bleek, Solutions Engineer @Docker
DOCKER ENTERPRISE EDITION: Containers as a Service
THE MODERN SOFTWARE SUPPLY CHAIN
(Diagram: the stages of the chain, from source/dependencies through build systems/engineers, the repository and the network to the deployed application and systems)
THE SECURITY CHALLENGES
Secure Platform + Secure Content + Secure Access
• Secure Platform: strong isolation and secure by default
• Secure Content: content integrity and trust
• Secure Access: authentication, authorization and access control
For Developers
• Does not hinder speed or creativity
• Flexible and granular controls
For IT ops
• Accelerate secure development
• Proactive risk management
Secure Platform
“Gartner asserts that applications deployed in containers are more secure than applications deployed on the bare OS.”
http://blogs.gartner.com/joerg-fritsch/can-you-operationalize-docker-containers/
CONTAINER ISOLATION
• pid namespace
• mnt namespace
• net namespace
• uts namespace
• user namespace
• pivot_root
• uid/gid drop
• cap drop
• all cgroups
• selinux
• apparmor
• seccomp
Secure by default
1. Out of the box default settings and profiles
2. Granular controls to customize settings
SECURE HOST CONFIGURATION
Ensure secure host configurations
• Aligned to recommendations in the Center for Internet Security’s Benchmark for Docker Engine 1.13/17.03
• Automates checking your host configs against the benchmark recommendations
Easy to use
• Available to run as a container or using a Compose file
www.dockerbench.com
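Added example, not from the deck and not Docker Bench's own code: a small audit that reads a daemon.json and a `docker inspect`-shaped HostConfig and flags the settings behind the isolation layers listed on the container isolation slide (host namespaces, capability drop, seccomp/AppArmor profiles) and the kind of host checks Docker Bench runs against the CIS benchmark. The daemon.json contents, container records and finding texts are constructed, and the benchmark's check numbers are deliberately not cited.

```python
import json

# Constructed sample inputs: a permissive and a hardened /etc/docker/daemon.json.
WEAK_DAEMON_JSON = '{"log-level": "debug", "userland-proxy": true}'
HARDENED_DAEMON_JSON = """{
  "icc": false, "userns-remap": "default", "live-restore": true,
  "no-new-privileges": true, "userland-proxy": false, "log-level": "info"
}"""

# Constructed sample inputs shaped like `docker inspect <container>` output (HostConfig only).
WEAK_CONTAINER = {"Id": "constructed-1", "HostConfig": {
    "Privileged": True, "PidMode": "host", "NetworkMode": "bridge", "IpcMode": "private",
    "SecurityOpt": ["seccomp=unconfined"], "CapAdd": ["SYS_ADMIN"], "CapDrop": None,
    "ReadonlyRootfs": False}}
HARDENED_CONTAINER = {"Id": "constructed-2", "HostConfig": {
    "Privileged": False, "PidMode": "", "NetworkMode": "bridge", "IpcMode": "private",
    "UsernsMode": "", "UTSMode": "", "SecurityOpt": ["no-new-privileges"],
    "CapAdd": None, "CapDrop": ["ALL"], "ReadonlyRootfs": True}}

HOST_NAMESPACE_KEYS = ("PidMode", "NetworkMode", "IpcMode", "UsernsMode", "UTSMode")


def audit_daemon(daemon_json: str) -> list:
    """Findings for a daemon.json, in the spirit of the CIS Docker Benchmark host checks."""
    cfg = json.loads(daemon_json)
    findings = []
    if cfg.get("icc", True):  # Docker default: every container on the bridge can reach every other
        findings.append("icc: inter-container traffic on the default bridge is not restricted")
    if not cfg.get("userns-remap"):
        findings.append("userns-remap: user namespace remapping is off; container root is host UID 0")
    if not cfg.get("live-restore", False):
        findings.append("live-restore: containers stop whenever the daemon restarts")
    if not cfg.get("no-new-privileges", False):
        findings.append("no-new-privileges: container processes may gain privileges via setuid binaries")
    if cfg.get("userland-proxy", True):
        findings.append("userland-proxy: docker-proxy is enabled; the hairpin NAT path is preferred")
    if cfg.get("log-level", "info") != "info":
        findings.append(f"log-level: {cfg['log-level']!r} instead of 'info'")
    return findings


def audit_container(inspect_entry: dict) -> list:
    """Findings for one container: the isolation layers the deck lists, read from HostConfig."""
    hc = inspect_entry["HostConfig"]
    findings = []
    if hc.get("Privileged"):
        findings.append("Privileged: all capabilities and host devices, most isolation bypassed")
    for key in HOST_NAMESPACE_KEYS:
        if hc.get(key) == "host":
            findings.append(f"{key}=host: shares the host's namespace instead of its own")
    for opt in hc.get("SecurityOpt") or []:
        if opt in ("seccomp=unconfined", "apparmor=unconfined"):
            findings.append(f"SecurityOpt {opt}: default profile disabled")
    for cap in hc.get("CapAdd") or []:
        findings.append(f"CapAdd {cap}: capability added on top of the default set")
    if "ALL" not in (hc.get("CapDrop") or []):
        findings.append("CapDrop: not dropping ALL; add back only the capabilities the app needs")
    if not hc.get("ReadonlyRootfs"):
        findings.append("ReadonlyRootfs: root filesystem is writable")
    return findings


if __name__ == "__main__":
    for name, findings in (("weak daemon.json", audit_daemon(WEAK_DAEMON_JSON)),
                           ("hardened daemon.json", audit_daemon(HARDENED_DAEMON_JSON)),
                           ("weak container", audit_container(WEAK_CONTAINER)),
                           ("hardened container", audit_container(HARDENED_CONTAINER))):
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```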
SECURE CLUSTER MANAGEMENT
• Least privilege orchestration
• Cryptographic node identity
• Out of the box TLS
• Seamless PKI
• Automatic cert rotation
• External CA integration
(Diagram: three manager nodes, each running a certificate authority, and three worker nodes, all communicating over TLS)
Secure Content
COMMON QUESTIONS ON CONTENT SECURITY
• What is inside my container?
• How do I know where this code came from?
• How do I keep our team safe from bad components?
• How do I stay on top of patches for compliance and governance?
• How do I NOT make this a giant pain for everyone? (including myself)
SECURITY SCANNING OF IMAGES
Deep visibility with binary level scanning
• Detailed BOM of included components and vulnerability profile
• Checks packages against the CVE database AND the code inside to protect against tampering
• Covers a wide range of languages, binaries, OS
Proactive risk management
• Continuous monitoring of CVE/NVD databases with notifications pointing to repos and tags that contain new vulnerabilities
Secure the software supply chain
• Integrated workflow with Docker Content Trust
• Available for Official Repos since Nov 2015
(Figure: sample Bill of Materials (BOM))
DOCKER CONTENT TRUST
DOCKER CONTENT TRUST: IMAGE FORGERY USECASE
DOCKER CONTENT TRUST: REPLAY ATTACKS USECASE
DOCKER CONTENT TRUST: COMPROMISED KEYS USECASE
DOCKER CONTENT TRUST: CHAIN OF TRUST
DOCKER CONTENT TRUST: ENFORCEMENT
• In UCP, can prevent running a container unless the image is signed by a member of a designated team
– Can require multiple teams’ signatures, or can allow any UCP user to sign
• Requires UCP user certificates for authentication
– DTR sets up a Notary server
– Initialize Notary repos with a UCP user’s client bundle public keys
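Added example, not Notary's or Docker's code: a toy model of the checks Docker Content Trust relies on for the three use cases above (image forgery, replay attacks, compromised keys) and for the UCP signing policy just described. It checks the signature over the targets metadata (forgery), expiry and version rollback (replay), key revocation through rotation (compromised keys) and required team signatures (enforcement). HMAC-SHA256 stands in for Notary's asymmetric signatures, the metadata layout is simplified from TUF, and every key name, digest and timestamp is constructed.

```python
import hashlib, hmac, json

def sign(keyid: str, key: bytes, meta: dict) -> dict:
    """TUF-shaped signature; HMAC-SHA256 stands in for Notary's asymmetric keys."""
    msg = json.dumps(meta, sort_keys=True, separators=(",", ":")).encode()
    return {"keyid": keyid, "sig": hmac.new(key, msg, hashlib.sha256).hexdigest()}

class TrustedRepo:
    """Client-side trust state for one image repository (simplified TUF targets check)."""

    def __init__(self, keys: dict, required_teams: set, now: int):
        self.keys = dict(keys)                     # keyid -> (team, key), as published by root
        self.required_teams = set(required_teams)  # UCP-style signing policy
        self.now = now                             # fixed clock keeps the example deterministic
        self.last_version = 0                      # highest accepted targets version

    def rotate_key(self, old_keyid: str, new_keyid: str, team: str, key: bytes) -> None:
        """Compromised-key use case: root revokes the old key and publishes the replacement."""
        self.keys.pop(old_keyid, None)
        self.keys[new_keyid] = (team, key)

    def verify_pull(self, signed: dict, tag: str, pulled_digest: str) -> tuple:
        meta, sigs = signed["signed"], signed["signatures"]
        if meta["expires"] < self.now:
            return False, "replay: targets metadata expired"
        if meta["version"] <= self.last_version:
            return False, "replay: version rollback"
        teams = set()
        for s in sigs:
            if s["keyid"] not in self.keys:
                return False, f"untrusted key {s['keyid']}: unknown or revoked"
            team, key = self.keys[s["keyid"]]
            if not hmac.compare_digest(s["sig"], sign(s["keyid"], key, meta)["sig"]):
                return False, "forgery: signature does not match metadata"
            teams.add(team)
        missing = self.required_teams - teams
        if missing:
            return False, f"enforcement: missing signature from {sorted(missing)}"
        target = meta["targets"].get(tag, {})
        if target.get("sha256") != pulled_digest:
            return False, "forgery: pulled manifest digest is not the signed target"
        self.last_version = meta["version"]
        return True, f"ok: {tag} -> sha256:{pulled_digest}"

def scenarios() -> dict:
    """Constructed keys and metadata; returns {case: (accepted, reason)}."""
    dev_key, sec_key, dev_key2 = b"dev-key-1", b"sec-key-1", b"dev-key-2"
    repo = TrustedRepo({"dev1": ("dev", dev_key), "sec1": ("security", sec_key)},
                       {"dev", "security"}, now=1_700_000_000)
    meta1 = {"version": 1, "expires": 1_700_003_600, "targets": {"1.0": {"sha256": "aaaa"}}}

    def both(m, dev=("dev1", dev_key)):  # signatures from the dev and security teams
        return {"signed": m, "signatures": [sign(*dev, m), sign("sec1", sec_key, m)]}
    out = {}
    forged = {"signed": {**meta1, "targets": {"1.0": {"sha256": "bbbb"}}},
              "signatures": both(meta1)["signatures"]}
    out["forged_metadata"] = repo.verify_pull(forged, "1.0", "bbbb")
    out["swapped_image"] = repo.verify_pull(both(meta1), "1.0", "bbbb")
    dev_only = {"signed": meta1, "signatures": [sign("dev1", dev_key, meta1)]}
    out["one_team_only"] = repo.verify_pull(dev_only, "1.0", "aaaa")
    out["good"] = repo.verify_pull(both(meta1), "1.0", "aaaa")
    out["replayed_v1"] = repo.verify_pull(both(meta1), "1.0", "aaaa")
    out["expired"] = repo.verify_pull(both({**meta1, "version": 2, "expires": 1}), "1.0", "aaaa")
    repo.rotate_key("dev1", "dev2", "dev", dev_key2)
    meta2 = {**meta1, "version": 2}
    out["old_key_after_rotation"] = repo.verify_pull(both(meta2), "1.0", "aaaa")
    out["new_key_after_rotation"] = repo.verify_pull(both(meta2, ("dev2", dev_key2)), "1.0", "aaaa")
    return out
```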
Secure Access
ROLE BASED ACCESS CONTROL
Set up options
• LDAP/AD support
• Built-in
Granular RBAC
• Users and Teams
• Roles
• Permission labels
User Experience
• Single sign on
ROLE BASED ACCESS CONTROL
• Granular label-based RBAC for services and networks
– Works similarly to RBAC for containers (add “com.docker.ucp.access.label”)
– Control permission
• Protect system resources (UCP/DTR) from non-admins
– UCP/DTR containers, networks, and volumes are hidden from non-admins
SECRETS MANAGEMENT
(Diagram: three manager nodes forming a Raft consensus group around the internal distributed store, worker nodes, and the web UI)
• Encrypted at rest in the cluster store
• Encrypted while in motion on the network
• Delivered only to the exact authorized app
• Available to containers only in memory, never saved to disk
THE SECURITY CHALLENGES
Secure Platform + Secure Content + Secure Access
Secure Platform
• All available isolation and containment
• Default security settings and profiles
• Docker Bench
• Swarm Node Identity
Secure Content
• Docker Content Trust
• Security Scanning
Secure Access
• Role based access control (RBAC)
• AD/LDAP integration
• Secrets Management
WHERE TO GO NEXT
• Learn more about Docker Enterprise Edition: https://www.docker.com/enterprise-edition
• Customer use cases: https://www.docker.com/customers
• Try Docker Datacenter free for 30 days: https://www.docker.com/eval
• Reference Architecture: Securing Docker EE and Security Best Practices: https://success.docker.com/Architecture
THANK YOU