Docker Security and Content Trust
Containers as a Service (CaaS)
Platform diagram: Developers and IT Operations working on the Docker Platform across BUILD (Development Environments), SHIP (Secure Content & Collaboration) and RUN (Deploy, Manage, Scale)
Docker delivers end-to-end integrated security
Three security layers, laid over the same BUILD / SHIP / RUN platform diagram:
• Secure Content: Content Trust and Project Nautilus
• Secure Access: Authorization, Authentication, Access Control (AAA)
• Secure Platform: Runtime containment and isolation
Runtime Containment
• cgroups
• Namespaces
• User Namespaces
• Linux Security Modules
• Seccomp
Containment: Control Groups
• Kernel feature Docker uses to control resource access
• Helps to ensure appropriate multi-tenancy behavior: one container cannot starve the others of CPU, memory or I/O
• Sets limits and constraints on hardware resources
– For example memory or CPU limits with --memory, --cpu-shares or --cpu-quota
• cgroups bound consumption (a denial-of-service control); they do not hide anything from the container, which is the job of namespaces
Containment: Capabilities
• Linux splits the privileges of root into discrete capabilities (CAP_NET_ADMIN, CAP_SYS_ADMIN, ...) that can be granted per process
• Root users have access to all capabilities
– Non-root users are more restricted, but can elevate (for example through setuid binaries or file capabilities)
• A Docker container keeps 14 of the roughly 38 capabilities, fewer than half of what a root process on the host has
• Reduces the system-level impact of an intrusion: a process that becomes root inside the container still lacks the capabilities that affect the host (module loading, raw device access, mount, ...)
• Modify capabilities with --cap-drop / --cap-add (for example --cap-drop ALL --cap-add NET_BIND_SERVICE); --privileged grants all of them and should be treated as host access
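Two checks a practitioner wants at this point: decoding the CapEff bitmask that /proc/<pid>/status prints inside a container, and predicting which set a given --cap-add / --cap-drop combination produces. The following is an added example, not code from the slides or from the Docker Engine; the capability numbering is taken from linux/capability.h, the 14-entry default set is the Engine's documented default, and effective_caps mirrors the Engine's rule (start from the default set, or from all capabilities with --cap-add ALL, remove the drops, then add the adds).

```python
# Added example (not from the Docker slides): decode a Linux capability
# bitmask and compute the effective set a container gets from Docker's
# default set plus --cap-add / --cap-drop.

# Capability numbers from linux/capability.h. 0..37 covers kernels up to 5.7;
# newer kernels add PERFMON, BPF and CHECKPOINT_RESTORE at 38..40.
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ",
]
CAP_BIT = {name: bit for bit, name in enumerate(CAP_NAMES)}

# The 14 capabilities a non-privileged container keeps by default.
DOCKER_DEFAULT_CAPS = frozenset({
    "CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "MKNOD", "NET_RAW",
    "SETGID", "SETUID", "SETFCAP", "SETPCAP", "NET_BIND_SERVICE",
    "SYS_CHROOT", "KILL", "AUDIT_WRITE",
})


def decode_capmask(hex_mask):
    """Decode a CapEff/CapBnd value as printed in /proc/<pid>/status."""
    mask = int(hex_mask, 16)
    names = [name for name, bit in CAP_BIT.items() if mask & (1 << bit)]
    known = (1 << len(CAP_NAMES)) - 1
    if mask & ~known:                      # bits above the table we know about
        names.append("UNKNOWN_BITS_0x%x" % (mask & ~known))
    return sorted(names)


def encode_caps(names):
    """Inverse of decode_capmask; useful to compare against a live CapEff."""
    mask = 0
    for name in names:
        mask |= 1 << CAP_BIT[name]
    return "%016x" % mask


def _norm(name):
    n = name.strip().upper()
    return n[4:] if n.startswith("CAP_") else n


def effective_caps(cap_add=(), cap_drop=()):
    """Engine rule: default set (all with --cap-add ALL), minus --cap-drop
    entries (ALL empties the set), plus the explicit --cap-add entries."""
    adds = {_norm(c) for c in cap_add}
    drops = {_norm(c) for c in cap_drop}
    for c in (adds | drops) - {"ALL"}:
        if c not in CAP_BIT:
            raise ValueError("unknown capability: " + c)
    caps = set(CAP_NAMES) if "ALL" in adds else set(DOCKER_DEFAULT_CAPS)
    if "ALL" in drops:
        caps = set()
    caps -= drops
    caps |= adds - {"ALL"}
    return sorted(caps)


if __name__ == "__main__":
    try:  # when run inside a container this shows what the runtime actually granted
        with open("/proc/self/status") as f:
            capeff = [line.split()[1] for line in f if line.startswith("CapEff:")][0]
        print("this process:", decode_capmask(capeff))
    except (OSError, IndexError):
        pass
    print("docker default:", decode_capmask("00000000a80425fb"))
    print("--cap-drop ALL --cap-add NET_BIND_SERVICE:",
          effective_caps(["NET_BIND_SERVICE"], ["ALL"]))
```

Run it inside a container (docker run --rm -v $PWD:/x python:3 python /x/caps.py) to confirm the granted set; the value 00000000a80425fb is the CapEff a default container reports, and the script decodes it to exactly the 14 defaults.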
Containment: Namespaces
• Namespaces provide the isolated workspace for "the container"
• A container is actually made up of several different namespaces that each isolate one kind of resource, for example:
– pid: process isolation (the container sees only its own processes)
– net: network interfaces, routes and ports
– ipc: access to System V IPC objects and POSIX message queues
– mnt: mount points
– uts: hostname and NIS domain name
• By default the root user inside a container is UID 0 on the host as well, confined only by capabilities, seccomp and the LSM profile
• User namespaces allow full-featured containers whose root is not root on the host
Containment: User Namespaces
• Enhanced access controls: UIDs and GIDs inside the container are mapped onto an unprivileged range on the host (dockerd --userns-remap, with the ranges taken from /etc/subuid and /etc/subgid)
• In Engine 1.10 and 1.11 the mapping is configured once for the daemon and shared by all containers; --userns=host opts an individual container out
• Separate container-level and Docker daemon-level privileges
• Containers no longer have root access to the host: UID 0 in the container is an ordinary, unprivileged UID on the host, so a breakout lands without root
Diagram: Docker Host running Container 1, Container 2 and Container 3, each with a remapped root
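The practical question this raises is "which host UID is my container's root, and why does a bind-mounted file show up owned by 165536?". The answer is the mapping the kernel exposes in /proc/<pid>/uid_map. The block below is an added example, not part of the slides or of dockerd; it parses that format (and the /etc/subuid line dockerd derives it from) and resolves UIDs in both directions. The sample mapping is constructed; dockremap:165536:65536 is the shape of the entry dockerd creates with --userns-remap=default, and 65534 is the kernel's default overflowuid.

```python
# Added example (not from the Docker slides or from dockerd): resolve UIDs
# across a user-namespace mapping using the /proc/<pid>/uid_map format,
# "<inside-start> <outside-start> <length>" per line.

OVERFLOW_UID = 65534   # /proc/sys/kernel/overflowuid default: how unmapped owners appear ("nobody")


def parse_id_map(text):
    """Parse /proc/<pid>/uid_map or gid_map into (inside, outside, length) ranges."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        inside, outside, length = (int(f) for f in fields)
        if length <= 0:
            raise ValueError("bad mapping: %r" % line)
        ranges.append((inside, outside, length))
    return ranges


def subuid_to_map(entry):
    """The single uid_map range dockerd installs from an /etc/subuid line such
    as 'dockremap:165536:65536' (container 0..length-1 -> that host range)."""
    _user, start, length = entry.strip().split(":")
    return [(0, int(start), int(length))]


def container_to_host(ranges, uid):
    """Host UID a container UID becomes (file ownership, ps on the host).
    None means the UID cannot exist in the container: setuid() to it fails."""
    for inside, outside, length in ranges:
        if inside <= uid < inside + length:
            return outside + (uid - inside)
    return None


def host_to_container(ranges, host_uid):
    """How a host-owned file looks from inside; unmapped owners show as OVERFLOW_UID."""
    for inside, outside, length in ranges:
        if outside <= host_uid < outside + length:
            return inside + (host_uid - outside)
    return OVERFLOW_UID


def root_is_remapped(ranges):
    """The property user namespaces exist for: container root is not host root."""
    return container_to_host(ranges, 0) not in (0, None)


# Constructed samples: a remapped daemon versus the default identity mapping.
REMAPPED_MAP = "         0     165536      65536\n"   # dockerd --userns-remap=default
IDENTITY_MAP = "         0          0 4294967295\n"   # no remapping (the default)

if __name__ == "__main__":
    r = parse_id_map(REMAPPED_MAP)
    print("container root on host:", container_to_host(r, 0))
    print("host root seen from inside:", host_to_container(r, 0))
    print("remapped:", root_is_remapped(r), "/ identity:", root_is_remapped(parse_id_map(IDENTITY_MAP)))
```

Run cat /proc/1/uid_map inside a container and feed the output to parse_id_map to verify the daemon really applied the remap; an identity line like the second sample means user namespaces are not in effect for that container.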
Security: Seccomp Profiles
• Granular policy control defining which syscalls containers can make (a custom profile is applied with --security-opt seccomp=<profile.json>)
• Increases security by reducing the attack surface of the Linux kernel
• Secure by default: a "default profile" is applied to every container, provided the host kernel and the Engine build support seccomp; --privileged and --security-opt seccomp=unconfined switch it off
• Syscalls such as acct, add_key, kexec_load, mount, reboot and others are blocked by the default profile (they fail with EPERM); clone is not blocked outright but is allowed only without the CLONE_NEW* namespace flags
Diagram: Docker Host running Container 1, Container 2 and Container 3 under the same profile
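Custom profiles drift: somebody allows mount "temporarily" and nobody notices. The block below is an added example, not code from the slides or from the Engine; it audits a profile in the JSON format --security-opt seccomp= accepts and reports which high-risk syscalls would get through, distinguishing an unconditional allow from an allow that carries an argument filter (the way the default profile treats clone). The HIGH_RISK list is a subset of the default profile's deny list chosen for illustration, the sample profile is constructed, and the numeric mask 2080505856 is the CLONE_NEW* flag mask the default profile uses.

```python
# Added example (not from the Docker slides or from the Engine): audit a
# seccomp profile JSON and flag high-risk syscalls it lets through.
import json

# A subset of the syscalls the default profile denies, plus clone, which it
# allows only with the CLONE_NEW* namespace flags masked off.
HIGH_RISK = ["acct", "add_key", "bpf", "clone", "finit_module", "init_module",
             "kexec_file_load", "kexec_load", "mount", "pivot_root", "ptrace",
             "reboot", "setns", "umount2", "unshare"]

# Constructed profile: default-style shape, but someone allowed mount with no
# argument filter.
SAMPLE_PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86"],
  "syscalls": [
    {"names": ["read", "write", "open", "close", "execve", "exit_group"],
     "action": "SCMP_ACT_ALLOW", "args": []},
    {"names": ["clone"], "action": "SCMP_ACT_ALLOW",
     "args": [{"index": 0, "value": 2080505856, "valueTwo": 0,
               "op": "SCMP_CMP_MASKED_EQ"}]},
    {"names": ["mount"], "action": "SCMP_ACT_ALLOW", "args": []},
    {"names": ["ptrace"], "action": "SCMP_ACT_ERRNO", "args": []}
  ]
}
""")


def _entry_names(entry):
    # Engine 1.10/1.11 profiles carry one "name" per entry; later ones use "names".
    if "names" in entry:
        return list(entry["names"])
    return [entry["name"]]


def audit_profile(profile, high_risk=HIGH_RISK):
    """Classify each high-risk syscall as unconditionally allowed, allowed only
    under an argument filter, or blocked, taking defaultAction into account.
    Any ALLOW rule is treated as reachable, so a syscall that appears in both an
    allow and a deny entry is reported on the allow side."""
    default_allows = profile.get("defaultAction") == "SCMP_ACT_ALLOW"
    allow_rules, denied = {}, set()
    for entry in profile.get("syscalls", []):
        names = _entry_names(entry)
        if entry.get("action") == "SCMP_ACT_ALLOW":
            for n in names:
                allow_rules.setdefault(n, []).append(entry.get("args") or [])
        else:
            denied.update(names)
    report = {"default_allows": default_allows,
              "unconditional": [], "arg_filtered": [], "blocked": []}
    for sc in high_risk:
        rules = allow_rules.get(sc)
        if rules is not None:
            # one allow rule with no argument conditions is enough to let it through
            bucket = "unconditional" if any(len(r) == 0 for r in rules) else "arg_filtered"
            report[bucket].append(sc)
        elif default_allows and sc not in denied:
            report["unconditional"].append(sc)
        else:
            report["blocked"].append(sc)
    return report


def load_profile(path):
    with open(path) as f:
        return json.load(f)


if __name__ == "__main__":
    import sys
    profile = load_profile(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PROFILE
    for key, value in audit_profile(profile).items():
        print("%-15s %s" % (key, value))
```

Pointed at a real profile (python audit.py my-profile.json) it prints mount under "unconditional" for the sample and clone under "arg_filtered"; a profile whose defaultAction is SCMP_ACT_ALLOW is reported as such, because every syscall not explicitly denied is then reachable.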
Containment: Linux Security Modules (LSM)
• Linux Security Modules (LSM) is a general kernel framework for hooking in security modules
– In particular Mandatory Access Control (MAC) modules
• Popular modules include:
– AppArmor
– SELinux
– Smack
– TOMOYO
• By default Docker supports AppArmor (Ubuntu, Debian) and SELinux (Red Hat / CentOS): the Engine loads a docker-default AppArmor profile for every container, or applies SELinux labels when the daemon runs with --selinux-enabled
• A per-container policy is chosen with --security-opt apparmor=<profile> or --security-opt label=<...>
Content: Docker Content Trust
● Publisher digitally signs the Docker images before pushing them to a registry
● Any user can independently verify the digital signatures on the images before running them
● Switched on in the client with the environment variable DOCKER_CONTENT_TRUST=1: push then signs the tag, and pull refuses tags that are unsigned or whose signature does not verify
Content: Integrated Hardware Signing
• YubiKey 4 hardware ensures the root key is never exposed: the private key lives only on the token
• The publisher's root key can't be stolen from a compromised workstation, AND Content Trust protects the content itself from attacks
• Touch to sign ensures human interaction for every signature, so malware on the workstation cannot sign silently
• Available in Docker Experimental and Notary 0.1
Content: Trust on Docker Hub
Docker Hub supports storage and distribution of images signed with Docker Content Trust
• Docker hosts and manages the Notary server (notary.docker.io)
• All 93 official repos are signed with Docker Content Trust
• Opt in to Docker Content Trust on your commercially supported Docker Engines
• Signed images can be pushed to and pulled from Docker Hub repos (signed status is not exposed in the UI at this time)
Use Cases (demo)
• Image forgery
• Replay attacks
• Compromised keys
Security Scanning
GA of Docker Security Scanning (formerly Project Nautilus), enabling detailed image security profiles, continuous vulnerability monitoring and notifications for integrated content security in the software supply chain
● Limited-time free trial for Docker Cloud private repo customers
● Coming soon as an integrated feature in Docker Datacenter
● Expanding soon to all Docker Cloud repo users
Updated Docker Bench for checking host and daemon configs
● Implements the recommendations of the latest CIS Docker 1.11.0 Benchmark
Secure Content: Image Scanning
Deep visibility with binary-level scanning
• Detailed BOM (bill of materials) of the included components and their vulnerability profile
• Checks packages against the CVE database AND inspects the binaries themselves, so a package is not judged by its metadata alone and tampering is detected
• Covers a wide range of languages, binaries and OS packages
Proactive risk management
• Continuous monitoring of the CVE/NVD databases, with notifications pointing to the repos and tags that contain newly published vulnerabilities
Figure: sample Bill of Materials (BOM)
Docker enables least privilege microservices
Best Practices and Tools
CIS (Center for Internet Security) Docker Benchmark
• Prescriptive guidance on securing Docker environments
• Community collaboration: CIS, Docker, VMware, and others
• Addresses Linux host configuration as well as Docker-specific configuration
• https://benchmarks.cisecurity.org/downloads/benchmarks/index.cfm
Docker Bench
• Automated tool (the docker-bench-security shell script) that checks a host and its daemon against the CIS benchmark and reports PASS / WARN / INFO per recommendation
• www.dockerbench.com
Content Trust: Notary
• Open source project on GitHub (github.com/docker/notary)
• Based on TUF (The Update Framework)
• Signs content with offline keys: the root and targets keys stay off the build machines and the server
• Trust thresholds (require K out of N keys): stealing one key reduces the signing requirement, but doesn't break the whole model
• Guarantees freshness: a short-lived timestamp role lets a client detect stale or replayed metadata
• Distributes signed content on (potentially insecure) servers, leveraging existing (insecure) transport and mirrors, because the client verifies signatures end to end
• Basis for Docker Content Trust
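The Content Trust slide, the three demo use cases (forgery, replay, compromised keys) and the Notary slide all describe the same verifier behaviour, so one worked example covers them. What follows is an added miniature TUF-style client, not Notary's or Docker's code. It keeps only the parts needed to show those three properties: a pinned root that names the authorised key IDs and threshold per role, offline targets keys, and a short-lived timestamp role (Notary's snapshot role is folded into the timestamp here). Signatures are a stand-in: HMAC-SHA256 keyed per key ID, so the "keyring" holds shared secrets where a real Notary client holds Ed25519/ECDSA public keys from the root role. Key material, image names and digests are constructed for the scenario.

```python
# Added example, not the Notary/TUF code base: a minimal TUF-style client
# showing forgery, replay and compromised-key handling. HMAC stands in for
# public-key signatures (assumption made to keep the example dependency-free).
import hashlib, hmac, json

def canonical(obj):
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def key_id(secret):
    return hashlib.sha256(secret).hexdigest()[:16]

def sign(signed, secrets):
    """TUF-shaped envelope: {"signed": ..., "signatures": [{keyid, sig}, ...]}."""
    payload = canonical(signed)
    return {"signed": signed, "signatures": [
        {"keyid": key_id(s), "sig": hmac.new(s, payload, "sha256").hexdigest()} for s in secrets]}

class VerifyError(Exception):
    pass

class Client:
    """Pinned root (role -> authorised key IDs + threshold) plus the highest
    metadata version accepted per role; that counter is what defeats replay."""
    def __init__(self, root, keyring):
        self.root, self.keyring, self.versions = root, keyring, {}

    def verify_role(self, role, env, now):
        spec, payload, valid = self.root["roles"][role], canonical(env["signed"]), set()
        for s in env["signatures"]:
            kid = s["keyid"]
            if kid not in spec["keyids"] or kid not in self.keyring:
                continue                               # key not authorised for this role
            want = hmac.new(self.keyring[kid], payload, "sha256").hexdigest()
            if hmac.compare_digest(want, s["sig"]):
                valid.add(kid)                         # count distinct keys, not signatures
        if len(valid) < spec["threshold"]:
            raise VerifyError("%s: %d of %d required signatures" % (role, len(valid), spec["threshold"]))
        signed = env["signed"]
        if signed["_type"] != role:
            raise VerifyError("%s: wrong metadata type" % role)
        if signed["expires"] <= now:
            raise VerifyError("%s: expired" % role)
        if signed["version"] < self.versions.get(role, 0):
            raise VerifyError("%s: rollback to version %d" % (role, signed["version"]))
        self.versions[role] = signed["version"]
        return signed

    def resolve(self, ts_env, tg_env, image, now):
        """Return the digest the publisher signed for image, or raise VerifyError."""
        ts = self.verify_role("timestamp", ts_env, now)
        meta = ts["meta"]["targets"]
        if hashlib.sha256(canonical(tg_env)).hexdigest() != meta["sha256"]:
            raise VerifyError("targets metadata does not match the timestamp")
        tg = self.verify_role("targets", tg_env, now)
        if tg["version"] != meta["version"]:
            raise VerifyError("targets version does not match the timestamp")
        if image not in tg["targets"]:
            raise VerifyError("no signed target for " + image)
        return tg["targets"][image]["hashes"]["sha256"]

def publish(targets, version, targets_keys, ts_key, now, ttl=7 * 86400):
    """Publisher side: targets signed with offline keys, then a one-day
    timestamp (in Notary the timestamp key is held online by the server)."""
    tg_env = sign({"_type": "targets", "version": version, "expires": now + ttl,
                   "targets": {img: {"hashes": {"sha256": d}} for img, d in targets.items()}}, targets_keys)
    ts_env = sign({"_type": "timestamp", "version": version, "expires": now + 86400,
                   "meta": {"targets": {"version": version,
                                        "sha256": hashlib.sha256(canonical(tg_env)).hexdigest()}}}, [ts_key])
    return ts_env, tg_env

def attempt(client, ts_env, tg_env, image, now):
    try:
        return ("ok", client.resolve(ts_env, tg_env, image, now))
    except VerifyError as e:
        return ("rejected", str(e))

# Constructed scenario: two offline targets keys with a 2-of-2 threshold, one timestamp key.
NOW = 1_700_000_000
K1, K2, K3, KTS, KEVIL = b"targets-key-1", b"targets-key-2", b"targets-key-3", b"timestamp-key", b"attacker"
ROOT = {"roles": {"targets": {"keyids": [key_id(K1), key_id(K2)], "threshold": 2},
                  "timestamp": {"keyids": [key_id(KTS)], "threshold": 1}}}
KEYRING = {key_id(k): k for k in (K1, K2, K3, KTS)}
GOOD, TAMPERED = "a" * 64, "b" * 64

def scenarios():
    c = Client(ROOT, KEYRING)
    v1 = publish({"acme/app:1.0": GOOD}, 1, [K1, K2], KTS, NOW)
    v2 = publish({"acme/app:1.0": GOOD, "acme/app:1.1": GOOD}, 2, [K1, K2], KTS, NOW)
    forged = publish({"acme/app:1.0": TAMPERED}, 3, [KEVIL], KEVIL, NOW)
    one_key = publish({"acme/app:1.0": TAMPERED}, 3, [K1], KTS, NOW)    # attacker stole K1 only
    out = {"genuine": attempt(c, *v2, "acme/app:1.0", NOW),
           "forgery": attempt(c, *forged, "acme/app:1.0", NOW),
           "replay": attempt(c, *v1, "acme/app:1.0", NOW),              # older, validly signed
           "stale": attempt(c, *v2, "acme/app:1.0", NOW + 2 * 86400),   # timestamp has lapsed
           "one_compromised_key": attempt(c, *one_key, "acme/app:1.0", NOW)}
    # Recovery: a new root drops K1 and admits K3; metadata signed by K1+K2 no longer meets threshold.
    rotated = Client({"roles": {"targets": {"keyids": [key_id(K2), key_id(K3)], "threshold": 2},
                                "timestamp": ROOT["roles"]["timestamp"]}}, KEYRING)
    out["after_rotation_old_meta"] = attempt(rotated, *v2, "acme/app:1.0", NOW)
    v3 = publish({"acme/app:1.0": GOOD}, 3, [K2, K3], KTS, NOW)
    out["after_rotation_new_meta"] = attempt(rotated, *v3, "acme/app:1.0", NOW)
    return out

if __name__ == "__main__":
    for name, result in scenarios().items():
        print("%-26s %s" % (name, result))
```

The scenario order matters: once the client has accepted version 2, the validly signed version 1 is a rollback; after a day the timestamp has expired even though the targets signatures are still good; and a single stolen targets key produces a timestamp the online server will happily sign but only one of the two required targets signatures, which is the K-of-N point on the slide. Rotation is expressed purely through a new root, exactly as the pinned root file on a Content Trust client would be replaced.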
Demo
Ad

More Related Content

What's hot (20)

Lecture2 Introduction to Digital Forensics.ppt
Lecture2 Introduction to Digital Forensics.pptLecture2 Introduction to Digital Forensics.ppt
Lecture2 Introduction to Digital Forensics.ppt
Surajgroupsvideo
 
Verifiable credentials explained by CCI
Verifiable credentials explained by CCIVerifiable credentials explained by CCI
Verifiable credentials explained by CCI
Kaliya "Identity Woman" Young
 
Docker Overview - Rise of the Containers
Docker Overview - Rise of the ContainersDocker Overview - Rise of the Containers
Docker Overview - Rise of the Containers
Ryan Hodgin
 
Introduction to docker
Introduction to dockerIntroduction to docker
Introduction to docker
John Willis
 
FIDO Workshop-Demo Breakdown.pptx
FIDO Workshop-Demo Breakdown.pptxFIDO Workshop-Demo Breakdown.pptx
FIDO Workshop-Demo Breakdown.pptx
FIDO Alliance
 
Introduction to Docker Containers - Docker Captain
Introduction to Docker Containers - Docker CaptainIntroduction to Docker Containers - Docker Captain
Introduction to Docker Containers - Docker Captain
Ajeet Singh Raina
 
What is self-sovereign identity (SSI)?
What is self-sovereign identity (SSI)?What is self-sovereign identity (SSI)?
What is self-sovereign identity (SSI)?
Evernym
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
Torsten Lodderstedt
 
Introduction to OAuth2.0
Introduction to OAuth2.0Introduction to OAuth2.0
Introduction to OAuth2.0
Oracle Corporation
 
ISWC2023-McGuinnessTWC16x9FinalShort.pdf
ISWC2023-McGuinnessTWC16x9FinalShort.pdfISWC2023-McGuinnessTWC16x9FinalShort.pdf
ISWC2023-McGuinnessTWC16x9FinalShort.pdf
Deborah McGuinness
 
L11 - Intro to Computer Forensics.ppt
L11 - Intro to Computer Forensics.pptL11 - Intro to Computer Forensics.ppt
L11 - Intro to Computer Forensics.ppt
RebeccaMunasheChimhe
 
What is NFT (Non-fungible token) & How do they work?
What is NFT (Non-fungible token) & How do they work?What is NFT (Non-fungible token) & How do they work?
What is NFT (Non-fungible token) & How do they work?
Finlaw Consultancy Pvt Ltd
 
The Shift from Federated to Decentralized Identity
The Shift from Federated to Decentralized IdentityThe Shift from Federated to Decentralized Identity
The Shift from Federated to Decentralized Identity
Evernym
 
Setting up Notifications, Alerts & Webhooks with Flux v2 by Alison Dowdney
Setting up Notifications, Alerts & Webhooks with Flux v2 by Alison DowdneySetting up Notifications, Alerts & Webhooks with Flux v2 by Alison Dowdney
Setting up Notifications, Alerts & Webhooks with Flux v2 by Alison Dowdney
Weaveworks
 
Kubernetes Basics
Kubernetes BasicsKubernetes Basics
Kubernetes Basics
Antonin Stoklasek
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable Credentials
Torsten Lodderstedt
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed Adam
Mohammed Adam
 
Kong, Keyrock, Keycloak, i4Trust - Options to Secure FIWARE in Production
Kong, Keyrock, Keycloak, i4Trust - Options to Secure FIWARE in ProductionKong, Keyrock, Keycloak, i4Trust - Options to Secure FIWARE in Production
Kong, Keyrock, Keycloak, i4Trust - Options to Secure FIWARE in Production
FIWARE
 
Pentesting react native application for fun and profit - Abdullah
Pentesting react native application for fun and profit - AbdullahPentesting react native application for fun and profit - Abdullah
Pentesting react native application for fun and profit - Abdullah
idsecconf
 
Kubernetes
KubernetesKubernetes
Kubernetes
Henry He
 
Lecture2 Introduction to Digital Forensics.ppt
Lecture2 Introduction to Digital Forensics.pptLecture2 Introduction to Digital Forensics.ppt
Lecture2 Introduction to Digital Forensics.ppt
Surajgroupsvideo
 
Docker Overview - Rise of the Containers
Docker Overview - Rise of the ContainersDocker Overview - Rise of the Containers
Docker Overview - Rise of the Containers
Ryan Hodgin
 
Introduction to docker
Introduction to dockerIntroduction to docker
Introduction to docker
John Willis
 
FIDO Workshop-Demo Breakdown.pptx
FIDO Workshop-Demo Breakdown.pptxFIDO Workshop-Demo Breakdown.pptx
FIDO Workshop-Demo Breakdown.pptx
FIDO Alliance
 
Introduction to Docker Containers - Docker Captain
Introduction to Docker Containers - Docker CaptainIntroduction to Docker Containers - Docker Captain
Introduction to Docker Containers - Docker Captain
Ajeet Singh Raina
 
What is self-sovereign identity (SSI)?
What is self-sovereign identity (SSI)?What is self-sovereign identity (SSI)?
What is self-sovereign identity (SSI)?
Evernym
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
Torsten Lodderstedt
 
ISWC2023-McGuinnessTWC16x9FinalShort.pdf
ISWC2023-McGuinnessTWC16x9FinalShort.pdfISWC2023-McGuinnessTWC16x9FinalShort.pdf
ISWC2023-McGuinnessTWC16x9FinalShort.pdf
Deborah McGuinness
 
L11 - Intro to Computer Forensics.ppt
L11 - Intro to Computer Forensics.pptL11 - Intro to Computer Forensics.ppt
L11 - Intro to Computer Forensics.ppt
RebeccaMunasheChimhe
 
What is NFT (Non-fungible token) & How do they work?
What is NFT (Non-fungible token) & How do they work?What is NFT (Non-fungible token) & How do they work?
What is NFT (Non-fungible token) & How do they work?
Finlaw Consultancy Pvt Ltd
 
The Shift from Federated to Decentralized Identity
The Shift from Federated to Decentralized IdentityThe Shift from Federated to Decentralized Identity
The Shift from Federated to Decentralized Identity
Evernym
 
Setting up Notifications, Alerts & Webhooks with Flux v2 by Alison Dowdney
Setting up Notifications, Alerts & Webhooks with Flux v2 by Alison DowdneySetting up Notifications, Alerts & Webhooks with Flux v2 by Alison Dowdney
Setting up Notifications, Alerts & Webhooks with Flux v2 by Alison Dowdney
Weaveworks
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable Credentials
Torsten Lodderstedt
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed Adam
Mohammed Adam
 
Kong, Keyrock, Keycloak, i4Trust - Options to Secure FIWARE in Production
Kong, Keyrock, Keycloak, i4Trust - Options to Secure FIWARE in ProductionKong, Keyrock, Keycloak, i4Trust - Options to Secure FIWARE in Production
Kong, Keyrock, Keycloak, i4Trust - Options to Secure FIWARE in Production
FIWARE
 
Pentesting react native application for fun and profit - Abdullah
Pentesting react native application for fun and profit - AbdullahPentesting react native application for fun and profit - Abdullah
Pentesting react native application for fun and profit - Abdullah
idsecconf
 
Kubernetes
KubernetesKubernetes
Kubernetes
Henry He
 

Similar to Docker Security and Content Trust (20)

SW Docker Security
SW Docker SecuritySW Docker Security
SW Docker Security
Stephane Woillez
 
Container security Familiar problems in new technology
Container security Familiar problems in new technologyContainer security Familiar problems in new technology
Container security Familiar problems in new technology
Frank Victory
 
Container Security
Container SecurityContainer Security
Container Security
Salman Baset
 
Devoxx 2016 - Docker Nuts and Bolts
Devoxx 2016 - Docker Nuts and BoltsDevoxx 2016 - Docker Nuts and Bolts
Devoxx 2016 - Docker Nuts and Bolts
Patrick Chanezon
 
Contain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceContain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidence
Black Duck by Synopsys
 
DockerCon EU 2015 Barcelona
DockerCon EU 2015 BarcelonaDockerCon EU 2015 Barcelona
DockerCon EU 2015 Barcelona
Roman Dembitsky
 
Docker Containers Security
Docker Containers SecurityDocker Containers Security
Docker Containers Security
Stephane Woillez
 
Dockercon EU 2015 Recap
Dockercon EU 2015 RecapDockercon EU 2015 Recap
Dockercon EU 2015 Recap
Lee Calcote
 
5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond
Black Duck by Synopsys
 
The ABC of Docker: The Absolute Best Compendium of Docker
The ABC of Docker: The Absolute Best Compendium of DockerThe ABC of Docker: The Absolute Best Compendium of Docker
The ABC of Docker: The Absolute Best Compendium of Docker
Aniekan Akpaffiong
 
Testing Docker Images Security
Testing Docker Images SecurityTesting Docker Images Security
Testing Docker Images Security
Jose Manuel Ortega Candel
 
Docker
DockerDocker
Docker
Charlie Cai
 
Microservices and containers for the unitiated
Microservices and containers for the unitiatedMicroservices and containers for the unitiated
Microservices and containers for the unitiated
Kevin Lee
 
Understanding docker ecosystem and vulnerabilities points
Understanding docker ecosystem and vulnerabilities pointsUnderstanding docker ecosystem and vulnerabilities points
Understanding docker ecosystem and vulnerabilities points
Abdul Khan
 
Introduction to Docker | Docker and Kubernetes Training
Introduction to Docker | Docker and Kubernetes TrainingIntroduction to Docker | Docker and Kubernetes Training
Introduction to Docker | Docker and Kubernetes Training
Shailendra Chauhan
 
Introduction Docker and Kubernetes | Docker & Kubernetes Tutorial | Dot Net T...
Introduction Docker and Kubernetes | Docker & Kubernetes Tutorial | Dot Net T...Introduction Docker and Kubernetes | Docker & Kubernetes Tutorial | Dot Net T...
Introduction Docker and Kubernetes | Docker & Kubernetes Tutorial | Dot Net T...
Dot Net Tricks
 
Docker security: Rolling out Trust in your container
Docker security: Rolling out Trust in your containerDocker security: Rolling out Trust in your container
Docker security: Rolling out Trust in your container
Ronak Kogta
 
Testing Docker Images Security -All day dev ops 2017
Testing Docker Images Security -All day dev ops 2017Testing Docker Images Security -All day dev ops 2017
Testing Docker Images Security -All day dev ops 2017
Jose Manuel Ortega Candel
 
Docker
DockerDocker
Docker
Codeister Technolgoies
 
Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security Overview
Sreenivas Makam
 
Container security Familiar problems in new technology
Container security Familiar problems in new technologyContainer security Familiar problems in new technology
Container security Familiar problems in new technology
Frank Victory
 
Container Security
Container SecurityContainer Security
Container Security
Salman Baset
 
Devoxx 2016 - Docker Nuts and Bolts
Devoxx 2016 - Docker Nuts and BoltsDevoxx 2016 - Docker Nuts and Bolts
Devoxx 2016 - Docker Nuts and Bolts
Patrick Chanezon
 
Contain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceContain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidence
Black Duck by Synopsys
 
DockerCon EU 2015 Barcelona
DockerCon EU 2015 BarcelonaDockerCon EU 2015 Barcelona
DockerCon EU 2015 Barcelona
Roman Dembitsky
 
Docker Containers Security
Docker Containers SecurityDocker Containers Security
Docker Containers Security
Stephane Woillez
 
Dockercon EU 2015 Recap
Dockercon EU 2015 RecapDockercon EU 2015 Recap
Dockercon EU 2015 Recap
Lee Calcote
 
5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond
Black Duck by Synopsys
 
The ABC of Docker: The Absolute Best Compendium of Docker
The ABC of Docker: The Absolute Best Compendium of DockerThe ABC of Docker: The Absolute Best Compendium of Docker
The ABC of Docker: The Absolute Best Compendium of Docker
Aniekan Akpaffiong
 
Microservices and containers for the unitiated
Microservices and containers for the unitiatedMicroservices and containers for the unitiated
Microservices and containers for the unitiated
Kevin Lee
 
Understanding docker ecosystem and vulnerabilities points
Understanding docker ecosystem and vulnerabilities pointsUnderstanding docker ecosystem and vulnerabilities points
Understanding docker ecosystem and vulnerabilities points
Abdul Khan
 
Introduction to Docker | Docker and Kubernetes Training
Introduction to Docker | Docker and Kubernetes TrainingIntroduction to Docker | Docker and Kubernetes Training
Introduction to Docker | Docker and Kubernetes Training
Shailendra Chauhan
 
Introduction Docker and Kubernetes | Docker & Kubernetes Tutorial | Dot Net T...
Introduction Docker and Kubernetes | Docker & Kubernetes Tutorial | Dot Net T...Introduction Docker and Kubernetes | Docker & Kubernetes Tutorial | Dot Net T...
Introduction Docker and Kubernetes | Docker & Kubernetes Tutorial | Dot Net T...
Dot Net Tricks
 
Docker security: Rolling out Trust in your container
Docker security: Rolling out Trust in your containerDocker security: Rolling out Trust in your container
Docker security: Rolling out Trust in your container
Ronak Kogta
 
Testing Docker Images Security -All day dev ops 2017
Testing Docker Images Security -All day dev ops 2017Testing Docker Images Security -All day dev ops 2017
Testing Docker Images Security -All day dev ops 2017
Jose Manuel Ortega Candel
 
Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security Overview
Sreenivas Makam
 
Ad

Recently uploaded (20)

Build Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For DevsBuild Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For Devs
Brian McKeiver
 
Semantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AISemantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AI
artmondano
 
Technology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data AnalyticsTechnology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data Analytics
InData Labs
 
Drupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy ConsumptionDrupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy Consumption
Exove
 
tecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdftecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdf
fjgm517
 
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep DiveDesigning Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
ScyllaDB
 
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Aqusag Technologies
 
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
BookNet Canada
 
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven InsightsAndrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell
 
Quantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur MorganQuantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur Morgan
Arthur Morgan
 
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxDevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
Justin Reock
 
Linux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdfLinux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdf
RHCSA Guru
 
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded DevelopersLinux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Toradex
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-UmgebungenHCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
panagenda
 
Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025
Splunk
 
Electronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploitElectronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?
Daniel Lehner
 
Cybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure ADCybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure AD
VICTOR MAESTRE RAMIREZ
 
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
organizerofv
 
Build Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For DevsBuild Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For Devs
Brian McKeiver
 
Semantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AISemantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AI
artmondano
 
Technology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data AnalyticsTechnology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data Analytics
InData Labs
 
Drupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy ConsumptionDrupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy Consumption
Exove
 
tecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdftecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdf
fjgm517
 
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep DiveDesigning Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
ScyllaDB
 
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Aqusag Technologies
 
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
BookNet Canada
 
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven InsightsAndrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell
 
Quantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur MorganQuantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur Morgan
Arthur Morgan
 
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxDevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
Justin Reock
 
Linux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdfLinux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdf
RHCSA Guru
 
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded DevelopersLinux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Toradex
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-UmgebungenHCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
panagenda
 
Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025
Splunk
 
Electronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploitElectronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?
Daniel Lehner
 
Cybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure ADCybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure AD
VICTOR MAESTRE RAMIREZ
 
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
organizerofv
 
Ad

Docker Security and Content Trust

  • 1. Docker Security and Content Trust
  • 2. Containers as a Service (CaaS) Developers IT Operations BUILD Development Environments SHIP Secure Content & Collaboration RUN Deploy, Manage, Scale
  • 4. Docker delivers end-to-end integrated security Developers IT Operations BUILD Development Environments SHIP Secure Content & Collaboration RUN Deploy, Manage, Scale 4 Secure Content Content Trust and Project Nautilus Secure Access Authorization, Authentication, Access Control (AAA) Secure Platform Runtime containment and isolation
  • 5. cGroups Namespaces User Namespaces Linux Security Modules Seccomp Runtime Containment
  • 6. • Kernel function Docker users to control resource access • Helps to ensure appropriate multi-tenancy behavior • Sets limits and constraints on hardware resources – For example CPU or memory limits with --memory or --cpu Containment: Control Groups
  • 7. • Enables granular specification of user capabilities • Root users have access to all capabilities – Non-root users more restricted, but can elevate • Capabilities in a Docker container are < half of a Linux process • Reduces possibility of system level impact on intrusion due to limited capabilities • Modify capabilities with --cap-drop / --cap-add Containment: Capabilities
  • 8. Containment: Namespaces
      • Namespaces provide the isolated workspace for “the container”
      • Containers are actually made up of several different namespaces that manage different items, some examples:
          – pid: process isolation
          – net: network interfaces
          – ipc: access to IPC resources
          – mnt: mount-points
          – uts: kernel and version identifiers
      • By default containers run with full root privileges
      • User Namespaces allow full-featured containers without root privilege
  • 9. Containment: User Namespaces
      • Enhanced access controls
      • Assign privileges for each container by user group
      • Separate container and Docker daemon level privileges
      • Containers no longer have root access to host
      (Diagram: Docker Host running Container 1, Container 2, Container 3)
  • 10. Security: Seccomp Profiles
      • Granular policy control defining what syscalls containers can make
      • Increase security by reducing attack surface of the Linux kernel
      • Secure by default with “default profile” applied to all containers
      • Syscalls like acct, add_key, clone, kexec_load, mount, reboot and others are blocked by default profile
      (Diagram: Docker Host running Container 1, Container 2, Container 3)
  • 11. Containment: Linux Security Modules (LSM)
      • Linux Security Modules (LSM) provides a general kernel framework to support security modules
          – In particular Mandatory Access Control (MAC) modules
      • Popular modules include:
          – AppArmor
          – SELinux
          – Smack
          – TOMOYO
      • By default Docker supports AppArmor (Ubuntu) and SELinux (Red Hat / CentOS)
  • 12. Content: Docker Content Trust
      • Publisher digitally signs the Docker images before sending them to the cloud
      • Any user can independently verify the digital signatures on the images
  • 13. Content: Integrated Hardware Signing
      • YubiKey 4 hardware ensures root key is never exposed
      • Publisher’s root key can’t be stolen AND Content Trust protects content itself from attacks
      • Touch to sign ensures human interaction
      • Available in Docker Experimental and Notary 0.1
  • 14. Content: Trust on Docker Hub
      Docker Hub supports storage and distribution of images signed with Docker Content Trust
      • Docker hosts and manages the Notary server
      • All 93 official repos signed by Docker Content Trust
      • Opt in to Docker Content Trust on your commercially supported Docker Engines
      • Signed images can be pushed and pulled from Docker Hub repos (signed status is not exposed in the UI at this time)
  • 15. Use Case: Image Forgery
  • 16. Use Case: Replay Attacks
  • 18. Security Scanning
      GA of Docker Security Scanning (formerly Project Nautilus), enabling detailed image security profiles, continuous vulnerability monitoring and notifications for integrated content security in the software supply chain
      • Limited time free trial for Docker Cloud private repo customers
      • Coming soon as an integrated feature in Docker Datacenter
      • Expanding soon to all Docker Cloud repo users
      Updated Docker Bench for checking host and daemon configs
      • Implement recommendations from latest CIS Docker 1.11.0 Benchmark
  • 19. Secure Content: Image Scanning
      Deep visibility with binary level scanning
      • Detailed BOM of included components and vulnerability profile
      • Checks packages against CVE database AND the code inside to protect against tampering
      • Covers wide range of languages, binaries, OS
      Proactive risk management
      • Continuous monitoring of CVE/NVD databases with notifications pointing to repos and tags that contain new vulnerabilities
      (Figure: Sample Bill of Materials (BOM))
  • 20. Docker enables least privilege microservices
      Developers / IT Operations
      • BUILD: Development Environments
      • SHIP: Secure Content & Collaboration
      • RUN: Deploy, Manage, Scale
      • Secure Content: Content Trust and Project Nautilus
      • Secure Access: Authorization, Authentication, Access Control (AAA)
      • Secure Platform: Runtime containment and isolation
  • 21. Best Practices and Tools
      CIS (Center for Internet Security) Docker Benchmark
      • Prescriptive guidance on securing Docker environments
      • Community collaboration: CIS, Docker, VMware, and others
      • Addresses Linux host configuration as well as Docker-specific configuration
      • https://benchmarks.cisecurity.org/downloads/benchmarks/index.cfm
      Docker Bench
      • Automated tool to assess security compliance of your Docker configurations
      • www.dockerbench.com
  • 22. Content Trust: Notary
      • Open source project on GitHub (github.com/docker/notary)
      • Based on TUF (The Update Framework)
      • Sign content with offline keys
      • Trust thresholds (require K out of N keys): stealing a single key lowers the remaining signing requirement, but does not break the whole model
      • Guarantee freshness
      • Distribute signed content on (potentially insecure) servers, leveraging existing (insecure) transport and mirrors
      • Basis for Docker Content Trust
  • 23. Demo
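Slide 10 describes the seccomp default profile as a deny-by-default policy in which syscalls such as acct, add_key, kexec_load, mount and reboot are unreachable. A practitioner who ships a custom profile wants to check that those syscalls stay unreachable. The following Go program is an added example, not code from the deck or from Docker; it assumes the JSON shape of Docker's seccomp profiles (a top-level `defaultAction` and `syscalls[]` entries with `names` and `action`) and uses two constructed profiles, not Docker's real default profile.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Profile mirrors only the fields of a Docker seccomp profile that this check
// needs: the default action and the per-syscall rules. Field names follow the
// JSON format Docker reads (defaultAction, syscalls[].names, syscalls[].action).
// Rules with "args" conditions are treated as plain allow/deny rules here, so a
// conditional allow is reported as reachable (the conservative reading).
type Profile struct {
	DefaultAction string `json:"defaultAction"`
	Syscalls      []struct {
		Names  []string `json:"names"`
		Action string   `json:"action"`
	} `json:"syscalls"`
}

// HighRisk is a subset of the syscalls the slide names as blocked by the
// default profile; a custom profile is linted against this list.
var HighRisk = []string{"acct", "add_key", "kexec_load", "mount", "reboot"}

// ReachableHighRisk returns the high-risk syscalls a container could invoke
// under the profile: those an explicit rule allows, plus those no rule names
// when the default action itself is allow.
func ReachableHighRisk(p Profile) []string {
	explicit := map[string]string{}
	for _, rule := range p.Syscalls {
		for _, n := range rule.Names {
			explicit[n] = rule.Action
		}
	}
	var out []string
	for _, name := range HighRisk {
		action, named := explicit[name]
		if !named {
			action = p.DefaultAction
		}
		if action == "SCMP_ACT_ALLOW" {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out
}

// LintProfile parses a profile document and reports reachable high-risk syscalls.
func LintProfile(doc []byte) ([]string, error) {
	var p Profile
	if err := json.Unmarshal(doc, &p); err != nil {
		return nil, fmt.Errorf("invalid seccomp profile: %w", err)
	}
	return ReachableHighRisk(p), nil
}

// Constructed sample profiles for the demonstration (not Docker's default profile).
const hardened = `{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [{"names": ["read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW"}]
}`

const permissive = `{
  "defaultAction": "SCMP_ACT_ALLOW",
  "syscalls": [{"names": ["reboot"], "action": "SCMP_ACT_ERRNO"}]
}`

func main() {
	for _, sample := range []struct{ label, doc string }{{"hardened", hardened}, {"permissive", permissive}} {
		reachable, err := LintProfile([]byte(sample.doc))
		if err != nil {
			fmt.Println(sample.label, err)
			continue
		}
		fmt.Printf("%s: reachable high-risk syscalls = %v\n", sample.label, reachable)
	}
}
```

The hardened sample is an allow-list, so everything not named (including the five high-risk calls) falls through to SCMP_ACT_ERRNO and the report is empty. The permissive sample shows the failure mode: flipping the default to allow and denying one syscall by name leaves the other four reachable.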
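Slides 18 and 21 point to Docker Bench, which checks host and daemon configuration against the CIS Docker Benchmark. The program below is an added example in the same spirit, not Docker Bench itself and not code from the deck: it audits a daemon.json document against a small, illustrative subset of daemon settings the benchmark recommends (restricting inter-container traffic, enabling user namespaces, avoiding insecure registries, blocking new privileges, enabling live restore). The two configuration documents are constructed for the demonstration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// DaemonConfig holds the daemon.json keys this audit inspects. Pointer fields
// distinguish "key absent" (daemon default applies) from "key set to false".
type DaemonConfig struct {
	ICC                *bool    `json:"icc"`
	UsernsRemap        string   `json:"userns-remap"`
	InsecureRegistries []string `json:"insecure-registries"`
	NoNewPrivileges    *bool    `json:"no-new-privileges"`
	LiveRestore        *bool    `json:"live-restore"`
}

// Finding is one failed check, in the style of Docker Bench output.
type Finding struct {
	Check  string
	Advice string
}

// Audit parses a daemon.json document and returns one Finding per recommended
// setting that is missing or weakened. This is an illustrative subset of the
// CIS Docker Benchmark, not the full benchmark.
func Audit(doc []byte) ([]Finding, error) {
	var c DaemonConfig
	if err := json.Unmarshal(doc, &c); err != nil {
		return nil, fmt.Errorf("invalid daemon.json: %w", err)
	}
	var f []Finding
	// icc defaults to true, so an absent key means traffic is unrestricted.
	if c.ICC == nil || *c.ICC {
		f = append(f, Finding{"inter-container traffic", `set "icc": false and connect containers explicitly`})
	}
	if c.UsernsRemap == "" {
		f = append(f, Finding{"user namespaces", `set "userns-remap": "default" so container root is not host root`})
	}
	if len(c.InsecureRegistries) > 0 {
		f = append(f, Finding{"insecure registries", `remove "insecure-registries"; pull only over TLS`})
	}
	if c.NoNewPrivileges == nil || !*c.NoNewPrivileges {
		f = append(f, Finding{"privilege escalation", `set "no-new-privileges": true to block setuid privilege gains`})
	}
	if c.LiveRestore == nil || !*c.LiveRestore {
		f = append(f, Finding{"live restore", `set "live-restore": true so containers survive daemon restarts`})
	}
	return f, nil
}

// Constructed sample configurations (the registry host is a placeholder).
const weakConfig = `{
  "icc": true,
  "insecure-registries": ["registry.example.internal:5000"],
  "live-restore": false
}`

const hardenedConfig = `{
  "icc": false,
  "userns-remap": "default",
  "no-new-privileges": true,
  "live-restore": true
}`

func main() {
	for _, sample := range []struct{ label, doc string }{{"weak", weakConfig}, {"hardened", hardenedConfig}} {
		findings, err := Audit([]byte(sample.doc))
		if err != nil {
			fmt.Println(sample.label, err)
			continue
		}
		fmt.Printf("%s: %d finding(s)\n", sample.label, len(findings))
		for _, x := range findings {
			fmt.Printf("  [%s] %s\n", x.Check, x.Advice)
		}
	}
}
```

The weak sample triggers all five checks, two of them because the key is simply absent and the daemon default is the permissive one; the hardened sample passes clean. Running the real Docker Bench remains the authoritative check, since it covers host, daemon, image and runtime items well beyond these five.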
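Slide 22 lists what Notary takes from TUF: offline signing keys, K-of-N trust thresholds, a freshness guarantee, and distribution over untrusted servers; slides 15 and 16 name the attacks those properties address (image forgery and replay). The verifier below is an added example, written for this page rather than taken from Notary, that carries those checks through on a simplified metadata document: it rejects expired metadata, rejects a version older than one already accepted, and requires signatures from at least K distinct trusted keys. It uses Go's standard ed25519 package; the keys generated in-process stand in for offline keys, and the metadata format and digest value are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Metadata is a simplified TUF-style signed document: it binds the content by
// digest, carries a version for rollback protection and an expiry for freshness.
type Metadata struct {
	Version int
	Expires time.Time
	Digest  string // digest of the image manifest (a constructed value here)
}

// Signature pairs a signer's public key with its signature over the metadata.
type Signature struct {
	Key ed25519.PublicKey
	Sig []byte
}

// Bytes is the canonical byte string that is signed and verified.
func (m Metadata) Bytes() []byte {
	return []byte(fmt.Sprintf("v=%d;exp=%s;digest=%s", m.Version, m.Expires.UTC().Format(time.RFC3339), m.Digest))
}

// Sign produces one signer's signature over the metadata.
func Sign(m Metadata, priv ed25519.PrivateKey) Signature {
	return Signature{Key: priv.Public().(ed25519.PublicKey), Sig: ed25519.Sign(priv, m.Bytes())}
}

// Verifier holds the trusted keys, the threshold K, and the highest version
// already accepted, which is what lets it refuse a replayed older document.
type Verifier struct {
	Trusted     []ed25519.PublicKey
	Threshold   int
	LastVersion int
}

var (
	ErrExpired   = errors.New("metadata expired: freshness guarantee violated")
	ErrRollback  = errors.New("metadata version older than last seen: possible replay")
	ErrThreshold = errors.New("not enough valid signatures from distinct trusted keys")
)

// Verify accepts the metadata only if it is unexpired, not older than what was
// already accepted, and signed by at least Threshold distinct trusted keys.
// Duplicate signatures from one key count once, so a single stolen key
// cannot satisfy a threshold of two on its own.
func (v *Verifier) Verify(m Metadata, sigs []Signature, now time.Time) error {
	if !now.Before(m.Expires) {
		return ErrExpired
	}
	if m.Version < v.LastVersion {
		return ErrRollback
	}
	msg := m.Bytes()
	seen := map[string]bool{}
	for _, s := range sigs {
		id := hex.EncodeToString(s.Key)
		if seen[id] || !v.isTrusted(s.Key) || !ed25519.Verify(s.Key, msg, s.Sig) {
			continue // duplicate signer, untrusted key, or signature over other bytes
		}
		seen[id] = true
	}
	if len(seen) < v.Threshold {
		return ErrThreshold
	}
	v.LastVersion = m.Version
	return nil
}

func (v *Verifier) isTrusted(k ed25519.PublicKey) bool {
	for _, t := range v.Trusted {
		if t.Equal(k) {
			return true
		}
	}
	return false
}

// NewSigner generates a fresh ed25519 key pair (stand-in for an offline key).
func NewSigner() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

func main() {
	k1, k2, k3 := NewSigner(), NewSigner(), NewSigner()
	pub := func(k ed25519.PrivateKey) ed25519.PublicKey { return k.Public().(ed25519.PublicKey) }
	v := &Verifier{Trusted: []ed25519.PublicKey{pub(k1), pub(k2), pub(k3)}, Threshold: 2}
	now := time.Now()
	m := Metadata{Version: 1, Expires: now.Add(time.Hour), Digest: "0123abcd"}
	fmt.Println("one signature:", v.Verify(m, []Signature{Sign(m, k1)}, now))
	fmt.Println("two signatures:", v.Verify(m, []Signature{Sign(m, k1), Sign(m, k2)}, now))
}
```

Because the digest is part of the signed bytes, signatures lifted from a genuine document do not validate a forged one with a different digest (the image forgery case), and because the verifier remembers the last accepted version, an attacker who can replace files on a mirror cannot serve an older signed document (the replay case). Real TUF metadata additionally separates root, targets, snapshot and timestamp roles with their own keys and thresholds; this example collapses them into one document to keep the three checks visible.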