Securing containers on any infrastructure with StackRox & Docker Enterprise Edition

Four and a half years since it was first introduced, Docker continues to have a profound impact on reshaping how developers build, ship, and run software applications. Few could have anticipated the speed of Docker adoption that we have observed to date with more than 21 million hosts now running Docker, over 24 billion Docker container downloads, and a vibrant ecosystem of 100,000+ third-party projects that incorporate Docker. As the de facto standard for the container runtime and image format, Docker has democratized the ability for anyone to take advantage of container technologies that could previously only be utilized by a handful of the world’s largest, cloud-native companies.

This has created an opportunity for enterprises such as Goldman Sachs, Bank of America, Royal Caribbean, and countless others to utilize containers to develop and manage their applications more efficiently at a time when they are also shifting computing infrastructure to the public cloud. Containers are now the atomic unit of modern software development for mainstream Global 2000 enterprises transitioning to hybrid, multi-cloud, and container-centric application architectures. Gartner predicts that within the next three years, more than 50% of enterprises will be running containerized applications in production.

Today Docker Enterprise Edition (EE) is the leading container platform for enterprises looking to maximize flexibility, ensure portability, and avoid technology lock-in, attracting organizations such as ADP, General Electric, MetLife, PayPal, Societe Generale, and others. With its recently added support for Kubernetes, customers can use Docker EE to benefit from multiple orchestration systems, modernize traditional applications (MTA) or build new microservices-based ones, deploy on Linux or Windows, and run containers on everything from mainframe systems on-premises to virtual machine instances in the public cloud. No other container platform gives customers this degree of choice while maintaining a simple, consistent experience for development teams.

Docker EE security for the software supply chain

The flexibility afforded by Docker EE extends to the security capabilities built into its platform, which enable customers to secure their container software supply chain. Container images must be secured as they are built and assembled from application code, dependencies, and packages (many of which are open source). Security best practices entail scanning images for known vulnerabilities; signing images to ensure proof-of-origin, authenticity, and provenance; and restricting who can push and pull images from the container registry. Additionally the container engines, orchestration system, and hosts within the environment must also be appropriately configured. This involves setting access controls on the cluster, ensuring network traffic is encrypted between nodes, passing security profiles to individual containers, and managing sensitive content such as secrets.

Docker EE incorporates Docker’s security philosophy of “Secure by Default." Docker EE makes it easy for enterprises to secure container images and harden the container environment prior to runtime with the following controls built in:

Image scanning (Docker Security Scanning): Docker Trusted Registry is a customer-administered registry that is incorporated into Docker EE and integrates image scanning to detect known vulnerabilities (based on the CVE Database) within container images.

Image signing (Docker Content Trust): This feature integrates a project called Notary to provide cryptographic signatures for container images. Verification of signatures to establish trust over images can be required before they are used to launch new containers.

Access control: Access to the Docker cluster, including container hosts, container images, and running containers, can be restricted using role-based access controls (RBAC).

Security profiles for container hardening: Docker provides reference seccomp and AppArmor security profiles that can be applied to restrict system access by individual containers. Docker also enables users to lock down root in a container.

Secrets management: Secrets (sensitive data such as passwords, keys, or certificates) can be centrally managed within the Docker platform. This prevents against exposure of sensitive data that might otherwise be passed in environment variables or stored in container images.

StackRox for runtime security

StackRox complements the security built into Docker EE with an equally deep suite of capabilities that focuses beyond the software supply chain. StackRox secures running containers with controls that give security teams the ability to visualize the container attack surface, expose malicious activity with machine learning and policies, and stop the attacker kill chain. Together, StackRox and Docker EE jointly provide customers with end-to-end security across the container lifecycle from build to runtime.

When a Global 2000 bank using Docker EE began containerizing legacy WebLogic and Tomcat applications earlier this year, its security team selected StackRox for runtime security to augment Docker EE’s image scanning and signing functions. More specifically, the team required the ability to protect against container intrusions that its existing security infrastructure was unable to address. Representative threat vectors that StackRox automatically detects include malicious lateral movement, sensitive filesystem access, and unauthorized Docker activity. StackRox is now enabling this bank, and others enterprises like it, to aggressively scale their containerization efforts, accelerate the timeframe for deploying sensitive applications into production, reduce the exposure of these containers (many of which are web-facing) to threats, and reduce operational resources required to address security incidents throughout their Docker EE environment.

StackRox’s integration with Docker EE

Similar to Docker EE, StackRox is designed to maximize flexibility for enterprises running containers across multiple environments, from on-premises to the public cloud, with a requirement for best-in-class security. StackRox is built to be agnostic to underlying compute infrastructure and uses a container-native and microservices-based architecture, which allows it to secure your applications running within Docker EE simply by running a set of StackRox containers alongside them.

The StackRox containers use a set of images that are stored and separately tagged within your DTR. This allows you to deploy and manage StackRox services using the same, familiar toolchain already built into Docker EE whether it is using the Docker CLI or Universal Control Plane (UCP) interface. Operational workflows remain consistent across Docker EE, your applications, and StackRox’s security. StackRox services are both Docker Swarm- and Kubernetes-aware, allowing their deployment and scaling to be fully automated regardless of the orchestrator you have selected within Docker EE.

Once StackRox’s containers are running within your Docker EE environment, you will see them as a stack displayed in your UCP console.

StackRox auto-discovers all containers, including containerized UCP services within your Docker EE clusters. These services are populated within the Docker_UCP application in the StackRox Portal.

Docker EE is a flexible platform built to run containers on any infrastructure. StackRox enables enterprises to secure those containers when it matters most. Are you looking for end-to-end security throughout your Docker EE environment? Contact us if you are interested in learning more about StackRox.