Docker Enterprise: The First DISA STIG’ed Container Platform!
Docker Enterprise was built to be secure by default. When you build a secure-by-default platform, you need to consider security validation and governmental use. Docker Enterprise has become the first container platform to complete the Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) process. Thanks to DISA for its support and sponsorship. Being the first container platform to complete the STIG process through DISA means a great deal to the entire Docker team.
The STIG took months of work writing and validating the controls. What does it really mean? Having a STIG allows government agencies to ensure they are running Docker Enterprise in the most secure manner. The STIG also provides validation for the private sector. One of the great concepts in any compliance framework, STIGs included, is the idea of inherited controls: a system deployed on a platform that is already hardened to its STIG can inherit those platform controls in its own assessment rather than proving them again. Adopting a STIG recommendation helps improve an organization's security posture. Here is a great blurb from DISA's site:
The Security Technical Implementation Guides (STIGs) are the
configuration standards for DOD IA and IA-enabled devices/systems. Since 1998,
DISA has played a critical role enhancing the security posture of DoD’s
security systems by providing the Security Technical Implementation Guides
(STIGs). The STIGs contain technical guidance to “lock down” information
systems/software that might otherwise be vulnerable to a malicious computer
attack.
This GCN article also makes a good point about using the
STIG as a security baseline:
If you look at any best practice guidance, regulation or
standards around effective IT security out on the market today, you will see
that it advises organizations to ensure their computing systems are configured
as securely as possible and monitored for changes.
What STIG Means for Docker’s Customers
So what's in the STIG? STIGs are distributed as XCCDF XML and are easiest to read in the STIG Viewer, a custom GUI written in Java (see DISA's page on STIG viewing tools for more). Specifically, you can find the latest DISA STIG Viewer here.
The Docker Enterprise STIG can be found here: Docker Enterprise 2.x Linux/UNIX STIG – Ver 1 Rel 1 (you will need to unzip it). Although the current STIG calls out Docker Enterprise 2.x, it applies equally to Docker Enterprise 3.x.
Let's dig into the STIG itself. There is some good information about the STIG and DISA's authority in the Overview PDF.
The STIG itself contains only 100 controls. For the uninitiated, a control is a configuration item that must be checked and, if it is not compliant, changed. This is the real meat and potatoes for system administrators.
Here is the breakdown:
Category   Controls
CAT 1      23
CAT 2      72
CAT 3      5
Total      100
CAT 1 controls are the highest-severity controls (DISA reserves CAT 1 for findings that can directly and immediately lead to loss of confidentiality, availability, or integrity) and should be addressed first. As you can see, there are only 23 CAT 1 controls, and the bulk of them are "what not to do" controls: checks that confirm an undesirable configuration is absent rather than steps that require new configuration. With only 100 controls in total, there is not a lot of work to do to harden Docker Enterprise.
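The breakdown above can be reproduced without the STIG Viewer, because the benchmark inside the STIG zip is an XCCDF XML file. The following is an added example, written for this page rather than taken from the Docker post or from DISA: it parses a constructed stand-in for such a benchmark with Python's standard library and counts rules per category using DISA's severity-to-category mapping (high = CAT 1, medium = CAT 2, low = CAT 3). The rule ids, versions and titles in the sample are placeholders, not controls from the real Docker Enterprise STIG, and the element layout is assumed to match DISA's XCCDF 1.1 benchmarks. A rule with no severity attribute is reported as UNRATED rather than silently dropped, so the total always matches the number of rules in the file.

```python
"""Summarise an XCCDF STIG benchmark by category (added example, not Docker's or DISA's code)."""
from collections import Counter
import xml.etree.ElementTree as ET

# XCCDF 1.1 namespace used by DISA STIG benchmarks.
NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}

# DISA's mapping of XCCDF rule severity to STIG category.
SEVERITY_TO_CAT = {"high": "CAT 1", "medium": "CAT 2", "low": "CAT 3"}

# Constructed sample benchmark: placeholder ids/titles, NOT the real Docker Enterprise STIG.
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="Example_STIG">
  <title>Example Container Platform STIG (constructed)</title>
  <Group id="EX-1"><title>SRG-EXAMPLE</title>
    <Rule id="EX-1_rule" severity="high" weight="10.0">
      <version>EX-000001</version>
      <title>Containers must not run in privileged mode.</title>
      <check><check-content>Inspect HostConfig.Privileged on every container.</check-content></check>
      <fixtext>Remove --privileged from the container configuration.</fixtext>
    </Rule></Group>
  <Group id="EX-2"><title>SRG-EXAMPLE</title>
    <Rule id="EX-2_rule" severity="high" weight="10.0">
      <version>EX-000002</version>
      <title>The Docker socket must not be mounted into containers.</title>
    </Rule></Group>
  <Group id="EX-3"><title>SRG-EXAMPLE</title>
    <Rule id="EX-3_rule" severity="medium" weight="10.0">
      <version>EX-000003</version>
      <title>Audit logging must be enabled for the Docker daemon.</title>
    </Rule></Group>
  <Group id="EX-4"><title>SRG-EXAMPLE</title>
    <Rule id="EX-4_rule" severity="medium" weight="10.0">
      <version>EX-000004</version>
      <title>Image signature enforcement must be enabled.</title>
    </Rule></Group>
  <Group id="EX-5"><title>SRG-EXAMPLE</title>
    <Rule id="EX-5_rule" severity="low" weight="10.0">
      <version>EX-000005</version>
      <title>Unused images must be removed from hosts.</title>
    </Rule></Group>
  <Group id="EX-6"><title>SRG-EXAMPLE</title>
    <Rule id="EX-6_rule" weight="10.0">
      <version>EX-000006</version>
      <title>Rule with no severity attribute (edge case).</title>
    </Rule></Group>
</Benchmark>
"""


def parse_rules(xml_text):
    """Return one dict per <Rule>: id, version, title, severity and STIG category."""
    root = ET.fromstring(xml_text)
    rules = []
    for rule in root.iter("{%s}Rule" % NS["x"]):
        severity = rule.get("severity", "").lower()
        title_el = rule.find("x:title", NS)
        version_el = rule.find("x:version", NS)
        rules.append({
            "id": rule.get("id"),
            "version": version_el.text if version_el is not None else "",
            "title": title_el.text if title_el is not None else "",
            "severity": severity,
            # A missing or unknown severity is flagged, not guessed.
            "category": SEVERITY_TO_CAT.get(severity, "UNRATED"),
        })
    return rules


def category_breakdown(rules):
    """Count rules per category; 'Total' counts every rule, rated or not."""
    counts = Counter(r["category"] for r in rules)
    breakdown = {cat: counts.get(cat, 0) for cat in ("CAT 1", "CAT 2", "CAT 3")}
    if counts.get("UNRATED"):
        breakdown["UNRATED"] = counts["UNRATED"]
    breakdown["Total"] = len(rules)
    return breakdown


def cat1_titles(rules):
    """Titles of the highest-severity controls, the ones to review first."""
    return [r["title"] for r in rules if r["category"] == "CAT 1"]


def load_benchmark(path):
    """Parse a real XCCDF file (the *-xccdf.xml inside a DISA STIG zip)."""
    with open(path, "rb") as fh:
        return parse_rules(fh.read())


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_XCCDF)
    for cat, n in category_breakdown(parsed).items():
        print(f"{cat:8} {n}")
    print("CAT 1 controls:", *cat1_titles(parsed), sep="\n  ")
```

Point `load_benchmark` at the unzipped XCCDF file to get the real counts; on the Docker Enterprise benchmark the three category counts should add up to the 100 listed above, and any UNRATED line in the output is a sign the file is not a DISA-formatted benchmark.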
The STIG will be updated as often as needed. We want to
ensure that all our customers and partners have access to the latest security
information around Docker Enterprise.
Why STIG Matters to Docker
We are thankful to our sponsors within DISA that paved the
way for us to be accepted into the STIG process and complete it. The primary
goal of the Docker Public Sector team is to provide technology that serves
those who serve our country. Completing the STIG process was a big step for us
in gaining a level of trust necessary to fulfill that goal.
We have always felt that new technology like Docker is tangibly valuable to production enterprise and mission environments only if we do our due diligence on security through the certifications and evaluations required for our technology to be approved and used safely in real-world environments.
Source: https://www.docker.com/blog/docker-enterprise-first-disa-stig-container-platform/