Containers are the “Fastest Growing Cloud Enabling Technology”
By 2020, more than 50% of global organizations will be running containers in production. - Gartner
Title source: 451 Research
The “Matrix from Hell” Breeds Complexity
[Figure: matrix of application components (Static Website, Web Frontend, Background Workers, User DB, Analytics DB, Queue) against deployment targets (Desktop, Test/QA Cluster, Production Cluster, Public Cloud, Data Center, Mainframe, Windows Server, Edge Device), with every cell marked “?”]
Containers Cut Complexity
Docker Enterprise Edition is More than Containers + Orchestration...
[Diagram: CONTAINER (image format & runtime); CONTAINER ORCHESTRATION (container placement & scheduling); DOCKER ENTERPRISE EDITION (Lifecycle Mgt, Governance, Security; Automated, Open and Extensible; Orchestration)]
Organizations also require:
Lifecycle Management + Governance + Security + Automation + Support
Only Docker Delivers All Three Core Enterprise Requirements
Only Docker EE Gives Global 2000 Customers the Following:
Choice
• Hybrid and multi-clouds
• Windows and Linux
• Traditional apps and microservices
• DevOps and existing ops processes
Agility
• Unified operations
• Rapid delivery and response
• Cost efficiency
Security
• Safer apps
• Governance
• Chain of custody
• Threat mitigation
450+ Enterprise IT Customers Trust Docker Enterprise Edition
Financial Services; Healthcare & Science; Tech; Oil & Gas / Energy; Insurance; Public Sector
Docker Announces New Capabilities Across the Application Lifecycle from Developer Desktop through Production
• Docker Enterprise Edition expands containerization across different application types and infrastructure:
− Docker debuts federated application management across hybrid/multi-cloud infrastructure
− Docker demonstrates Kubernetes for Windows Server containers
• Docker unveils template-based workflows for Docker Desktop to extend containerization to a broader range of enterprise developers
Containers are Portable Today; The Management of Containers is Not
• Most enterprise organizations have a hybrid and multi-cloud strategy
• Containers helped to make applications portable, but the management of these containers is not:
− Each cloud is managed under a separate operational model, duplicating efforts
− Different security and access policies across each platform
− Content is hard to distribute and track
− Poor infrastructure utilization still remains
• Emergence of cloud-hosted Kubernetes is exacerbating the challenges with managing containerized applications across multiple clouds
Use Cases that are Driving the Need for the Federated Management of
Containerized Applications
• Run dev/test in the cloud, move production to own data centers
• Run the same application in multiple countries for data locality & compliance reasons
• Allow different teams to access specific clouds for their app services (e.g. IoT, AI/ML, Big Data)
• Extend availability across multiple locations
• Cloud Bursting / Load Balancing
• Planned Migration for DR
Docker Enterprise Edition Today: Multi-Linux, Multi-OS and Multi-Cloud; No-Lock-In
[Diagram: ENTERPRISE EDITION stack: Integrated Security; Container Engine; Policies & Governance; Automation & Extensibility; Registry Services; Developer Services; Orchestration; Networking & Storage; App Lifecycle Management; Certified Operating Systems & Infrastructure (Cloud, VM, Bare Metal)]
Only Docker Delivers All Three Core Enterprise Requirements
Choice Security Agility
Only Docker Enterprise Edition Can Deliver Federated Application Management
● Not tied to a single OS or VM model
● Only Docker supports leading cloud-hosted Kubernetes services
● Docker EE has proven ROI and infrastructure savings
● Accelerate onboarding with uniform operating model across clouds
● Automation of application lifecycle policies
● Centralized and federated source of truth for content in Docker Trusted Registry
○ Enterprise-grade image management
● Integrated security policies across clouds
Introducing Federated Application Management Across Hybrid/Multi-cloud Infrastructure
Only Enterprise-Ready Container Platform to Deliver:
1. Secure, federated content distribution
2. Automation and governance across multiple clouds
[Diagram: Docker Enterprise Edition Federated Application Management across Docker EE clusters, Azure (AKS) and Google (GKE)]
Secure, Federated Content Distribution
PROBLEM
• Cloud-based registries create unmanaged content silos
• No ability to collaborate across teams
SOLUTION
• Centralize content to Docker’s secure software supply chain
• Maintain a secure chain of custody as apps are deployed, migrated or replicated to various clouds
[Diagram labels: Private Data Center, Docker Trusted Registry, Azure (AKS), Google (GKE)]
Governance and Policy-Based Automation Across Docker and Cloud-Hosted Kubernetes
PROBLEM
• Fragmented visibility of applications across container clusters and services
• Shadow IT breaks corporate security and compliance policies
SOLUTION
• Get an aggregated view of all containerized applications
• Control where applications are deployed, migrated or replicated through a single management UI
• Global access and policy definitions apply across clouds
[Diagram: Docker Enterprise Edition Federated Application Management applying Security, Governance and Policies to MyApp across Docker EE clusters, Azure (AKS) and Google (GKE)]
Docker Continues Leadership with Windows Containers
Oct 2014: Joint engineering with Microsoft begins
Sep 2016: Windows Server includes Docker EE Engine
Aug 2017: Docker EE supports mixed Windows and Linux clusters
2H 2018: Kubernetes on Windows Server with Docker EE
● Docker continues to drive innovation and adoption of Windows containers in collaboration with Microsoft
○ Docker and Microsoft have a joint engineering and support relationship
○ DockerCon speakers Jabil and GE Digital are both speaking about their Windows container usage for modernizing legacy .NET apps and analytics
● Existing R&D work with Windows Server makes Kubernetes integration possible
Deploy Windows- and Linux-based Applications with Both Swarm and Kubernetes in Docker Enterprise Edition
[Diagram: Docker Enterprise Edition orchestration (Swarm OR Kubernetes) over a Docker Enterprise cluster with Windows Server and Linux nodes]
DOCKER SOLUTION
• Deploy .NET and Windows Server-based apps with both Swarm and Kubernetes
• Swarm and Kubernetes run interchangeably in the same cluster
BENEFITS
• Gain more efficiencies with less cluster sprawl
• Empower migration to the cloud
• Modernize .NET applications and/or migrate applications off Windows Server 2003/2008
Docker Desktop Template-Based Workflows Extend Containerization to a
Broader Range of Enterprise Developers
• Docker Desktop (Docker for Mac and Docker for Windows) is the most popular tool for developers to start working with containers
− Millions of users, and over 1 million new developers in the last year
− Achieved Kubernetes conformance
• Docker Desktop is expanding containerization to a wider audience of enterprise developers
− Give developers a choice to leverage a guided template or native CLI
[Diagram labels: Via CLI, Via GUI, IDE Integration, MyApp]
Tech Preview: New Easy Way to Design Containerized Applications
1. Select custom application or pre-approved template
2. Customize and validate
Baseline Dockerfile and Compose files are auto-generated and ready for developer code
• Just bring your code:
− Design an app from pre-approved templates or select your services
− Auto-generate standard Dockerfiles and Compose files
− Integrate to existing IDE tools to customize, build, and ship
Docker Enterprise Edition is certified to run on CentOS, RHEL, Ubuntu, SUSE,
Oracle Linux and Windows Server and can be deployed into all major public clouds
while maintaining the same operating experience
81% of companies with 1,000+ employees have multiple clouds
Source: https://w3techs.com/technologies/details/os-linux/all/all
Source: Rightscale 2018 State of the Cloud Report
CHOICE
Only Container Platform that is Multi-Linux, Multi-OS and Multi-
Cloud
Modernize Traditional Applications
• Existing Application: Convert to a container with Docker EE
• Modern Methodologies: Integrate to CI/CD and automation system
• Modern Infrastructure: Built on premises, in the cloud, or as part of a hybrid environment.
• Modern Microservices: Add new services or start peeling off services from monolith code base
CHOICE
Only Container Platform Designed for both Microservices and
Traditional Applications
[Diagram: four worker nodes sharing the overlay network App-Net (10.0.0.0/24), with addresses 10.0.0.1 and 10.0.0.2]
• Leverage best-in-class technologies across Windows and Linux
• Connect Windows and Linux containers in the same cluster through a common overlay network
• Build Compose files for hybrid applications
• Leverage labels and constraints for intelligent placement and scheduling
CHOICE
Only Container Platform to Deliver First-Class Support and
Interoperability across Linux and Windows
Choice of Swarm and Kubernetes: Only Solution That Lets You
Run Swarm Today, Kubernetes Tomorrow and Vice Versa
Docker EE is the only platform that allows you to run both Swarm and Kubernetes in the same cluster:
● Developers do not need to select orchestrators
● Freedom to change orchestrators as needs arise
● EE Manager Nodes are both Swarm and Kubernetes enabled
● Every worker node is both Kubernetes API- and Swarm API-ready
[Diagram: Docker EE Cluster nodes under Docker EE Orchestration: Secure Cluster Management and App Scheduler (Swarm OR Kubernetes)]
CHOICE
Deploy Applications with Either Compose or Kubernetes YAML
[Diagram: Docker Compose and Kubernetes YAML files deployed to cluster nodes]
KEY BENEFITS
• Simple Compose spec for developers, IT ops have multiple options for deployment
• Migrate existing Docker apps to Kubernetes at your own pace
FEATURE / CAPABILITY
• Use existing Docker Compose files and choose at runtime to deploy on either Swarm or Kubernetes
CHOICE
Deploy Kubernetes Apps via UI or CLI
• Docker EE uses standard Kube API and CLI
• Use UCP UI to upload YAML files for deploying Kube workloads
• Both methods enforce permissions and limit unauthorized access
− Client bundle to connect local client to UCP controller with user certs
CHOICE
Distributed Supply Chain Supports Global Development and
Deployment
KEY BENEFITS
• Enable “follow the sun” development with secure image promotion and image caching
• Rapidly update software when new patches need to be distributed globally
FEATURE / CAPABILITY
• Image mirroring: Push and pull images from one registry to another based on pre-defined policies
• Image caching: Extend the registry to a local cache while maintaining secure posture via encryption and access controls
[Diagram labels: Primary Registry, Mirror Registry, HQ, Cache]
AGILITY
Swarm: Application (Layer 7) Ingress Routing
[Diagram: traffic via DNS (http port 80, https port 443, etc.) enters an upstream external LB, passes to ingress LB nodes running a proxy, and is routed by path (acme.com/app1, acme.com/app2) to App1 and App2 on worker nodes]
AGILITY
KEY BENEFITS
• Intelligently route traffic to the appropriate nodes with performance and security
• Integrate with preferred load balancing tools
FEATURE / CAPABILITY
• Hostname and Path-based routing
• SSL termination
• Included load balancing proxy with NGINX, swappable for others
Docker EE Delivers Infrastructure Savings and Productivity Gains
Financial Services Case Study
Docker EE Cuts TCO by 41%, Saves $28M over 5yrs
Before Docker EE: Applications 500; VMs 5,300; Cores 22,000; Annualized Cost $12 million; CPU utilization 57% max
With Docker EE: Applications 500; VMs 1,320; Cores 13,100; Annualized Cost $7 million; CPU utilization ~90% max
Change: VMs 75% reduction; Cores 40% reduction; Annualized Cost 41% reduction; CPU utilization 2x improvement
AGILITY
Docker EE Makes Scaling Your Environment Easy
[Diagram: Docker EE Management Console; Docker EE Control Plane and Cluster Management; swarm-mode cluster with Kubernetes-ready Linux nodes]
KEY BENEFITS
• Single command to join new Swarm/Kubernetes nodes into a secure cluster
• Automatically integrate new nodes into existing access controls and policies
• No need to install separate services; all nodes come pre-installed with necessary services
AGILITY
Unified Operations Enable Your Existing Team to Operationalize
Docker Containers in Production
Docker EE simplifies and automates the day-to-day application delivery and
operations of containers, increasing what your existing team can support
SKILLS REQUIRED
With Docker Enterprise Edition: Existing team
Other Container Platforms: Unbudgeted new headcount for operational expertise and support
AGILITY
Docker EE Secures the End-to-End Software Supply Chain
SECURITY
Build With Integrity
• Verify, sign, & scan
• Secure image storage
• Secure sensitive data
Trusted Automation (CI/CD)
• Verifiable chain of custody
• Policy-based automation
Run Safe
• Secure by default
• Security Zones
• Governance controls
Define Secure Environment Zones to Avoid Costly Cluster Sprawl
SECURITY
KEY BENEFITS
• Respond faster to changing organizational demands
• Drive higher infrastructure and operational efficiencies and avoid cluster sprawl
FEATURE / CAPABILITY
• Secure Environment Zones
− Logical and physical partitioning
− Role-based permissions for delivery and operations
[Diagram: single cluster, multiple divided zones (SANDBOX, TEST, STAGING, PRODUCTION) under the Docker Enterprise Edition management plane, with the Operations Team]
[Diagram: swarm mode cluster of worker nodes under Docker Enterprise Edition (universal control plane, trusted registry), divided among a .NET Dev Team using Swarm, a Java Dev Team using K8s, a Java Dev Team using Swarm, and the Ops Team]
Define Secure Application Zones to Enforce IT Governance
KEY BENEFITS
• Easily define resource-based permissions to different teams and expose only the allotted resources to each team
• Re-allocate resources as needed
FEATURE / CAPABILITY
• Integrate with LDAP/AD and create granular and flexible access controls
• Combine Namespace isolation with node-based isolation for increased separation
SECURITY
Threat Mitigation: Scan Container Images for Vulnerabilities
SECURITY
KEY BENEFITS
• Reduce risk by identifying security issues early
• Stop automation workflows when security issues are discovered
• Ensure compliance with alerts for new vulnerabilities
FEATURE / CAPABILITY
• Integrated security scanning and vulnerability monitoring with customized alerts
• Binary level scanning provides deep visibility into all components
Threat Mitigation: Audit All Image Layers and Components
SECURITY
KEY BENEFITS
• Ensure compliance with an audit log of all application dependencies
• Track supporting library versions and licenses
FEATURE / CAPABILITY
• Get a full Bill of Materials for all of your Docker images that details all application and library dependencies
• Detailed visibility of all Layers including those from Base Images
Access Control: Image Promotion
SECURITY
KEY BENEFITS
• Restrict access to images to the right users.
• Track and lock down image versions.
FEATURE / CAPABILITY
• Promote “blessed” images from one repository to a different repository in the same DTR using a policy.
• Repositories each have their own access control.
• Images can be re-tagged automatically to a new flag.
Maintaining a Globally Consistent Supply Chain
KEY BENEFITS
• Create a single source of truth for containerized applications no matter where they are deployed
• Maintain a single supply chain for a globally-distributed enterprise footprint
FEATURE / CAPABILITY
• Connect multiple Docker EE clusters to a single private registry
• Validate image signatures before deployment
[Diagram: one Docker Trusted Registry connected to four Docker EE clusters]
SECURITY
Trusted Automation, With Verifiable Chain of Custody
● Image signing and scanning of applications to validate and verify content
● Content Trust: Only run applications that have the required signatures
● Automated policies for image promotions across the app development lifecycle
[Diagram: App.go in dev/hello-world is promoted to prod/hello-world under the policy “No ‘critical’ or ‘major’ vulnerabilities”]
SECURITY