Docker advances application security with container-native secrets management

 Docker today announced that the latest release of Docker Datacenter includes container-native secrets management, a critical element for ensuring the security of production-grade applications across the entire software supply chain.

Secrets such as API keys, encryption keys and passwords are required for applications to securely interact and their safe operational management is critical to enterprise data integrity and security compliance strategies. Docker secrets management is integrated into Docker Datacenter and specifically architected for containerized environments, providing the only available solution for trusted delivery across any infrastructure. Docker secrets uniquely addresses enterprise requirements for “usable security” by providing a single standardised interface for all applications, making it easy to secure applications whether for Dev or Ops or for Dockerizing traditional apps or microservices. The secrets are encrypted in transit and at rest, leveraging Docker’s built in orchestration capabilities to deliver defined secrets only to the containers running the service associated with it.

“Docker Secrets is another example of bolstering containers with the security, encryption and other capabilities that enterprise organisations expect and demand,” said Jay Lyman, principal analyst with 451 Research. “As containers continue to move beyond test and development and pilot projects to production implementation in the enterprise, the ability to provide strong isolation, safer defaults and safer container applications is critical.”

With other secrets management solutions, organisations are forced to choose either a solution that is not designed for containers and is “bolted on” to the application platform or one that is built into the orchestrator but inherently insecure and unable to support multiple applications in the same cluster. Because containers are dynamic and portable, traditional static systems cannot provide “just in time” access to secrets as new containers are instantaneously spun up for scaling, fault tolerance, etc. In lieu of an easy-to-use solution, developers often place passwords and keys in the application’s GitHub repos, making it easy for a malicious actor to compromise an organisation’s applications.

In contrast, Docker Datacenter offers a comprehensive security platform that provides container-native secrets management in combination with Docker’s other security capabilities such as image signing and verification, image scanning, automatic TLS encryption and more. Docker Datacenter offers enterprises a globally managed user base and integration with their directory services, providing the “glue” between all aspects of the application, the users in the organisation and “rules” on how they are allowed to interact together from one end of the supply chain to the other. This means IT and security operations teams can define explicit policies aligned with their compliance rules, provide individual teams with granular access to specific secrets and enable these teams to apply secrets to certain applications. It is only with this comprehensive yet easy-to-use framework that organisations can be assured of safer applications across the entire software supply chain.

“Docker’s secret management capability is the latest security enhancement integrated into the Docker platform as part of our ongoing effort to ensure applications our safer in a containerized environment, ” said Nathan McCauley, Security Director at Docker “Enterprises in the financial services and government sectors with the highest bars for security have recognized that our solution can be a cornerstone to their overall hybrid cloud security strategy. Docker secrets management, as with all aspects of security handled in Docker Datacenter, provides organisations with one security model that can be applied and managed uniformly on-premise, in the cloud and across cloud providers.”

Usable Security 

Docker’s security solution is the only integrated solution designed with both Dev and Ops workflows in mind. Docker presents both types of users with a common, standard interface to collaborate on the security profile of the application. Developers can continue to use their favourite Docker developer tools and simply add the appropriate secrets reference, while Ops can take that file, deploy directly to production and even move to a different infrastructure – without any change to the app or the security profile. This reduces complexity and friction when adopting additional security practices into an existing application pipeline.

Trusted delivery is critical to safeguarding not only the secrets (so they stay secret) but more importantly, it is vital for the integrity of the the applications themselves. Docker includes a default encrypted distributed datastore as a default component of its built-in orchestration solution. With this approach, secrets are encrypted at rest in the cluster managers. When containers are provisioned, the secrets are delivered to those containers securely over an encrypted TLS connection. The secrets are always secure because they are only delivered to the authorised application running in the container and are never saved to the nodes in the cluster, so organisations can be assured that their applications are always safer when deployed in a Docker environment.

Security Across all Environments

Portability is a fundamental characteristic of what Docker provides for all applications, ensuring that the integrity of the application is maintained across all environments. This is critical for enterprises embarking on hybrid-cloud or multi-cloud strategies and helps avoid siloed security approaches. Docker Datacenter, with its tight enterprise directory systems integration and fine-grained RBAC model, allows for a uniform application security model backed by common tooling. From a compliance standpoint, this means enterprises can streamline their efforts and upgrade traditional applications to a modern security architecture without rewriting code

Secrets management is available in Docker Datacenter as part of Docker’s 1.13.1 release. For more information: