Docker Enterprise: The First DISA STIG’ed Container Platform!

Staff - October 9, 2019

Docker Enterprise was built to be secure by default. When you build a secure-by-default platform, you need to consider security validation and governmental use. Docker Enterprise has become the first container platform to complete the Security Technical Implementation Guide (STIG) certification process. Thanks to the Defense Information Systems Agency (DISA) for its support and sponsorship. Being the first container platform to complete the STIG process through DISA means a great deal to the entire Docker team.

The STIG took months of work writing and validating the controls. What does it really mean? Having a STIG allows government agencies to ensure they are running Docker Enterprise in the most secure manner. The STIG also provides validation for the private sector. One of the great concepts in any compliance framework, like STIGs, is the idea of inherited controls. Adopting a STIG recommendation helps improve an organization’s security posture. Here is a great blurb from DISA’s site:

The Security Technical Implementation Guides (STIGs) are the configuration standards for DOD IA and IA-enabled devices/systems. Since 1998, DISA has played a critical role enhancing the security posture of DoD’s security systems by providing the Security Technical Implementation Guides (STIGs). The STIGs contain technical guidance to “lock down” information systems/software that might otherwise be vulnerable to a malicious computer attack.

banner of the DoD Cyber Exchange Public's website STIGs page

This GCN article also makes a good point about using the STIG as a security baseline:

If you look at any best practice guidance, regulation or standards around effective IT security out on the market today, you will see that it advises organizations to ensure their computing systems are configured as securely as possible and monitored for changes.

What STIG Means for Docker’s Customers

So what’s in the STIG? STIGs are formatted in XML and require the STIG Viewer to read. The STIG Viewer is a custom GUI written in Java (see DISA’s page on STIG Viewing tools for more). Specifically, you can find the latest DISA STIG Viewer here.

screenshot of DISA STIG Viewer

The Docker Enterprise STIG can be found here: Docker Enterprise 2.x Linux/UNIX STIG – Ver 1 Rel 1 (you will need to unzip it). Although the current STIG calls out Docker Enterprise 2.x, it absolutely applies to Docker Enterprise 3.x!

Let’s dig into the STIG itself. There is some good information about the STIG and DISA’s authority in the Overview PDF.

The STIG itself contains only 100 controls. For the uninitiated, a control is a configuration item that needs to be checked and possibly changed. This is the real meat and potatoes for system administrators.

Here is the breakdown:

Category   Controls
CAT 1      23
CAT 2      72
CAT 3      5
Total      100

CAT 1 controls are the most important controls to pay attention to. As you can see there are only 23 CAT 1 controls, and the bulk of those are “what not to do” controls — checks to ensure an undesirable situation is not occurring. With only 100 total controls, there is not a lot of work to do to harden Docker Enterprise.
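You do not actually need the Java STIG Viewer to get a breakdown like the table above: the file inside the STIG zip is an XCCDF XML benchmark, and each Rule element carries a severity attribute that DISA maps to the CAT levels (high is CAT 1, medium CAT 2, low CAT 3). The script below is an added example, not code from Docker or DISA; it parses a small XCCDF document that is constructed inline (placeholder rule ids and titles, not real Docker Enterprise controls), assumes the XCCDF 1.1 namespace DISA benchmarks use, and tallies the rules per category the same way the table does.

```python
"""Count STIG controls per CAT level from an XCCDF benchmark (added example)."""
import xml.etree.ElementTree as ET
from collections import Counter

# Assumption: DISA STIGs are XCCDF 1.1 documents under this namespace.
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"

# DISA's convention for mapping XCCDF rule severity to STIG categories.
SEVERITY_TO_CAT = {"high": "CAT 1", "medium": "CAT 2", "low": "CAT 3"}

# Constructed sample benchmark: ids and titles are placeholders, not real STIG content.
SAMPLE_XCCDF = f"""<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="{XCCDF_NS}" id="EXAMPLE_BENCHMARK">
  <title>Constructed sample benchmark</title>
  <Group id="V-EXAMPLE-1">
    <Rule id="SV-EXAMPLE-1_rule" severity="high">
      <title>Constructed CAT I rule</title>
    </Rule>
  </Group>
  <Group id="V-EXAMPLE-2">
    <Rule id="SV-EXAMPLE-2_rule" severity="medium">
      <title>Constructed CAT II rule A</title>
    </Rule>
  </Group>
  <Group id="V-EXAMPLE-3">
    <Rule id="SV-EXAMPLE-3_rule" severity="medium">
      <title>Constructed CAT II rule B</title>
    </Rule>
  </Group>
  <Group id="V-EXAMPLE-4">
    <Rule id="SV-EXAMPLE-4_rule" severity="low">
      <title>Constructed CAT III rule</title>
    </Rule>
  </Group>
</Benchmark>
"""


def parse_rules(xccdf_text):
    """Return a list of (rule_id, severity, title) tuples from XCCDF text."""
    root = ET.fromstring(xccdf_text)
    ns = {"x": XCCDF_NS}
    rules = []
    # Rules live under Group elements; iterfind with the namespace prefix finds them all.
    for rule in root.iterfind(".//x:Rule", ns):
        title_el = rule.find("x:title", ns)
        title = title_el.text.strip() if title_el is not None and title_el.text else ""
        rules.append((rule.get("id", ""), rule.get("severity", "unknown"), title))
    return rules


def count_by_category(rules):
    """Tally rules into CAT 1/2/3 (anything else lands in 'Unmapped') plus a Total."""
    counts = Counter()
    for _, severity, _ in rules:
        counts[SEVERITY_TO_CAT.get(severity, "Unmapped")] += 1
    counts["Total"] = len(rules)
    return dict(counts)


def cat1_rules(rules):
    """CAT 1 rules are the ones to triage first; return their ids and titles."""
    return [(rule_id, title) for rule_id, severity, title in rules if severity == "high"]


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_XCCDF)
    for category, n in count_by_category(parsed).items():
        print(f"{category:<10}{n}")
    for rule_id, title in cat1_rules(parsed):
        print("CAT 1:", rule_id, title)
```

To run it against the real benchmark, unzip the STIG download and pass the contents of the xccdf XML file to parse_rules instead of SAMPLE_XCCDF. The standard-library parser is fine for a file you downloaded from DISA yourself; for XML from an untrusted source, swap in a hardened parser such as defusedxml.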

The STIG will be updated as often as needed. We want to ensure that all our customers and partners have access to the latest security information around Docker Enterprise.

Why STIG Matters to Docker

We are thankful to our sponsors within DISA that paved the way for us to be accepted into the STIG process and complete it. The primary goal of the Docker Public Sector team is to provide technology that serves those who serve our country. Completing the STIG process was a big step for us in gaining a level of trust necessary to fulfill that goal.

We have always felt that new technology like Docker is tangibly valuable to production enterprise and mission environments only if we do our due diligence with security through the certifications and evaluations that are required for our technology to be approved and used safely in real world environments.

To learn more about why Docker Enterprise is secure by default:

Chris Cyrus, Director Enterprise Sales at Docker, also contributed to this blog post.
