Docker Enterprise was built to be secure by default. When you build a secure-by-default platform, you need to consider security validation and governmental use. Docker Enterprise has become the first container platform to complete the Security Technical Implementation Guide (STIG) certification process. Thanks to the Defense Information Systems Agency (DISA) for its support and sponsorship. Being the first container platform to complete the STIG process through DISA means a great deal to the entire Docker team. The STIG took months of work writing and validating the controls. What does it really mean? Having a STIG allows government agencies to ensure they are running Docker Enterprise in the most secure manner. The STIG also provides validation for the private sector. One of the great concepts in any compliance framework, like STIGs, is the idea of inherited controls. Adopting a STIG recommendation helps improve an organization’s security posture. Here is a great blurb from DISA’s site:
The Security Technical Implementation Guides (STIGs) are the configuration standards for DOD IA and IA-enabled devices/systems. Since 1998, DISA has played a critical role enhancing the security posture of DoD’s security systems by providing the Security Technical Implementation Guides (STIGs). The STIGs contain technical guidance to “lock down” information systems/software that might otherwise be vulnerable to a malicious computer attack.

This GCN article also makes a good point about using the STIG as a security baseline:
If you look at any best practice guidance, regulation or standards around effective IT security out on the market today, you will see that it advises organizations to ensure their computing systems are configured as securely as possible and monitored for changes.
What STIG Means for Docker’s Customers

So what’s in the STIG? STIGs are formatted in XML and require the STIG Viewer to read. The STIG Viewer is a custom GUI written in Java (see DISA’s page on STIG viewing tools for more). Specifically, you can find the latest DISA STIG Viewer here. The Docker Enterprise STIG can be found here: Docker Enterprise 2.x Linux/UNIX STIG – Ver 1 Rel 1 (you will need to unzip it). Although the current STIG calls out Docker Enterprise 2.x, it absolutely applies to Docker Enterprise 3.x as well! Let’s dig into the STIG itself. There is some good information about the STIG and DISA’s authority in the Overview PDF. The STIG itself contains only 100 controls. For the uninitiated, a control is a configuration item that needs to be checked and possibly changed. This is the real meat and potatoes for system administrators. Here is the breakdown:
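As an added example (not code from the original post, from Docker, or from DISA’s tooling), the XCCDF XML that a STIG ships as can also be read without the STIG Viewer. The benchmark below is a constructed sample in that shape; its group and rule ids and titles are placeholders, not real Docker Enterprise STIG controls. The parser lists each rule and tallies controls by the CAT I/II/III category an administrator would triage by.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# XCCDF namespace used by DISA STIG benchmark files.
NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}

# Constructed sample in the XCCDF shape DISA STIGs use. Ids, titles and
# severities are placeholders, not real Docker Enterprise STIG controls.
SAMPLE_STIG = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="Sample_Benchmark">
  <Group id="V-000001">
    <Rule id="SV-000001r1_rule" severity="high">
      <title>Placeholder CAT I control</title>
    </Rule>
  </Group>
  <Group id="V-000002">
    <Rule id="SV-000002r1_rule" severity="medium">
      <title>Placeholder CAT II control</title>
    </Rule>
  </Group>
  <Group id="V-000003">
    <Rule id="SV-000003r1_rule" severity="low">
      <title>Placeholder CAT III control</title>
    </Rule>
  </Group>
</Benchmark>
"""

# DISA maps XCCDF severity to the STIG category shown in the STIG Viewer.
CATEGORY = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}

def parse_stig(xml_text):
    """Return one dict per Rule: group id, rule id, severity, category and title."""
    root = ET.fromstring(xml_text)
    controls = []
    for group in root.findall("x:Group", NS):
        for rule in group.findall("x:Rule", NS):
            sev = rule.get("severity", "unknown")
            controls.append({
                "group": group.get("id"),
                "rule": rule.get("id"),
                "severity": sev,
                "category": CATEGORY.get(sev, "unknown"),
                "title": rule.findtext("x:title", default="", namespaces=NS),
            })
    return controls

def severity_breakdown(controls):
    """Count controls per STIG category, the breakdown administrators triage by."""
    return dict(Counter(c["category"] for c in controls))
```

Point `parse_stig` at the text of the unzipped benchmark file to get the same listing for a real STIG.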