How Docker Swarm Uses Transparent Root Rotation to Improve Security
Docker's swarmkit integrates multiple secure mechanisms including one known as Transparent Root Rotation.
AUSTIN, Texas — There are multiple container orchestration systems in the market today, but according to Diogo Monica, security lead at Docker Inc., Docker Swarm is the most secure.
Monica detailed his views in a highly-rated session at the DockerCon 17 conference here titled "Secure Substrate: Least Privilege Container Deployment."
Monica said swarmkit is a least-privilege container orchestrator. While there are many different security capabilities in swarmkit, there is one in particular that sets it apart and is the reason why Monica is confident that it is the world's most secure container orchestrator.
The feature is called Transparent Root Rotation.
"For security engineers, there is a lot of academic design that usually ends in a root of trust," Monica said. "The root of trust for a public key infrastructure approach like swarmkit is usually the root CA (certificate authority) private key and certificate."
The problem is what happens when a manager node that has access to the certificate authority gets compromised. That's the challenge that Transparent Root Rotation aims to help solve.
"Even though there is no way of guaranteeing that a malicious attacker that steals a private root key will not cause mayhem in a system, we can severely limit the amount of exposure that a system has," Monica said.
"What Transparent Root Rotation means is that if you are no longer happy with your root of trust, you can simply add a new one," he said.
There are four steps in the Transparent Root Rotation model. Initially, all the worker and manager nodes trust a single certificate authority, call it the blue CA. In the second step a new root of trust, the red CA, is introduced, and the manager node begins issuing new certificates from that new source. At that point the manager trusts both the blue and the red certificate authorities.
In the third step, the manager node goes to every node in the cluster and forces it to rotate its certificate to one issued by the new CA, without yet removing the old root of trust. In the fourth step, once every node trusts both the old and the new CA and holds a certificate issued by the new CA, the old CA can be removed, so a compromise of that old CA no longer exposes the cluster.
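The following is an added simulation of the four steps described above; it is illustration written for this article, not swarmkit's own code. Certificates and CAs are modelled as plain data (a certificate records only its subject and the name of the CA that issued it, and "verification" is a lookup of that issuer in the verifying node's trust bundle), so no real cryptography is performed. The model also assumes, as its reading of the third step, that a node receives the combined blue-plus-red trust bundle before its certificate is reissued by the red CA; the `careless` flag reverses that order to show why the sequencing matters. It also checks the exposure point Monica makes: after the fourth step, a certificate minted with a stolen blue key is rejected by every node.

```python
"""Model of swarmkit-style Transparent Root Rotation (added example, not
swarmkit code). Trust is modelled as issuer-name lookup, not signatures."""
from dataclasses import dataclass, field


@dataclass
class Cert:
    subject: str
    issuer: str  # name of the CA that issued it, e.g. "blue" or "red"


@dataclass
class Node:
    name: str
    cert: Cert
    trusted_cas: set = field(default_factory=set)  # the node's root-of-trust bundle

    def accepts(self, peer: "Node") -> bool:
        # A mutual-TLS handshake succeeds only if the peer's certificate was
        # issued by a CA present in this node's trust bundle (simplified model).
        return peer.cert.issuer in self.trusted_cas


def cluster_connected(nodes) -> bool:
    """True when every node accepts every other node's certificate, i.e. no
    manager/worker link would fail its handshake at this point in time."""
    return all(a.accepts(b) for a in nodes for b in nodes if a is not b)


def build_cluster(ca: str, n_workers: int):
    """One manager plus n workers, all trusting `ca` and holding certs it issued."""
    manager = Node("manager", Cert("manager", ca), {ca})
    workers = [Node(f"worker{i}", Cert(f"worker{i}", ca), {ca}) for i in range(n_workers)]
    return [manager] + workers


def rotate_root(nodes, old_ca: str, new_ca: str, careless: bool = False) -> dict:
    """Walk the four steps in place and record, after each, whether the cluster
    is still fully connected. With careless=True the workers' certificates are
    reissued by the new CA before they have been told to trust it, which is the
    failure the step ordering exists to prevent."""
    manager, workers = nodes[0], nodes[1:]
    status = {}

    # Step 1: every node trusts only the old root and holds a cert it issued.
    status["1 initial"] = cluster_connected(nodes)

    # Step 2: the new root is introduced. The manager now trusts both roots and
    # is able to issue certificates from the new one.
    manager.trusted_cas.add(new_ca)
    status["2 new root introduced"] = cluster_connected(nodes)

    # Step 3: every node rotates to a certificate from the new CA. The old root
    # stays trusted; in the assumed (safe) order each node learns to trust the
    # new root before its certificate is swapped.
    if not careless:
        for node in workers:
            node.trusted_cas.add(new_ca)
    for node in nodes:
        node.cert = Cert(node.name, new_ca)
    status["3 certificates rotated"] = cluster_connected(nodes)

    # Step 4: all nodes hold new-CA certs and trust both roots, so the old
    # root can be dropped from every trust bundle.
    for node in nodes:
        node.trusted_cas.discard(old_ca)
    status["4 old root removed"] = cluster_connected(nodes)
    return status


def nodes_accepting_forgery(nodes, stolen_ca: str) -> list:
    """Names of nodes that would accept a certificate minted with a stolen CA
    key: the exposure that completing the rotation removes."""
    forged = Node("intruder", Cert("intruder", stolen_ca))
    return [n.name for n in nodes if n.accepts(forged)]


def demo(careless: bool = False):
    """Run a blue-to-red rotation on a constructed 1-manager, 3-worker cluster."""
    nodes = build_cluster("blue", 3)
    status = rotate_root(nodes, "blue", "red", careless=careless)
    return status, nodes


if __name__ == "__main__":
    for mode in (False, True):
        status, nodes = demo(careless=mode)
        print("careless" if mode else "safe", status,
              "stolen blue key still accepted by:", nodes_accepting_forgery(nodes, "blue"))
```

In the safe ordering every step reports a connected cluster and, once the old root is gone, no node accepts a certificate from the stolen blue key. In the careless ordering the cluster partitions at step 3, because workers are presented with red-issued certificates while still trusting only blue.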
"Features like this (Transparent Root Rotation), we believe, make swarmkit very exciting," Monica said.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.