Cloudera Partners with Docker, Inc. to Provide the First Commercially-Supported Secure Containers

Categories: Corporate

I’ve been asked a lot of questions recently about an announcement last week regarding a partnership to provide secure containers to the United States Public Sector market. We’ve been working on something that may seem similar to other security offerings for over a year. I want to clarify the difference between the Cloudera/Docker, Inc. offering and other offerings in the general market. It is a unique collaboration that results in a net-new product for the market. Though our core product, the Enterprise Data Hub, has a role to play in modern data management, we are not announcing support for running CDH/EDH inside Docker containers.

Cloudera has a corporate-to-corporate agreement with Docker, Inc. and, while both of our platforms are built on open source technologies, we have created a fully supported secure container early access product. This product benefits greatly from roadmap alignment from both companies. It is in contrast to other offerings that are simply waiting for open source updates upstream and reacting to changes in Docker’s product.

The integrated solution is based on Cloudera Navigator Encrypt running on Docker’s CS Engine. Docker has security products also (Trusted Registry, etc.) and aligning these security concerns has been a tough, but exciting journey. For example, both our companies have integrated 17 code-level changes since January 2016. It’s far beyond simply downloading open source and bolting on encryption.

Docker and Cloudera worked in close collaboration to meet the specific needs of U.S. government agencies. Because these agencies often have sensitive workloads where portability and security are necessary, the two companies worked together on an integration that would protect the code and data running in containerized workloads. Docker and Cloudera made sure that all data and code are protected in transit, at rest, and at runtime.

Figure: Scenario (1)

Cloudera Navigator Encrypt transparently encrypts and secures data at rest without requiring changes to applications, while keeping the performance overhead of encryption and decryption minimal. Advanced key management with Cloudera Navigator Key Trustee Server and process-based access controls in Navigator Encrypt enable organizations to meet compliance regulations and help protect them from unauthorized parties or malicious actors gaining access to encrypted data. Docker wraps software in a complete filesystem (a container) that includes an application and its dependencies, which allows applications to run anywhere. In addition, Docker Content Trust, based on The Update Framework (TUF), provides the most secure content distribution model for verifying the creator of a specific dockerized application.

Cloudera Navigator Encrypt Key Trustee Server and Client already possess Federal Information Processing Standard (FIPS) 140-2 compliance, the U.S. government computer security standard used to approve cryptographic modules. The partnership with Docker enables the pursuit of an end-to-end FIPS-validated product to include the Docker platform itself, as well as the encryption and key management platform.

Docker provides an abstraction layer for Cloudera’s Navigator Encrypt and the Key Trustee Server, allowing dockerized applications to be exchanged so that they can be run, but not seen, modified, or tampered with. It provides complete administrative separation of duties, so that administrators, platform owners, and users, whether trusted or untrusted, cannot impact each other. It also includes multiple points of control, application fingerprinting, user roles, and network-based authentication.

The solution provides the tightest definition of secure data sharing to date. We are pleased to have the opportunity to bring the industry-leading security controls that are already a core part of Cloudera’s business to the realm of dockerized applications, and to support the U.S. government with its most challenging problems.

The solution is operating system and cloud agnostic. This early access product is currently available to government agencies within the U.S. and should be available outside the U.S. soon.

Figure: Architecture (1)
For more information contact
