Dockercon 2015 - Faster Cheaper Safer

Faster, Cheaper, Safer
Secure Microservice Architectures using Docker
Adrian Cockcroft @adrianco
Technology Fellow - Battery Ventures
June 2015

Key Goals of the CIO?
Align IT with the business
Develop products faster
Try not to get breached

Security Blanket Failure
Insecure applications
hidden behind firewalls
make you feel safe until
the breach happens…
http://peanuts.wikia.com/wiki/Linus'_security_blanket

Developer responsibilities:
Faster, cheaper, safer

“You build it, you
run it.”
Werner Vogels 2006

DevOps
Continuous Delivery
No meetings, no tickets
Self service tools and APIs

Developer Developer
Run What You Wrote
Developer Developer

Developer Developer
Run What You Wrote
Micro
service
Micro
service
Micro
service
Micro
service
Micro
service
Micro
service
Micro
service
Developer Developer

Developer Developer
Run What You Wrote
Micro
service
Micro
service
Micro
service
Micro
service
Micro
service
Micro
service
Micro
service
Developer Developer
Monitoring
Tools

DeveloperDeveloper Developer
Run What You Wrote
Micro
service
Micro
service
Micro
service
Micro
service
Micro
service
Micro
service
Micro
service
Developer Developer
Monitoring
Tools

Run What You Wrote
Micro
service
Micro
service
Micro
service
Micro
service
Micro
service
Micro
service
Micro
service
Developer Developer
Site
Reliability
Monitoring
Tools
Availability
Metrics
99.95% customer
success rate

Run What You Wrote
Micro
service
Micro
service
Micro
service
Micro
service
Micro
service
Micro
service
Micro
service
Developer Developer
Manager Manager
Site
Reliability
Monitoring
Tools
Availability
Metrics
99.95% customer
success rate

Run What You Wrote
Micro
service
Micro
service
Micro
service
Micro
service
Micro
service
Micro
service
Micro
service
Developer Developer
Manager Manager
VP
Engineering
Site
Reliability
Monitoring
Tools
Availability
Metrics
99.95% customer
success rate

Observe
Orient
Decide
Act Continuous
Delivery

Observe
Orient
Decide
Act
Land grab
opportunity Competitive
Move
Customer Pain
Point
Measure
Customers
Continuous
Delivery

Observe
Orient
Decide
Act
Land grab
Move
Customer Pain
Point
INNOVATION
Measure
Customers
Continuous
Delivery

Observe
Orient
Decide
Act
Land grab
Move
Customer Pain
Point
Analysis
Model
Hypotheses
INNOVATION
Measure
Customers
Continuous
Delivery

Observe
Orient
Decide
Act
Land grab
Move
Customer Pain
Point
Analysis
Model
Hypotheses
BIG DATA
INNOVATION
Measure
Customers
Continuous
Delivery

Observe
Orient
Decide
Act
Land grab
Move
Customer Pain
Point
Analysis
JFDI
Plan Response
Share Plans
Model
Hypotheses
BIG DATA
INNOVATION
Measure
Customers
Continuous
Delivery

Observe
Orient
Decide
Act
Land grab
Move
Customer Pain
Point
Analysis
JFDI
Plan Response
Share Plans
Model
Hypotheses
BIG DATA
INNOVATION
CULTURE
Measure
Customers
Continuous
Delivery

Observe
Orient
Decide
Act
Land grab
Move
Customer Pain
Point
Analysis
JFDI
Plan Response
Share Plans
Incremental
Features
Automatic
Deploy
Launch AB
Test
Model
Hypotheses
BIG DATA
INNOVATION
CULTURE
Measure
Customers
Continuous
Delivery

Observe
Orient
Decide
Act
Land grab
Move
Customer Pain
Point
Analysis
JFDI
Plan Response
Share Plans
Incremental
Features
Automatic
Deploy
Launch AB
Test
Model
Hypotheses
BIG DATA
INNOVATION
CULTURE
CLOUD
Measure
Customers
Continuous
Delivery

Low Cost of Change Using Docker
Developers
• Compile/Build
• Seconds
Extend container
• Package dependencies
• Seconds
PaaS deploy Container
• Docker startup
• Seconds

Low Cost of Change Using Docker
Fast tooling supports continuous delivery of many tiny changes
Developers
• Compile/Build
• Seconds
Extend container
• Package dependencies
• Seconds
PaaS deploy Container
• Docker startup
• Seconds

What Happened?
Rate of change
increased
Cost and size and
risk of change
reduced

“Freedom and
responsibility”
Reed Hastings 2009

Fail early and often
Instrument everything
Hypothesis driven development
Efficient and autoscaled

Efficiency Gains:
Virtualization consolidates CPUs
Docker consolidates CPU and RAM

With Docker a test environment
should only exist for the few
seconds it takes to run a test

Autoscale production to consume
just the resources you need,
by the second

“Developer Defined
Infrastructure”
Jerry Chen 2015

What can developers do
about the threats?

External Threats
Build using penetration test tools
Manage image supply chain
Hardened immutable services
Service roles and security groups

Internal Threats
Assume employees are compromised
User roles, minimum privilege
Audit logs for everything
Encrypt data at rest

In Production
https://www.docker.com/resources/usecases/ and many more….

Best Practices
https://blog.docker.com/2015/05/understanding-docker-security-and-best-practices/

Immutable deployments
Automated penetration testing
Role based identity and access
Trusted container supply chain
Continuous audit

Need for Speed
CPU and IO Intensive workloads
Hadoop, streaming, datastores
Bare metal for efficiency
Well isolated for security

Cutting the Cost
Many similar containers per VM
Saving on RAM, oversubscribe CPU
Deploy with Swarm, Mesos, ECS, GKE
VM based single tenant security

Playing it Safe
One critical container per VM
Extra security for exposed services
Deploy as immutable VM image
Docker adds to VM security

Tooling for Docker
and many more….

Docker in Production
2014 - DIY frameworks
2015 - Hardening and best practices
2016 - Mature production tooling

Thanks !
Continue the discussion on Twitter @adrianco
Adrian Cockcroft
Technology Fellow - Battery Ventures
June 2015
Disclosure: some of the companies mentioned may be Battery Ventures Portfolio Companies
See www.battery.com for a list of portfolio investments

Dockercon 2015 - Faster Cheaper Safer

More Related Content

What's hot

Viewers also liked

Similar to Dockercon 2015 - Faster Cheaper Safer

More from Adrian Cockcroft

Recently uploaded

Dockercon 2015 - Faster Cheaper Safer