SQL Server Containers and Security

Docker continues to grow in popularity across the industry, but raises numerous questions regarding security involved in public image repositories. In this article we take a look at the comprehensive security provided by Windocks, which has enabled broad adoption among financial service providers and other demanding verticals.


Windocks launched publicly over two years ago as an independent port of Docker’s open source project to Windows. Since that time Windocks has evolved into an enterprise data delivery platform, supporting storage arrays or Windows based database clones with delivery to Docker SQL Server containers, SQL Server instances, and Kubernetes. This article provides an introduction to Windocks security that is relied on by Financial Service Providers and other enterprises.

Architecture

Windocks runs on Windows Server 2012 R2 or 2016, and Windows 8.1 and 10 Pro and Enterprise editions, and supports containers for all editions of SQL Server 2008 onward, and for data delivery to Microsoft container hosts, instances, and Kubernetes over the LAN.

[Figure: Windocks architecture]

The Windocks system architecture includes:

Management Server provides a web UI for user access to data images and data delivery.

Data Delivery engine processes Docker commands and Dockerfiles, and interaction with the Management Server. The engine also manages creation of VHD and storage array clones, and delivery to SQL Server targets defined in Dockerfiles and images.

Data Store includes Virtual Hard Drives and storage array clones.

Image Store includes Windocks base and custom images. Base images are available following installation and include .NET 3.5 with IIS, SQL Server, and a Windows image used with open source projects. SQL Server base images use designated local SQL Server instances that are cloned to deliver containers. Custom SQL Server images combine VHD or Storage Array clones with run time parameters needed for target environments.

Shared Data Environments are network file shares created for delivery to SQL Server targets on the LAN, including Microsoft container servers, SQL Server instances, and Kubernetes clusters.

Data Environments lists local SQL Server containers, and the environments delivered to local and network instances and container hosts.

Local SQL Server instances are included for completeness, as local instances are valid targets for data delivery.

Windocks container architecture

Windocks supports standard Docker commands and client software, with Dockerfile extensions for database cloning and data delivery. Windocks containers run on a shared operating system rather than a shared kernel, which delivers a number of benefits:

[Figure: Windocks container architecture]

Active Directory and enterprise infrastructure: Windocks is an easy addition to existing servers and infrastructure, using Active Directory and supporting Windows authentication, and supports host based applications (VSS and SQL writer), and use of network resources.

Maintainability: Windows can be updated without requiring images and containers to be rebuilt. Likewise, SQL Server updates applied to the parent instance are inherited by new containers.

Scalability: Windocks containers are lightweight, and offer 50 to 100% less overhead per container, as the container does not include any operating system footprint.

Economy: Windocks containers are delivered as named instances, created by cloning a host installed SQL Server instance. As a result, Windocks SQL Server containers require no additional licensing and are free under existing Microsoft SQL Server licenses as cloned named instances.

Windocks Security

Windocks is a unique implementation of Docker’s source that combines the benefits of Docker with Windows and SQL Server security.

Images are based on redistributable software to support .NET with IIS, and local SQL Server instances that are cloned for SQL Server containers. This approach avoids security concerns associated with shared image repositories, as each server hosts a complete set of images. Images are fully portable and run without change on any Windocks host, using any on premise infrastructure or public cloud.

SQL Server containers are created by cloning local SQL Server instances, and inherit parent instance SQL logins, encryption keys and certificates, and other attributes. SQL Server scripting enables integration with third party Encryption Key Managers, storage arrays, and other infrastructure. Windocks provides configurable support for SQL Server container sa credentials, including options for SQL sa logins in plain text, encrypted, or for none to be created.

Windows authentication and Active Directory support is maintained as SQL Server containers are simply named instances created and managed by the Windocks engine. Each container includes a container-specific user account, supporting local or network resources, and Active Directory and Windows authentication. Each container is a SQL Server named instance, installed with Windows Registry keys, with added user and process isolation. This approach offers simplicity and fine grained control over data operations, and supports all editions of SQL Server 2008 onward.
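Because a cloned named instance inherits the parent instance's SQL logins, certificates and keys, a practitioner will want to confirm exactly what a new container carries before handing it to a team. The following T-SQL audit query is an added example, not Windocks code; it assumes you connect to the clone as HOSTNAME\<clone instance name> (an assumed target) with a login that can read the system catalog views.

```sql
-- Added audit query (not part of Windocks): run against a cloned named
-- instance to list what it inherited from the parent SQL Server instance.
-- Connection target HOSTNAME\<clone instance name> is an assumption.

-- 1. SQL logins and their state. The page notes that the sa login may be
--    created in plain text, encrypted, or not at all; check what you got.
SELECT name,
       is_disabled,
       is_policy_checked,
       is_expiration_checked,
       modify_date
FROM sys.sql_logins
ORDER BY name;

-- 2. Server-scoped certificates in master (user-created only; the
--    '##' prefix marks built-in system certificates).
SELECT name,
       subject,
       expiry_date,
       pvt_key_encryption_type_desc
FROM master.sys.certificates
WHERE name NOT LIKE '##%';

-- 3. Database-scoped symmetric keys and certificates in every cloned
--    user database (DB_ID > 4 skips master, tempdb, model and msdb).
EXEC sp_MSforeachdb N'
IF DB_ID(''?'') > 4
BEGIN
    SELECT ''?'' AS db_name, name, key_algorithm, create_date
    FROM [?].sys.symmetric_keys
    WHERE name NOT LIKE ''##%'';

    SELECT ''?'' AS db_name, name, subject, expiry_date
    FROM [?].sys.certificates
    WHERE name NOT LIKE ''##%'';
END';
```

Any login, key or certificate that appears here but is not needed in the target environment was inherited from the parent and should be removed from, or disabled on, the parent before the next clone is built.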

Use of existing infrastructure and licenses: Custom SQL Server images deliver data environments based on storage array clones or Virtual Hard Drives, and are created with Dockerfiles that define both the data source and the target environments, adding control over where data is accessed. Dockerfiles include user and group permissions, with encrypted credentials for work with storage arrays. Encrypted passwords can be used for all credentials referenced in Dockerfiles.

Secure data images: Docker images are immutable and auditable, and enhance data governance and security by curtailing ad hoc copies and restores of backups.

Reduced attack surface is achieved through isolated containers running on a shared server. Organizations average 15 containers per server, with lower license costs and reduced VM maintenance.

Secure delivery to Microsoft SQL Server containers and instances is another aspect of Windocks' value. As more organizations explore the use of Docker SQL Server containers, Windocks provides proven, secure data delivery for all Microsoft SQL Server targets, including SQL Server 2017 on Linux containers.

Modern, open SQL Server data delivery

Windocks is a unique solution that supports secure delivery of Windows hosted SQL Server containers, creation and management of database clones, and delivery of data environments to all SQL Server targets. Windocks provides these capabilities with secure services relied on by Financial Service Providers and other enterprises globally.

This article is a brief introduction to Windocks security; more in-depth information is available on request at support@windocks.com. You can start exploring these capabilities today by downloading a free Windocks Community Edition.
