SQL Server Containers and Data Security

It has become popular to describe system security in terms of isolation. Whether you think of data and container security in classical terms or in terms of isolation, this article reviews the provisions Windocks makes for secure sourcing, delivery, and use of data.

Windocks 3.0 adds support for sourcing data from external storage arrays, alongside Windows-based database clones, with delivery to Microsoft SQL Server containers, Windocks containers, and instances.

Windocks is a Docker-based design (a port of Docker's open-source code to Windows), combined with significant capabilities for SAN integration and data delivery to varied target environments. Security is a top priority, and Windocks 3.0 sports a complete set of capabilities to secure Dockerfiles, containers, data, and user access.

Windocks architecture

Windocks runs as a Windows service and clones locally installed SQL Server instances to create Docker-compatible containers. Windocks also supports integration with external storage arrays to create volume clones (or snapshots) that are mounted to SQL Server instances (local or network, containers and conventional instances). SQL Server backups are also used to build clonable Virtual Hard Drives, which support delivery of clones. Standard Docker client software and Dockerfiles drive these operations.

Figure: Windocks Security

As an enterprise data delivery solution, Windocks is growing in popularity due to a number of advantages: it supports the full Windows product family, all editions of SQL Server 2008 onward, and Windows authentication, among others. Please read this article for background.

Windocks provides complete, auditable, and secure life-cycle management of data, containers, and their associated users. Windocks dramatically improves the security profile over current practices involving the development and maintenance of PowerShell scripts.

Containers: SQL Server containers offer resource efficiency and security with multiple containers running on a shared Operating System. This dramatically reduces the attack surface compared to individual VMs, and most organizations realize a 3-5x reduction in VM usage.

In addition to VM consolidation and reduced attack surface, Windocks delivers secure SQL Server images by cloning locally installed and licensed SQL Server instances. Other Docker designs involve pulling images from public repositories, which requires constant image security and code reviews for safety. Configuration support for data masking, user/group permissions, encryption, and other security policies is applied during the image build, ensuring data images comply with enterprise data policies.

Secure Credential use: Dockerfiles are plain-text configuration files that define images, and they often require sensitive credentials for cloning operations on storage arrays and for use of Extensible Key Management (EKM) systems. Windocks supports Windows Data Protection API (DPAPI) based encryption of credentials, allowing Dockerfiles to be saved and reused securely.
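To show how the DPAPI protection referred to above behaves, here is an added illustration that is not Windocks' own code (the Windocks Dockerfile directive for encrypted credentials is not shown on this page). It assumes Windows PowerShell 5.1 on Windows, and the credential string is a constructed sample.

```powershell
# Added example: DPAPI protection of a credential string. Not Windocks' own code.
# Assumes Windows PowerShell 5.1; the ProtectedData class lives in System.Security.
Add-Type -AssemblyName System.Security

function Protect-Secret {
    param(
        [Parameter(Mandatory)][string]$PlainText,
        [ValidateSet('CurrentUser', 'LocalMachine')][string]$Scope = 'CurrentUser'
    )
    $scopeValue = [System.Security.Cryptography.DataProtectionScope]$Scope
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($PlainText)
    # No optional entropy is passed: any process running in the same scope can decrypt
    # the blob, so file ACLs on the saved Dockerfile still matter.
    $protected = [System.Security.Cryptography.ProtectedData]::Protect($bytes, $null, $scopeValue)
    return [Convert]::ToBase64String($protected)
}

function Unprotect-Secret {
    param(
        [Parameter(Mandatory)][string]$Base64,
        [ValidateSet('CurrentUser', 'LocalMachine')][string]$Scope = 'CurrentUser'
    )
    $scopeValue = [System.Security.Cryptography.DataProtectionScope]$Scope
    $protected = [Convert]::FromBase64String($Base64)
    # Throws CryptographicException under a different account (CurrentUser scope) or on a
    # different machine (either scope): the blob is bound to where it was created.
    $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect($protected, $null, $scopeValue)
    return [System.Text.Encoding]::UTF8.GetString($bytes)
}

# Constructed sample value, not a real credential.
$blob = Protect-Secret -PlainText 'storage-admin:ExamplePassw0rd'
"Encrypted form that can be saved in a configuration file: $blob"
"Recovered on the same account and host: $(Unprotect-Secret -Base64 $blob)"
```

A Dockerfile carrying a DPAPI-protected credential is therefore only reusable on the host (and, with CurrentUser scope, under the account) where it was encrypted; copying it to another Windocks host requires re-encrypting the credential there.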

User Authentication: Windocks SQL Server container sa credentials are configurable, with support for delivery of sa credentials in plain text or encrypted, or for none to be generated. All SQL Server container users are authenticated with either Windows authentication or SQL sa logins. SQL Server containers inherit the SQL logins configured on the parent SQL Server instance used for container creation, providing a built-in method for managing users and groups.

Windocks delivery of data environments to targeted SQL Server instances (either local on the Windocks host or on the network) is provided to authorized domain user accounts, which can be configured system-wide in the Windocks configuration (\Windocks\config\node.conf) or per image in the Dockerfile.

Secure network use: Windocks supports the standard Docker TLS configuration with private certificates. This encrypts the network traffic between client and host and protects credentials over the wire.

Secure use of SQL Server 2017 Linux containers

Microsoft's support for secure use of SQL Server containers is still developing, and while the Linux host can be joined to a Windows domain, the SQL Server containers do not currently support AD user authentication. Windocks allows users to generate containers with an assigned port and SQL sa credentials.

Recommendations

1) Control user access to images with user permissions in the Dockerfiles and images, and minimize system wide network sharing through the Windocks configuration.

2) We recommend containers over instances when practical for dev/test and reporting, for their security and resource utilization benefits.

3) Provide separate servers to different functional teams (Dev, Test, etc.) to further enhance security.

Conclusions

Windocks offers a unique container-oriented data delivery solution, with provisions for secure enterprise use in dev/test, reporting, and BI. For further reading on Windocks credential encryption and user authentication, refer to the articles that detail support and setup for SQL Server containers, instances, and Microsoft's SQL Server Linux containers.

Explore these capabilities today by downloading the free Windocks Community Edition.
