Docker breach flash update: secrets management best practices & resources for containers

Last Thursday, many developers received an e-mail from Docker, the company behind the widely used container platform, disclosing unauthorized access to a Docker Hub database that exposed data for roughly 190,000 accounts.

There’s never a good time for a data breach, but for Docker, this hack falls squarely in the lead-up to DockerCon, the company’s annual conference that kicks off today at the Moscone Center in San Francisco. As a result, data security is certain to be on the minds of attendees.

Hacks of this nature can affect even the most sophisticated organizations, and they are a vivid reminder that as developers handle more keys and secrets than ever before, especially in multi-cloud environments, a reliable system to manage and defend those assets is essential.

The CryptoMove Tholos key vault is designed to protect data at rest and to limit the exposure of secrets and authentication keys when a third-party service is compromised. Last week’s hack illustrates why a vault like Tholos matters in the Docker ecosystem: it keeps the secrets a container needs out of the repositories and build systems that get breached.

Docker Hub Hack: What Happened?

Though exact details are still sparse, Docker notified affected users — roughly 5% of its user base — that an attacker had gained unauthorized access to a single database behind its cloud-based Docker Hub registry. Exposed data included “usernames and hashed passwords for a small percentage of these users, as well as GitHub and Bitbucket tokens for Docker autobuilds.”

The full impact of the breach is still unknown, but the exposed autobuild tokens are the worrying part. A token that grants access to a linked GitHub or Bitbucket repository could let an attacker inject malicious code that Docker Hub would then autobuild into images, and could expose private repositories and any other resources the token reaches.

https://twitter.com/kennwhite/status/1122117406372057090

What Protective Steps Should You Take?

For immediate damage control, affected users should change their Docker Hub password (and change it anywhere else it was reused), check linked private repositories for commits or access they did not make, and unlink and then relink their GitHub and Bitbucket source providers so autobuilds run with fresh tokens. These steps are most important for users whose autobuilds may have been affected.
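Part of “checking for deeper breaches” is finding out whether anything was pushed to your image repositories while the tokens were exposed, and whether the tags on Docker Hub still carry the digests your own CI produced. The script below is an added example written for this post, not Docker’s tooling or anything from the original article. The tag listing it reads is constructed to resemble the JSON returned by Docker Hub’s public v2 repository API (https://hub.docker.com/v2/repositories/<namespace>/<repo>/tags); the field names are assumed from that API and should be checked against a live response, and the incident window dates are placeholders.

```python
"""Audit an image's tags for pushes during an incident window and for digest
drift from your own last known-good pushes.  Added example, not Docker's
tooling or anything from the original post."""
import json
from datetime import datetime, timezone

# Constructed sample, shaped like a Docker Hub v2 tag listing
# (https://hub.docker.com/v2/repositories/<namespace>/<repo>/tags); the field
# names are assumed from that API and should be checked against a live response.
SAMPLE_TAGS_JSON = """{
  "count": 3,
  "results": [
    {"name": "1.1.0", "last_updated": "2019-04-10T08:00:00.000000Z",
     "images": [{"architecture": "amd64", "digest": "sha256:1111"}]},
    {"name": "1.2.0", "last_updated": "2019-04-20T09:12:44.123456Z",
     "images": [{"architecture": "amd64", "digest": "sha256:2222"}]},
    {"name": "latest", "last_updated": "2019-04-25T18:30:00Z",
     "images": [{"architecture": "amd64", "digest": "sha256:9999"}]}
  ]
}"""

# Digests recorded by your own CI after each known-good push (constructed).
KNOWN_GOOD_DIGESTS = {"1.1.0": "sha256:1111", "1.2.0": "sha256:2222", "latest": "sha256:2222"}


def parse_hub_timestamp(ts):
    """Parse the UTC timestamps Hub returns, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unrecognised timestamp: %r" % ts)


def tags_pushed_between(tags_json, start, end):
    """Names of tags whose last_updated falls inside [start, end)."""
    lo, hi = parse_hub_timestamp(start), parse_hub_timestamp(end)
    return [t["name"] for t in json.loads(tags_json)["results"]
            if lo <= parse_hub_timestamp(t["last_updated"]) < hi]


def current_digest(tag, arch="amd64"):
    """Digest of the image built for `arch`, falling back to the first image listed."""
    images = tag.get("images") or []
    for img in images:
        if img.get("architecture") == arch:
            return img.get("digest")
    return images[0].get("digest") if images else None


def digest_drift(tags_json, known_good):
    """tag -> (expected, actual) for tags whose digest changed or that you never pushed."""
    drift = {}
    for tag in json.loads(tags_json)["results"]:
        expected = known_good.get(tag["name"])  # None for a tag you have no record of
        actual = current_digest(tag)
        if expected != actual:
            drift[tag["name"]] = (expected, actual)
    return drift


if __name__ == "__main__":
    # Placeholder window: replace with the dates Docker gives for the incident.
    window = ("2019-04-24T00:00:00Z", "2019-04-26T00:00:00Z")
    print("tags pushed in window:", tags_pushed_between(SAMPLE_TAGS_JSON, *window))
    for name, (exp, act) in digest_drift(SAMPLE_TAGS_JSON, KNOWN_GOOD_DIGESTS).items():
        print("%s: expected %s, Hub has %s" % (name, exp, act))
```

The digest comparison is the stronger of the two checks: an attacker who re-tags or rebuilds an image changes its digest even if the tag name and timestamp look unremarkable, so recording digests from your own pipeline on every push gives you something to compare against after an incident.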

Twistlock’s CTO walks through the company’s recommendations and analysis in a helpful post on its blog.

Docker pledged to review its security protocols, but developers can use this as an opportunity to take a proactive approach to managing keys and secrets. After all, this isn’t the first high-profile leak, and code repositories are plagued by accidental leaks of credentials as well.

CryptoMove’s Tholos key vault offers an active defense against both malicious and inadvertent leaks. It allows developers to use throwaway tokens in repos while guarding the actual authentication keys inside the vault. CryptoMove’s patented technology keeps all the data inside the vault fragmented and morphing to thwart attackers.

For the long term, it helps to know where secrets actually live in your environment: in source, in build configuration and in container images. Just last week, Nick Shook led a helpful webinar walking through open-source tools for scanning repositories and finding secrets.
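To make the scanning idea concrete, here is a minimal secret scanner that combines regexes for well-known token formats with a Shannon-entropy filter for generic `secret=`/`token=` assignments, so that placeholders like `YOUR_SECRET_KEY_HERE` are not reported while a real-looking random token in a Dockerfile `ENV` line is. This is an added example written for this post, not one of the tools covered in the webinar. The sample repository contents are constructed; the AWS key ID in them is AWS’s own documented example value, and the pattern list and entropy threshold are starting points to tune for your environment.

```python
"""Minimal secret scanner: regexes for known token formats plus an entropy
filter for generic "secret = value" assignments.  Added example, not a tool
from the original post or from the webinar it mentions."""
import math
import re

# Known token formats (constructed list; add your own providers' formats).
KNOWN_FORMATS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
}

# Generic "keyword = value" assignment; the value must then pass the entropy check.
ASSIGNMENT = re.compile(
    r"(?i)(?:secret|token|password|passwd|api[_-]?key)[A-Za-z0-9_]*\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9/+_\-]{16,})"
)
MIN_ENTROPY = 3.5  # bits per character; human-written placeholders sit well below this


def shannon_entropy(s):
    """Bits per character of s; a random 32-char alphanumeric string scores about 5."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value):
    """Keep enough of the value to locate it in the file, never the whole secret."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(text, source="<input>"):
    """Return findings as (source, line_no, kind, redacted_value) tuples."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in KNOWN_FORMATS.items():
            for m in pattern.finditer(line):
                findings.append((source, line_no, kind, redact(m.group(0))))
        for m in ASSIGNMENT.finditer(line):
            value = m.group(1)
            if shannon_entropy(value) >= MIN_ENTROPY:
                findings.append((source, line_no, "high_entropy_assignment", redact(value)))
    return findings


def scan_files(files):
    """files: mapping of path -> contents, so the example runs without disk access."""
    findings = []
    for path, contents in files.items():
        findings.extend(scan_text(contents, path))
    return findings


# Constructed sample repository.  AKIAIOSFODNN7EXAMPLE is AWS's documented
# example key ID; the GITHUB_TOKEN value is a made-up random-looking string.
SAMPLE_REPO = {
    "Dockerfile": (
        "FROM python:3.7-slim\n"
        "ENV GITHUB_TOKEN=g7Qx2pLm9vKe4sTb1nRc8wHy5jZd0aFu\n"
        "RUN pip install -r requirements.txt\n"
    ),
    "config/settings.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=YOUR_SECRET_KEY_HERE\n"
        "DB_PASSWORD=changeme\n"
    ),
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n",
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_REPO):
        print("%s:%d  %s  %s" % finding)
```

Run against the sample repository, the scanner reports the token baked into the Dockerfile, the AWS key ID and the private key, and stays quiet on `YOUR_SECRET_KEY_HERE` (low entropy) and `changeme` (too short to be a credential worth flagging). Wire the same `scan_text` into a pre-commit hook and a CI step over your build context, and the Dockerfile case in particular is worth remembering: an `ENV` line in an image is baked into every layer that is pushed to a registry.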

What’s On Tap at DockerCon?

In light of this hack, security is certain to be an important theme at DockerCon, and we’re excited to be part of the conversation. CryptoMove is a sponsor of the conference, and we’ll be at our booth Monday at 6pm and all day Tuesday and Wednesday. Stop by to meet our team and see a demo of how the Tholos key vault can keep you ahead of the curve and protected against future hacks.
