Over the past few years and months, tools such as Docker and Kubernetes enable IT teams to be more agile and nimble, develop applications faster, implement DevOps principles and allow your applications to scale. Individual contributor developers may have convinced you to allow them to download and use Docker CE edition as the base platform to install your next greenfield applications.
These applications typically start off as small scale experiments and proof-of-concepts running on Open Source components in development environments. You may have decided to go with this approach so as to foster and encourage innovation. Well, you are not alone.
Many IT decision makers using Docker in a development environment have found resounding success in their capacity to bring applications to market, aligning with the most recent Forrester New Wave report on Enterprise Containers.
Here’s the downside: organizations that are using Docker CE are now trying to figure out how to scale their Docker environment to meet the security and compliance requirements for enterprise production.
Here are a few items of concern that should be addressed:
Will a production instance of this scale?
How do I adhere to regulatory compliance for access controls?
How can I have security assurance, that we are not installing random bits of code from untrusted public repositories?
Can we demonstrate to internal and external auditors that our code is secure and compliant?
Challenges your organization is facing
If your organization has been successful with Docker, you will have to decide how to comply quickly with the production requirements around support, monitoring, backups, and SLAs while keeping that agility and freedom of choice that your IT teams currently have and love with Docker.
While Docker CE is a great product for the needs of small teams and “one-person projects”, you need to have the assurance that your organization has a reliable and dependable IT solution. A rockstar developer might have done a great job setting up Docker to run a marketing campaign site, but there are 2 key considerations:
Is that solution stable, scalable and secure enough to run more apps and services?
What happens if that developer moves on?
It comes down to establishing priorities. The three most important priorities are:
In this article we’ll look at 3 reasons why Docker EE is a natural upgrade path from CE.
Reason #1 — Freedom of Choice
Docker EE enables you to retain the freedom of choice you currently have with Docker CE. With Kubernetes or Swarm, you can choose to deploy legacy or cloud-native applications, with one of several Linux distributions or Windows Servers, running on-premises or across multiple clouds.
In an interview with CIO.com, Michael Crandell, CEO of RightScale Inc., a cloud infrastructure provider said, “You’ve made a choice to be involved in a certain ecosystem. There are APIs and platforms in the cloud world that create a walled garden. You get the benefits of that garden, but you’re also restricted.”
This is why IT leaders in 8 of 10 organizations are concerned about vendor lock in.
Your teams will also then be able to develop their applications on the platform of their choice: Windows, Mac or Linux. This enables your teams to continue developing with the tools they know best on Docker EE, using all of the IP your teams have already developed.
Reason #2 — Integrated Security
One of the biggest concerns about Docker CE and Docker content in general is the origin of the source code. There is a perception among IT decision makers that Docker represents the Wild West and that development teams are pulling software from overseas public repositories of questionable repute. While it is possible to do this and more than likely, your developers are still using best source code practice with Docker CE, you still need to be assured that your system is protected.
One of the main features of Docker Enterprise is its capacity to create a complete secure supply chain for the entire lifecycle of an application. Docker Content Trust provides image scanning with policy-based image promotions that enable organizations to build governance over the container environment without impeding the speed of development.
The Docker Trusted Registry (DTR) allows organizations to host application images in a secure way. DTR uses digital signatures to sign and verify provenance of images. The automation and security scanning features built into DTR allow your security and compliance teams to define automated CI/CD pipelines to prevent unsafe (or corrupted) images from running in production environments. All of this can be done without interfering with developers’ daily activities. In short, if the content is not approved, it won’t run and you will be notified.
As an added security benefit, the latest release of Docker EE adds Single Sign-On and FIPS 140–2 compliance which is great if your organization follows HIPAA, FISMA and HITECH standards.
Reason #3 — Agile Operations
Your developer teams are more than likely managing authorization and access control to your current Docker CE implementation via the command line. Again, the basic Docker CE IAM controls assume one or a few developers are managing a project. This approach may be too loose and does not comply with any of your ITSM and ITIL best practices around Day 2 operations.
Here are a few considerations:
Who has control over what?
How do I know everyone who has access has the right level of access?
Did we shut down access when a staff member quits?
Other decision makers may have the same concerns and there is some truth to these concerns when Docker CE outgrows an individual contributor’s desktop.
Docker EE includes a complete toolkit with Universal Control Plane (UCP) to help streamline Day 2 operations. UCP provides all of the features IT decision makers need to make sure they are satisfying all the requirements around IAM in a simple and intuitive UI. UCP provides the features you would want in a Day 2 management application: dashboards, IAM visibility, easy backup procedures, integrated monitoring, and visibility to known vulnerabilities at runtime.
Historically, the path from Docker CE to EE has required developers to start from scratch and reinstall everything. In the latest releases of Docker, this is no longer the case. Developers can upgrade a CE installation to EE. This saves time and does not require a long drawn out process to procure new infrastructure. Once upgraded, the new Docker EE environment has all of the enterprise-ready tools installed: they just need to be configured. As a follow up, read our 3 part series on how to upgrade Docker EE and implement the features described in this blog.
We’re Here to Help
Here at Stone Door Group, we love Docker because we get to see firsthand every week how containers transform organizations. We have been fortunate enough to implement hundreds of Docker instances for our clients over the years. Chat with us about our experience, use cases and best-in-class practices we’ve established. Drop us your information and you can speak directly with our consultants who have deep Docker expertise.
No sales presentations or gimmicks, just a 30-minute shop talk with highly-knowledgeable experts who have been down this road.
About the Author
Frank Louwers is a Hybrid Cloud Architect at the Stone Door Group, a Cloud and DevOps consulting company and team lead for their Docker Accelerator℠ solutions. Accelerator solutions take all the guesswork out of the DevOps journey with simple to understand and easy to quantify results. To learn more, drop us an email at firstname.lastname@example.org.