Apr 05, 2018
Amr Abdelrazik
D2iQ
3 min read
Traditional security mechanisms such as access control, authentication, authorization, auditing, and compliance are the foundation of any enterprise solution, especially in heavily regulated industries such as retail, financial services, and healthcare. Security regulations such as PCI DSS, Sarbanes-Oxley, or HIPAA require applications and services to be isolated by default. Authentication and authorization mechanisms should be implemented to allow only the right users or groups to access these applications and services with role-based privileges.
As organizations start to introduce modern technologies such as containers, microservices and real-time data services, configuring fundamental security mechanisms becomes very complex. Many of the modern open source based technologies either do not have the traditional security primitives or have too many configuration options that are complex to configure and error prone. Enterprises need to integrate with existing investments in AAA or duplicate the AAA mechanism across multiple authentication and authorization system resulting increased admin overhead and risk reduced security posture due to configuration drift.
Mesosphere DC/OS provides many capabilities that simplify authentication, authorization and access control for the enterprise to enable enterprises to adopt modern technologies without sacrificing security and compliance.
This short demo shows how DC/OS enforces role-based access controls to regulate developer access to applications.
Authentication, authorization and access control capabilities in DC/OS include:
User Authentication
Simplify user and group management with centralized authentication locally or by integrating with existing directory services such as Active Directory and LDAP.
Single Sign-On (SSO) implemented with SAML 2.0/OpenID Connect for simplified integration with identity providers. Standards-based implementation for SSO streamlines management and helps enforce policy for internal and 3rd party contractor and partner access. Organizations can easily integrate with existing systems from any of the public providers such as Google, Microsoft, or Github, or any private provider (requires DC/OS Enterprise) such as Okta or OneLogin.
Fine Grained Authorization and Access Control
Prevent unauthorized access to datacenter services through container and service level isolation and controls, allowing only users and groups with the right permissions and roles to access their associated workloads (requires DC/OS Enterprise).
Extensible Identity and Access Management Service
In addition to out-of-the-box identity and access management (IAM) service, DC/OS IAM APIs allows organizations to integrate with existing access control systems and devops lifecycle (requires DC/OS Enterprise).
Security Audit Trail
Track authorized and unauthorized user activity by auditing successful and unsuccessful user logins and actions for compliance (requires DC/OS Enterprise).
Access Control on Secrets Management
Applications often require credentials such as database user name, password and private key files to interoperate. Securely storing and providing those credentials at runtime is critical in a dynamic, container-based infrastructure. Like other objects in the system, secrets are governed by the overall authorization framework that regulates user and group access to secure applications and data services (requires DC/OS Enterprise).
Simplified Integration of Data Services to Existing Security Systems
DC/OS helps you easily integrate data services security controls with existing security controls (requires DC/OS Enterprise). For more information, please see DC/OS 1.11 Enhances Container and Data Services Security.
With Mesosphere DC/OS, organizations can confidently implement AAA mechanisms, maintain compliance, and integrate with existing security tools.
