| 1 | +--- |
| 2 | +title: Secure Supply Chain for the Containers |
| 3 | +description: Understanding the Secure Supply Chain phases for the Containers. |
| 4 | +author: tejaswikolli-web |
| 5 | +ms.author: tejaswikolli |
| 6 | +ms.topic: overview |
| 7 | +ms.date: 09/2/2022 |
| 8 | +ms.custom: template-overview |
| 9 | +--- |
| 10 | + |
| 11 | +# The Secure Supply Chain Management for the Containers |
| 12 | + |
| 13 | +The Microsoft Supply Chain is a seamless, agile ecosystem to provide a secure life cycle process and an isolated environment for the containers. Learn more about [how-containers-work][how-containers-work]. |
| 14 | + |
| 15 | +## Container Secure Supply Chain phases |
| 16 | + |
| 17 | +The Containers Secure Supply Chain has many tools and services in place, as well as a visible end to end process of securing the containers at each phase and delivering the immutable container infrastructure. |
| 18 | + |
| 19 | +The Container Secure Supply Chain phases are as follows: |
| 20 | + |
| 21 | +1. Acquire |
| 22 | +1. Host |
| 23 | +1. Build |
| 24 | +1. Deploy |
| 25 | +1. Run |
| 26 | + |
| 27 | +## Acquire |
| 28 | + |
| 29 | +The early phase of the Container Secure Supply Chain is Acquire. In this phase we acquire container images from multiple trusted sources. The container images come from the Public, Private, and non-Azure Sources. For example, Docker Hub, Same or a Different Azure subscription or tenant, Microsoft Container Registry, etc. |
| 30 | + |
| 31 | +Microsoft Security objective is as follows: |
| 32 | + |
| 33 | +>* Verify the source of the container image is trustworthy. |
| 34 | +>* Verify the providence of the container image. |
| 35 | +>* Verify the validity and access controls on the container image. |
| 36 | +
|
| 37 | +Acquiring container images from multiple sources means acquiring container images with different sizes, client environments, and architectures. Microsoft Secure Supply chain has services and components in place to set controls and verify the source of each and every container image import. |
| 38 | + |
| 39 | +Once the images verify as trustworthy the gateway will allow them to the Host phase of the Secure Supply Chain to host the container images coming from trusted sources. |
| 40 | + |
| 41 | +## Host |
| 42 | + |
| 43 | +Container images may come from trusted sources but they still carry the risk of vulnerabilities and malware attached to them. The next phase of the secure supply chain hosts the trusted container images before approving them for the internal use. |
| 44 | + |
| 45 | +Microsoft Security objective is as follows: |
| 46 | + |
| 47 | +>* Verify the trusted container images is free of Malware. |
| 48 | +>* Verify the vulnerability scans of the trusted container images. |
| 49 | +>* Verify the meta-data of the trusted container images is enriching and allows the policy decisions. |
| 50 | +
|
| 51 | +Hosting the trusted container images determines the condition and evaluates the capability of the trusted container image. Once the quality assurance is complete on the base container image, the verified and trusted container images are ready for the internal use. |
| 52 | + |
| 53 | +The gateway will only build the trusted and verified container images. |
| 54 | + |
| 55 | +## Build |
| 56 | + |
| 57 | +Once the trusted and verified container image is ready for the internal use, we direct these images to the Build phase of the Secure Supply Chain. During the Build phase, we re-architect the base container image by adding dependencies, libraries, or additional framework patches creating a resulting containers. |
| 58 | + |
| 59 | +Microsoft Security objective is as follows: |
| 60 | + |
| 61 | +>* Verify the base container images are compliant to the Organizational policy and standards. |
| 62 | +>* Verify the base container images are compliant to the Application policy and standards. |
| 63 | +>* Verify the vulnerability posture of the trusted and verified base container images. |
| 64 | +
|
| 65 | +The build integrates the trusted and verified base container image with the added packages. The resulting container and its reference artifact must be complaint with both Application and Organizational security policies. |
| 66 | + |
| 67 | +The gateway will only Deploy the container and its reference artifact that are secure, and compliant with Application and Organizational policies. |
| 68 | + |
| 69 | +## Deploy |
| 70 | + |
| 71 | +The container and reference artifacts gets ready for the next phase of Secure Supply Chain, which is Deploy. The Secure Supply Chain continuously monitors the containers and its reference artifacts for reliability and performance. The goal here's to ensure every container image and its reference artifacts are compliant to the enterprise security policies. |
| 72 | + |
| 73 | +Microsoft Security objective is as follows: |
| 74 | + |
| 75 | +>* Verify the containers and the reference artifacts are secured, verified, and compliant. |
| 76 | +>* Verify the containers and the reference artifacts are active, valid, and ready to use. |
| 77 | +>* Verify the continuos monitoring and event tracking for the containers and the reference artifacts is enabled. |
| 78 | +
|
| 79 | + |
| 80 | +Each and every container and its reference artifacts are continuously monitored for avoiding any insecure and non-verified images. The Secure Supply Chain has services to ensure each container are active, usable. Only the verified and secured containers and its reference artifacts are ready for the deployment. |
| 81 | + |
| 82 | +The gateway will only Run the container and its reference artifact that are secure, active, valid, and compliant with Application and Organizational policies. |
| 83 | + |
| 84 | +## Run |
| 85 | + |
| 86 | +Once deployed the containers and reference artifacts are in the last phase of Secure Supply Chain, which is Run. During the phase, the containers and reference artifacts are continuously monitored through logs. The goal here's to remove any containers that are invalid and not compliant with the security policies. |
| 87 | + |
| 88 | +Microsoft Security objective is as follows: |
| 89 | + |
| 90 | +>* Verify and remove the insecure containers and the reference artifacts. |
| 91 | +>* Verify the continuos scanning for vulnerability and validity is enabled. |
| 92 | +>* Verify the security policy controls on the containers and the reference artifacts. |
| 93 | +>* Verify the logs for the containers and the reference artifacts. |
| 94 | +>* Verify the access controls while distributing. |
| 95 | +
|
| 96 | +These immutable containers and its reference artifacts are continuously monitored to ensure they're free from vulnerability, malware and actively usable. The supply chain further ensures to place controls on who can access these containers and its reference artifacts. |
| 97 | + |
| 98 | +The gateway will only allow distributing the container and its reference artifact with a valid access. |
| 99 | + |
| 100 | +<!-- LINKS - Internal --> |
| 101 | +[how-containers-work]: https://learn.microsoft.com/virtualization/windowscontainers/about/#how-containers-work |
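Review bot: "Verify the providence of the container image." in the Acquire objectives should read "provenance"; provenance (the verifiable origin and build history of an image) is the property this phase is checking, and "providence" is a different word. The same pass should fix "continuos" (Deploy and Run objectives) to "continuous", "must be complaint with both Application and Organizational security policies" in Build to "must be compliant with", "Verify the trusted container images is free of Malware." to "are free of malware", and "creating a resulting containers" to "creating the resulting container". "The goal here's to" (Deploy and Run) reads better as "The goal here is to". Also worth confirming that ms.date "09/2/2022" was meant to be zero-padded as "09/02/2022".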