SQL Server Containers and Security
More and more enterprises are relying on SQL Server containers and Windocks for security purposes.
Windocks publicly launched over two years ago as an independent port of Docker’s open source project to Windows. Since that time, Windocks has evolved into an enterprise data delivery platform, supporting storage arrays or Windows-based database clones with delivery to Docker SQL Server containers, SQL Server instances, and Kubernetes. This article introduces the Windocks security model that is relied on by financial service providers and other enterprises.
Windocks runs on Windows Server 2012 R2 or 2016 and Windows 8.1 and 10 Pro and Enterprise editions. It supports containers for all editions of SQL Server 2008 onward and for data delivery to Microsoft container hosts, instances, and Kubernetes over the LAN.
The Windocks system architecture includes:
Management Server provides a web UI for users to access data images and data delivery.
Data delivery engine processes Docker commands, Dockerfiles, and interactions with the management server. The engine also manages the creation of VHD and storage array clones, as well as the delivery to SQL Server targets defined in Dockerfiles and images.
Data store includes Virtual Hard Drives and storage array clones.
Image store includes the Windocks base and custom images. Base images are available following installation, and they include .NET 3.5 with IIS, SQL Server, and a Windows image used with open source projects. SQL Server base images use designated local SQL Server instances that are cloned to deliver containers. Custom SQL Server images combine VHD or storage array clones with the runtime parameters needed for target environments.
Shared data environments are network file shares created for delivery to SQL Server targets on the LAN, including Microsoft container servers, SQL Server instances, and Kubernetes clusters.
Data environments are the list of local SQL Server containers and of environments delivered to local and network instances and container hosts.
Local SQL Server instances are included for completeness, as local instances are valid targets for data delivery.
Windocks Container Architecture
Windocks supports standard Docker commands and client software, with Dockerfile extensions for database cloning and data delivery. Windocks containers run on a shared operating system rather than a shared kernel, which delivers a number of benefits:
Active Directory and enterprise infrastructure: Windocks is an easy addition to existing servers and infrastructure. It uses Active Directory and supports Windows authentication, which in turn supports host-based applications (VSS and the SQL writer) and the use of network resources.
Maintainability: Windows can be updated without requiring images and containers to be rebuilt. Likewise, SQL Server updates applied to the parent instance are inherited by new containers.
Scalability: Windocks containers are lightweight, and offer 50 to 100 percent less overhead per container, as the container does not include any operating system footprint.
Economy: Windocks containers are delivered as named instances, created by cloning a host-installed SQL Server instance. As a result, Windocks SQL Server containers require no additional licensing and are free under existing Microsoft SQL Server licenses as cloned named instances.
Windocks is a unique implementation of Docker’s source that combines the benefits of Docker with Windows and SQL Server security.
Images are based on redistributable software to support .NET with IIS and local SQL Server instances that are cloned for SQL Server containers. This approach avoids security concerns associated with shared image repositories, as each server hosts a complete set of images. Images are fully portable and run without change on any Windocks host, using any on-premise infrastructure or public cloud.
SQL Server containers are created by cloning local SQL Server instances and inherit the parent instance's SQL logins, encryption keys and certificates, and other attributes. SQL Server scripting enables integration with third-party encryption key managers, storage arrays, and other infrastructure. Windocks provides configurable support for SQL Server container sa credentials, including options for the sa login to be created in plain text, encrypted, or not at all.
Windows authentication and Active Directory support are maintained because SQL Server containers are simply named instances created and managed by the Windocks engine. Each container includes a container-specific user account, supporting local or network resources, and Active Directory and Windows authentication. Each container is a SQL Server named instance, installed with Windows Registry keys, with an added user and process isolation. This approach offers simplicity and fine-grained control over data operations and supports all editions of SQL Server 2008 onward.
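Because a cloned named instance carries over the parent's logins, role memberships, certificates and keys, a defender will want to audit what each new container actually inherited. The T-SQL below is an added example, not code from the article or from Windocks; it assumes you connect to the container's named instance (whatever name the Windocks engine assigned) with a sysadmin login, for instance via sqlcmd.

```sql
-- Added audit script (hypothetical, not part of Windocks): run it once against
-- each freshly cloned named instance and review every row marked REVIEW.

-- 1. SQL logins inherited from the parent instance. The builtin sa login always
--    has SID 0x01, so it can be flagged regardless of whether it was renamed.
SELECT  l.name,
        CASE WHEN l.sid = 0x01 THEN 'sa (builtin)' ELSE 'sql login' END AS kind,
        l.is_disabled,
        l.is_policy_checked,
        l.is_expiration_checked,
        CASE WHEN l.sid = 0x01 AND l.is_disabled = 0 THEN 'REVIEW: sa enabled in clone'
             WHEN l.is_policy_checked = 0           THEN 'REVIEW: no password policy'
             ELSE 'ok' END AS finding
FROM sys.sql_logins AS l
ORDER BY l.name;

-- 2. Server-level principals holding sysadmin, carried over from the parent.
--    Windows logins here usually belong to admins of the parent host, not of
--    the container, so each one should be justified.
SELECT  m.name AS member,
        m.type_desc,
        m.is_disabled,
        CASE WHEN m.type_desc = 'SQL_LOGIN' THEN 'REVIEW: SQL login is sysadmin'
             ELSE 'review membership' END AS finding
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY m.name;

-- 3. Certificates and symmetric keys in master that every clone inherits
--    (service master key and database master key appear as ##-prefixed names).
SELECT  'certificate' AS object_type,
        name,
        pvt_key_encryption_type_desc AS detail,
        expiry_date
FROM master.sys.certificates
UNION ALL
SELECT  'symmetric key',
        name,
        algorithm_desc,
        NULL
FROM master.sys.symmetric_keys
ORDER BY object_type, name;
```

Run the same three queries against the parent instance and diff the output to confirm that a container exposes nothing beyond what its image was meant to deliver.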
Use existing infrastructure and licenses: custom SQL Server images deliver data environments based on storage array clones or virtual hard drives. They are created with Dockerfiles that define both the data source and the target environments, adding control over where data is accessed. Dockerfiles include user and group permissions, with encrypted credentials for work with storage arrays. Encrypted passwords can be used for all credentials referenced in Dockerfiles.
Secure data images: Docker images that are immutable and auditable enhance data governance and security by curtailing ad-hoc copying and restoring of backups.
Reduced attack surface is achieved through isolated containers running on a shared server. Organizations average 15 containers per server, with lower license costs and reduced VM maintenance.
Secure delivery to Microsoft SQL Server containers and instances is another aspect of how Windocks is valuable. As more organizations explore the use of Docker SQL Server containers, Windocks provides proven secure data delivery for all Microsoft SQL Server targets, including SQL Server 2017 on Linux containers.
Modern, Open SQL Server Data Delivery
Windocks is a unique solution that supports the secure delivery of Windows hosted SQL Server containers, creation and management of database clones, and delivery of data environments to all SQL Server targets. Windocks provides these capabilities with secure services relied on by financial service providers and other enterprises globally.
Published at DZone with permission of Ramesh Parameswaran, DZone MVB.