Questions about DockerHub security practices

We’re working through some vendor assessments for compliance purposes. Do you have a public page where we could view information about the security practices at Docker? The product in question is Docker Hub, large, community edition.

Questions:

  • Do you have any certifications such as SOC2, ISO 27001, etc?
  • Do you have an internal security risk mitigation program?
  • Do you have an internal information security program/privacy policy/etc.?
  • Does Docker Hub encrypt data in-flight?
  • Does Docker Hub encrypt data at-rest?
  • Does Docker perform backups for Docker Hub on a periodic basis?
  • Is there any periodic backup restore testing?

I understand that these aren’t questions for the community at large to necessarily answer, but I’m hoping that a representative from the company can chime in.

Thanks!

Docker has many of the things you ask about; the problem is that you have to send them an email to receive some of the documents, for example the SOC2 report.

Docker has a public security and privacy page that covers much of what you asked, and it also points to compliance and availability resources for Docker Hub and other products.

What Docker states publicly

Docker says it has:

  • A documented Information Security Policy and an ISMS made up of multiple sub-policies.
  • A cross-functional security team covering Information Security, Security Engineering, IT, Data, Operations, and GRC.
  • A Vulnerability Management Policy, 24/7 monitoring for critical/high-risk events, and annual third-party penetration testing for products including Docker Hub.
  • A formal SSDLC policy, with security and compliance reviews required for new products and features.
  • A privacy program with policies and procedures for personal data protection, plus DPA and Whistic access for customers/prospects.

Certifications

Docker publicly states it received SOC 2 Type 2 attestation and ISO 27001 certification with no exceptions or major non-conformities. The security page also says Docker’s compliance documentation covers certifications such as SOC 2 and ISO 27001, and Whistic contains supporting security/compliance documentation.

Encryption

Docker’s security FAQ says all data is encrypted in transit and at rest, using TLS 1.2 or greater and AES-256. The privacy page also says Docker maintains technical and organizational measures to protect customer data.

Backups and restore testing

Docker’s public security page links to an Availability area for BC/DR, backup processes, and uptime information, but the pages I found do not explicitly answer whether Docker Hub backups are performed on a periodic basis or whether restore testing is done. I would treat those two items as not publicly confirmed from the sources I found, and request direct vendor confirmation for your assessment.

Compliance questionnaire draft

For a vendor questionnaire, a safe, source-based phrasing would be:

  • Certifications: Yes, Docker publicly states SOC 2 Type 2 attestation and ISO 27001 certification.
  • Internal security risk mitigation program: Yes, Docker describes a formal security organization, vulnerability management policy, risk-based control testing, vendor risk reviews, and 24/7 monitoring.
  • Internal information security/privacy program: Yes, Docker publicly states it has a documented Information Security Policy and a privacy program with documented policies and procedures.
  • Encryption in transit: Yes, Docker states all data is encrypted in transit.
  • Encryption at rest: Yes, Docker states all data is encrypted at rest.
  • Periodic backups: Not confirmed in the public sources reviewed.
  • Backup restore testing: Not confirmed in the public sources reviewed.

Public pages to use

The most relevant public pages are: