How Sudden Policy Changes Put Company Secrets at Risk
Popular among developers, Docker Hub has been used for years to share applications and code libraries. In August 2020, Docker reported its service was used by more than 6.5 million developers and it had accumulated more than 15 PB (15,000 terabytes!) of container images.
Image storage costs, as well as the bandwidth to service them, made Docker Hub’s free-tier business model simply unsustainable. As a result, in November 2020, Docker Hub opted to no longer provide software developers with an unlimited free hosting service; this came with little to no warning.
“The rate limits will be progressively lowered to a final state of 100 container image requests per six hours for anonymous usage, and 200 container image requests per six hours for free Docker accounts,” the company announced.
This forced countless developers to act fast to upgrade their accounts to a Pro level. But what happens if you don’t have a budget to immediately cover this cost? Developers then will experience pull request throttling, and even notice that their lesser-used applications would be deleted starting in 2021.
This significant policy change forces DevOps teams to find fast solutions, such as alternative hosting platforms, to prevent a negative impact on productivity or application performance. Rushing to find a fast solution, technical teams could end up leaking company code and configuration files on alternative platforms, by making a private registry public to pull images from that platform instead of Docker hub. More specifically, this may create risks for organizations:
- When setting up a new application hosting platform, the access rights management are often difficult to understand and master. This makes configuration errors more likely to occur, with the possibility that private configuration files, API tokens, SSH keys, private encryption keys, and private certificates are leaked publicly on the internet.
- When DevOps teams need to move fast, they do not have the luxury of reading all the documentation and to set up tests. The sudden change at Docker Hub forced teams to react in a matter of hours, creating the risk that technical secrets would leak when setting up a new application hosting platform.
On our way to a new normal
As it was probably expected, Amazon came to the rescue, announcing it would soon offer its own public image container, as has GitHub. GitHub Container Registry was introduced in September as a public beta to improve container administration in GitHub Packages, and it is free for public images. While these companies are for now offering interesting alternatives, the growing costs of their free service will likely come under the same stress as that of Docker Hub.
This is why DevOps teams need to plan ahead and have a backup plan if their service provider suddenly changes its policy. Should this plan fail, an effective digital risk protection software can detect this type of technical leakage by monitoring public Docker repositories and popular hosting platforms to alert you in real-time if any information has leaked. The Docker technology has transformed how applications are shared and hosted, and the right tools can ensure that you get the maximum benefit of their power.