Whenever agencies like the National Institute of Standards and Technology, or NIST, publish new recommendations and guidelines, it's worth taking note. In a world where software comes in novel forms and fulfills diverse applications, relying on these industry standards can provide computer systems users and government contractors with effective game plans for making the most of their tools.
NIST's September 2017 Special Publication 800-190, or Application Container Security Guide, is no less worthy of attention than other special publications. Here's what it entails.
What Is an Application Container?
Containerization is a virtualization practice that takes place at an operating-system level. Many operating systems let users run virtual machines, partitions or other instances, known as containers, which include both a target application and the OS needed to run it.
To a user examining a container from the outside, it's like looking at one OS running inside of another. To a program that runs inside of the container, the internal virtualized operating system acts like a completely independent computer.
Why Use Containers?
Containerization strategies provide their users with many advantages. For instance, a software developer might use containers to package applications and distribute them in stable forms that have a higher likelihood of running as expected. Containerization is an effective means of running software in sandboxed environments that limit its access to system resources.
Containers also facilitate software testing on different platforms and OSes without requiring individual machines for each target environment. Since entire virtualized operating systems can be distributed as files, commonly known as images, they're highly portable and shareable.
Potential Container Concerns: Understanding the Security Implications
Containerization isn't perfect. Here are some of the risks that you might face at various stages of the process.
An image containing an OS and application is a snapshot in time. A user who runs it later may be exposing themselves to vulnerabilities that weren't known at the time of the image's creation. Images produced from badly configured OSes pose similar hazards, and those obtained from untrusted sources may house malware or spyware.
Registries that store and distribute images, such as commercial and self-hosted download services, must be managed with care. If they contain old images, they may expose users to significant risks. As with other remote transactions, downloads from registries are also in danger of attacks like man-in-the-middle hacks, and some may disclose sensitive organizational data to bad actors.
Dangers for Orchestrators
Orchestrators, or the administrators who run containerized applications on their servers, may allow their app users to compromise other containers by forgetting to limit individual containers' access rights. They might also become overly reliant on authentication directory tools that place servers at risk by managing old accounts improperly.
Many containers depend on virtualized overlay networks that tend to obfuscate their traffic via encryption, which could make it harder for external security tools to oversee what's going on. Ill-advised configurations might also place orchestrators at risk of unauthorized hosts gaining access to containers. This becomes even more dangerous when containers that are publicly accessible run on the same hosts as those containing sensitive private data.
Container and Host Hazards
Some containers expose servers to vulnerabilities contained in their software. Since most runtimes permit container-to-container access, malicious actors or rogue containers can use one virtualized environment to corrupt another.
The host OSes that run containers also need to be secure. Their many potential vulnerabilities might place multiple containers at risk via
- Vulnerable system components,
- File system tampering,
- Poorly managed user access rights, or
- Shared OS kernels.
Smart Strategies for Safe Application Container Usage
NIST recommends a variety of practices to help combat the vulnerabilities associated with containers, such as
- Enforcing compliance with secure image configuration and lifecycle management practices,
- Maintenance of trusted image standards and credentials,
- Rigorous oversight of registry connections, contents, and accounts,
- Stringent orchestrator access control, inter-container communication, workload sensitivity management and node trust practices,
- Container runtime vulnerability monitoring, network access limitation, app vulnerability monitoring and management, and runtime access controls,
- Environmental segregation of activities like development, testing, and production, and
- Hardware-based host cybersecurity measures, OS access controls, limited per-container file system permissions and containerized workload isolation.
Complying With Special Publication 800-190
Containerization has many unique enterprise advantages, but you must be on your guard against the dangers. Such vigilance demands extensive oversight, however. Does your organization have the time, resources and operational expertise to institute better practices?
Working with a data specialist may be the easiest way to get compliant as efficiently as possible.