US National Institute of Standards and Technology releases draft Application Container Security Guide
July 15, 2017
The National Institute of Standards and Technology (“NIST”) has released a draft of its Application Container Security Guide. While NIST is an American agency, its guides have universal use, as they are essentially technical and cover systems that are ubiquitous. They are also useful because there is no real equivalent in Australia; while the Privacy Commissioner puts out guides, they are both general in scope and drafted so vaguely as to be of little practical use in implementing standards.
The Guide runs to 62 very technical pages, but it is worth reading if your interest in data security rises above the very general. The general recommendations of the Guide are:
- Tailor the organization’s processes to support the new way of developing, running, and supporting applications made possible by containers.
- Use container-specific host OSs instead of general-purpose ones to reduce attack surfaces.
- Only run containers with the same purpose, sensitivity, and threat posture on a single host OS kernel for additional defense in depth.
- Adopt container-specific vulnerability management tools and processes for images to prevent compromises.
- Consider using hardware-based countermeasures to provide a basis for trusted computing.