The National Institute of Standards and Technology, or NIST, recently issued the draft special publication, "Application Container Security Guide." What can DevOps engineers learn from the guide, and what should they know about mitigating the major risks of application containers?
DevOps engineers can learn about securing application containers using a container lifecycle guide from NIST that focuses on major container risks and countermeasures.
An application container lifecycle consists of three phases: creation and accreditation, core components, and deployment and management.
Registries and the orchestrator are the core components of container technologies. The orchestrator distributes the images from registries to the hosts for deployment. It also directs a host when to run and stop the application containers.
The core components carry their own risks, and the guide pairs each with countermeasures. For instance, registries accessed over insecure channels can lead to service disruptions. One mitigation is to encrypt the connections to registries.
All unsafe, vulnerable, stale container images must be removed from the registries. New images must be tested for embedded malware. All images from external sources must be tested to see if they are trustworthy.
Another risk to application containers is that mixing container sensitivity levels can expose sensitive data to the public. For example, an orchestrator may place a container running a public-facing web server on the same host as one processing sensitive financial data. Container deployments should be isolated by sensitivity level.
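The three registry and placement countermeasures above (encrypted registry connections, images only from trusted sources, no mixing of sensitivity levels on one host) can be checked mechanically against an inventory of what the orchestrator has placed where. The following is an added example, not code from NIST or from the guide; the inventory format, the registry URLs and the hostnames are constructed for illustration.

```python
"""Policy checks on a constructed container inventory, modelled on the
registry and sensitivity-mixing countermeasures in the NIST draft."""
from urllib.parse import urlparse

# Constructed inventory (assumption): each host lists the containers the
# orchestrator placed there and the registry URL each image was pulled from.
INVENTORY = {
    "host-a": [
        {"name": "web-frontend", "sensitivity": "public",
         "image": "https://registry.example.internal/web:1.4"},
        {"name": "ledger-svc", "sensitivity": "financial",
         "image": "https://registry.example.internal/ledger:2.0"},
    ],
    "host-b": [
        {"name": "batch-job", "sensitivity": "internal",
         "image": "http://mirror.example.net/batch:0.9"},
        {"name": "cache", "sensitivity": "internal",
         "image": "https://hub.unknown-vendor.test/redis:7"},
    ],
}
TRUSTED_REGISTRIES = {"registry.example.internal"}  # constructed allowlist


def check_inventory(inventory, trusted=TRUSTED_REGISTRIES):
    """Return a list of (host, finding) tuples, one per policy violation."""
    findings = []
    for host, containers in inventory.items():
        # Sensitivity mixing: the orchestrator co-located different levels.
        levels = {c["sensitivity"] for c in containers}
        if len(levels) > 1:
            findings.append((host, f"mixed sensitivity levels: {sorted(levels)}"))
        for c in containers:
            url = urlparse(c["image"])
            # Registry reached over an unencrypted channel.
            if url.scheme != "https":
                findings.append((host, f"{c['name']}: insecure registry scheme {url.scheme!r}"))
            # Image pulled from a registry outside the trusted set.
            if url.hostname not in trusted:
                findings.append((host, f"{c['name']}: untrusted registry {url.hostname}"))
    return findings


if __name__ == "__main__":
    for host, finding in check_inventory(INVENTORY):
        print(f"{host}: {finding}")
```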
A container runtime that generates malicious network traffic is another threat, one that may expose other container resources in the environment to further risk. One countermeasure is to monitor for, and root out, unexpected traffic flows to dangerous destinations.
Not to be overlooked, container-specific operating systems are not optimized to support multiple users. A user could log on directly to a host and manage containers there rather than going through the orchestration layer. A tool should be used to identify legitimate users logging on to a host directly, and it should assign those users the proper access rights.
While these are only a few risks and fixes, the NIST guide should help DevOps and security administrators meet the challenges with application container security head on.
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)