The National Institute of Standards and Technology, or NIST, recently issued the draft special publication, "Application...
Container Security Guide." What can DevOps engineers learn from the guide, and what should they know about mitigating the major risks of application containers?
DevOps engineers can learn about securing application containers using a container lifecycle guide from NIST that focuses on major container risks and countermeasures.
An application container lifecycle consists of three phases: creation and accreditation, core components, and deployment and management.
Registries and the orchestrator are the core components of container technologies. The orchestrator distributes the images from registries to the hosts for deployment. It also directs a host when to run and stop the application containers.
There are some risks to the core components, as well as some countermeasures for these risks. For instance, registries performing over insecure channels can cause service disruptions. One mitigation approach is to encrypt the connections to registries.
All unsafe, vulnerable, stale container images must be removed from the registries. New images must be tested for embedded malware. All images from external sources must be tested to see if they are trustworthy.
Another risk to application containers is that mixing container sensitivity levels can expose sensitive data to the public. For example, an orchestrator may place a container running a public-facing web server on the same host as one processing sensitive financial data. Container deployments should be isolated by sensitivity level.
A container runtime behaving maliciously in network traffic is another threat that may expose other container resources in the environment to further risk. One countermeasure is to root out unexpected traffic flows to dangerous destinations.
Not to be overlooked, the container-specific operating systems are not optimized to support multiple users. A user could log on directly to hosts and manage containers rather than going through an orchestration layer. A tool should be used to identify legitimate users logging on to a host directly, and it should assign proper access rights to these users.
While these are only a few risks and fixes, the NIST guide should help DevOps and security administrators meet the challenges with application container security head on.
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)
Learn how DevOps application lifecycle management protects digital keys
Find out everything you need to know to buy the best application lifecycle management tools
Check out NIST's guidance on lightweight cryptography
Dig Deeper on Virtualization security issues and threats
Related Q&A from Judith Myerson
An exploit code for Dirty COW was accidentally shipped by Cisco with product software. Learn how this code ended up in a software release and what ... Continue Reading
Cisco's Webex Meetings platform had to be re-patched after researchers found the first one was failing. Discover what went wrong with the first patch... Continue Reading
The TP-Link EAP Controller for Linux was recently found to be vulnerable to attacks. Learn from Judith Myerson what this means for users and how it ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.