One of the cool things about working in this dynamic space of containers and cloud native apps is the ability to really shape the future. I’ve always thought that you make that impact in three main ways: the product you build, how it helps customers achieve their goals, and what you contribute to the community. We’ve been proud to contribute many security capabilities to Docker and OpenShift in open source, and we have more on the way. Beyond the code, though, we’ve also been actively contributing to the body of knowledge around best practices for container security. The NIST SP Container Security Guide draft is the latest example of how Twistlock contributes to shaping best practices for organizations using containers.
We had the honor of helping lead the development of the new NIST Special Publication, SP 800-190, the Container Security Guide. During my time at Microsoft, we always greatly valued the insights and partnerships with the NIST team in developing security standards that literally helped protect hundreds of millions of PCs and servers around the world. So, it’s been a real privilege to help lead similar work to protect what will one day probably be billions of containers.
NIST 800 series Special Publications are often seen as the gold standard for understanding the threats to critical software infrastructure and the countermeasures for protecting it. As NIST themselves modestly put it:
“NIST uses three NIST Special Publication subseries to publish computer/cyber/information security and guidelines, recommendations and reference materials:
SP 800, Computer Security (December 1990-present)
NIST’s primary mode of publishing computer/cyber/information security guidelines, recommendations and reference materials”
Special Publications exist for server operating systems, hypervisors, and cloud services, and are developed once a technology has strong market traction. So, I also see the existence of the SP as a great validation of containers as a first-tier enterprise technology.
The Container Security Guide takes the same consistent threat modeling approach used in SP 800-154 and applies it to the entire cloud native ‘stack’, from hypervisor, to container runtime, to orchestrator, and across the whole app lifecycle from the beginning of the CI process to production. The guide is designed to provide a diverse set of readers, from engineers to CISOs, with a clear understanding of the threat model and recommended defenses for a cloud native environment.
We announced the availability of the SP and our role in its development at DockerCon, and during the comment period we received comments and contributions from many government agencies and industry leaders, including Microsoft, Red Hat, and Docker. Over the coming weeks, we’ll be working to incorporate these contributions and publish the final version of the SP. In the meantime, please check it out and let us know if you have questions about how Twistlock can help you follow its security recommendations.