One of the cool things about working in this dynamic space of containers and cloud native apps is the ability to really shape the future.  I’ve always thought that you make that impact through three main ways: the product you build, how it helps customers achieve their goals, and what you contribute to the community.  We’ve been proud to contribute many security capabilities to Docker and OpenShift in the open source and have more on the way.  Beyond the code, though, we’ve also been actively contributing to the body of knowledge around best practices for container security.  The NIST SP Container Security Guide draft is the latest example of how Twistlock contributes to shaping best practices for organizations using containers.

NIST Guide to Container Security

We had the honor to help lead the development of the new NIST Special Publication, SP-800-190, the Container Security Guide. During my time at Microsoft, we always greatly valued the insights and partnerships with the NIST team in developing security standards that literally helped protect hundreds of millions of PCs and servers around the world.  So, it’s been a real privilege to help lead similar work to protect what will one day probably be billions of containers.  

NIST 800 series Special Publications are often seen as the gold standard for understanding the threats and countermeasures for protecting critical software infrastructure.  As NIST themselves modestly puts it:

“NIST uses three NIST Special Publication subseries to publish computer/cyber/information security and guidelines, recommendations and reference materials:

SP 800, Computer Security (December 1990-present)

NIST’s primary mode of publishing computer/cyber/information security guidelines, recommendations and reference materials”

Special publications exist for server operating systems, hypervisors, and cloud services, and are developed once a technology has strong market traction.  So, I also see the existence of the SP as a great validation of containers as a first tier enterprise technology.

The Container Security Guide takes the same, consistent threat modeling approach in SP 800-154 and applies it to the entire cloud native ‘stack’ from hypervisor, to container runtime, to orchestrator, and across the whole app lifecycle from the beginning of the CI process to production.  The guide is designed to provide a diverse set of readers, from engineers to CISOs, with a clear understanding of the threat model and recommended defenses for a cloud native environment.

We announced the availability of the SP and our role in its development at DockerCon, and during the comment period we received comments and contributions from many government agencies and industry leaders, including Microsoft, Red Hat, and Docker.  Over the coming weeks, we’ll be working to incorporate these contributions and publish the final version of the SP.  In the meantime, please check it out and let us know if you have questions about how Twistlock can help you follow its security recommendations.
