One of the cool things about working in this dynamic space of containers and cloud native apps is the ability to really shape the future. I’ve always thought that you make that impact through three main ways: the product you build, how it helps customers achieve their goals, and what you contribute to the community. We’ve been proud to contribute many security capabilities to Docker and OpenShift in the open source and have more on the way. Beyond the code, though, we’ve also been actively contributing to the body of knowledge around best practices for container security. The NIST SP Container Security Guide draft is the latest example of how Twistlock contributes to shaping best practices for organizations using containers.
We had the honor to help lead the development of the new NIST Special Publication, SP 800-190, the Container Security Guide. During my time at Microsoft, we always greatly valued the insights and partnerships with the NIST team in developing security standards that literally helped protect hundreds of millions of PCs and servers around the world. So, it’s been a real privilege to help lead similar work to protect what will one day probably be billions of containers.
NIST 800-series Special Publications are often seen as the gold standard for understanding the threats and countermeasures for protecting critical software infrastructure. As NIST itself modestly puts it:
“NIST uses three NIST Special Publication subseries to publish computer/cyber/information security and guidelines, recommendations and reference materials:
SP 800, Computer Security (December 1990-present)
NIST’s primary mode of publishing computer/cyber/information security guidelines, recommendations and reference materials”
Special publications exist for server operating systems, hypervisors, and cloud services, and are developed once a technology has strong market traction. So, I also see the existence of the SP as a great validation of containers as a first tier enterprise technology.
The Container Security Guide takes the same consistent threat-modeling approach as SP 800-154 and applies it to the entire cloud native ‘stack’, from hypervisor to container runtime to orchestrator, and across the whole application lifecycle, from the beginning of the CI process through to production. The guide is designed to give a diverse set of readers, from engineers to CISOs, a clear understanding of the threat model and the recommended defenses for a cloud native environment.
We announced the availability of the SP and our role in its development at DockerCon, and during the comment period we received comments and contributions from many government agencies and industry leaders, including Microsoft, Red Hat, and Docker. Over the coming weeks, we’ll be working to incorporate these contributions and publish the final version of the SP. In the meantime, please check it out and let us know if you have questions about how Twistlock can help you follow its security recommendations.