Most of us at Twistlock come from enterprise backgrounds, so we have a personal understanding of how important compliance is to customers. We’ve not only helped shape industry best practices, including the Kubernetes CIS Benchmark and NIST SP 800-190, but also thought about how these technical recommendations map back to overarching standards like PCI and HIPAA. We were excited to see that the PCI Security Standards Council (of which we’re a member) recently published an update to the PCI SSC Cloud Computing Guidelines from its Cloud SIG.
Container compliance in PCI Guidelines version 3.0
This 3.0 release of the Cloud Guidelines is the first major update in 5 years and includes new guidance on containers, as well as on other cloud-related technologies. Section E.7 is specifically focused on containers and covers recommended practices for securing containers used in card processing systems. We’ll look at the specific recommendations later in this piece, but first I want to cover how we think about compliance settings and policies in the product generally.
Because Twistlock is used by customers in many different industries and countries, we need to provide compliance capabilities that touch a wide variety of standards, such as PCI, FISMA, and GDPR. Most of these standards pre-date containers, but the core requirements around confidentiality, integrity, and availability haven’t changed; only the specific technical mechanisms may differ between containers and traditional systems. At the same time, every customer has requirements specific to their own environment, balancing risks and remediations that may be unique to them. As such, we don’t want to offer static rules hardcoded to individual standards, but instead a flexible framework with prebuilt templates that can be tuned as needed.
Within our compliance feature, we have more than 250 compliance checks that can be monitored and enforced across hosts, orchestrators, containers, and images. These checks include, and are directly aligned with, the CIS Benchmarks for Linux, Docker, and Kubernetes, as well as checks Twistlock Labs added that aren’t in the benchmarks, such as looking for malware or embedded clear-text keys. Additionally, our research team has scored each of these checks (using CVSS severity naming conventions) to make it easier to focus on the most important ones.
As a user, you can build your own compliance rules by hand directly from these checks. To make this even easier, we’ve also gone through major standards like PCI, HIPAA, and GDPR, considered which parts of each are relevant to containers, and ship pre-built templates for them with the recommended checks included. So if you’re running containers in a PCI-compliant environment, you can simply select our PCI template, which creates a pre-built rule with all our recommendations, and then make any adjustments your environment needs.
Now that we’ve covered how compliance works in Twistlock, let’s look at the new PCI Cloud Guidelines. The guide draws heavily on the best practices in NIST SP 800-190, so its recommendations are all things already covered by Twistlock compliance policies. Key recommendations include RBAC for the orchestrator and for the containers themselves, process isolation, auditing, and vulnerability management. The guide also recommends pushing these requirements upstream into CI/CD processes, something we’ve long believed to be a key advantage of containers, and the reason our CI plugins let you monitor and enforce not just vulnerabilities but also compliance posture.
Workload isolation, monitoring, and visibility
The guide also has a strong focus on workload isolation, another key recommendation from NIST SP 800-190. While this zoning of workloads is largely the responsibility of the orchestrator rather than the security tool, Twistlock’s multi-tenancy feature makes it easy to have a single security tool that spans all your environments, including isolated PCI workloads. Finally, the guide emphasizes the need for ongoing monitoring and visibility, especially since containers are much shorter-lived than traditional systems:
“Many organizations have struggled to address quarterly and annual PCI DSS requirements for containers that may be created, run, retired and destroyed in a matter of days or hours. In some cases, a check of the container fleet may occur every week, such as for file integrity monitoring for PCI DSS Requirement 11.5, or over the course of weeks or months in the case of a penetration test. In cases where the container life cycle is shorter than the duration of a given PCI DSS control, consider sampling running instances across all in-scope container images (see Section E.9, “Elastic Resources Inventory and Control,” for further information).”
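The sampling approach the guidance describes can be implemented directly over a container inventory. The following is an added example, not code from the original post or from Twistlock: it groups running containers by image, flags in-scope images none of whose instances will survive long enough for a scheduled control to see them, and picks the newest running instance per image so that a check (a file-integrity scan, for instance) can be run against a sample that covers every in-scope image. The inventory, image names and the seven-day control period are constructed for illustration.

```python
"""Sample running containers across all in-scope images, so that a control whose
cadence is longer than the typical container lifetime still covers every image."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory; not data from any real system.
NOW = datetime(2018, 5, 8, 12, 0, 0)
RUNNING_CONTAINERS = [
    {"id": "c-100", "image": "shop/payment-api:1.4", "started": datetime(2018, 5, 8, 11, 30)},
    {"id": "c-101", "image": "shop/payment-api:1.4", "started": datetime(2018, 5, 8, 9, 0)},
    {"id": "c-102", "image": "shop/tokenizer:2.0", "started": datetime(2018, 4, 20, 8, 0)},
    {"id": "c-103", "image": "shop/web-front:5.1", "started": datetime(2018, 5, 7, 23, 0)},
    {"id": "c-104", "image": "shop/marketing:0.9", "started": datetime(2018, 5, 8, 1, 0)},
]
# Images in the cardholder data environment (constructed); shop/marketing is out of scope,
# and shop/batch-settle has no running instance at the moment of sampling.
IN_SCOPE_IMAGES = {
    "shop/payment-api:1.4", "shop/tokenizer:2.0", "shop/web-front:5.1", "shop/batch-settle:1.0",
}
CONTROL_PERIOD = timedelta(days=7)  # e.g. a weekly file-integrity check cadence


def group_in_scope(containers, in_scope):
    """Group running containers by image, keeping only in-scope images."""
    by_image = defaultdict(list)
    for c in containers:
        if c["image"] in in_scope:
            by_image[c["image"]].append(c)
    return by_image


def short_lived_images(containers, in_scope, now, control_period):
    """In-scope images none of whose running instances has been up for a full control
    period. For these, waiting for the scheduled check would miss every instance."""
    result = set()
    for image, instances in group_in_scope(containers, in_scope).items():
        if all(now - c["started"] < control_period for c in instances):
            result.add(image)
    return result


def sample_instances(containers, in_scope, per_image=1):
    """Pick up to per_image running instances per in-scope image, newest first so the
    sample reflects the current build of each image.
    Returns (sample by image, in-scope images with no running instance to sample)."""
    by_image = group_in_scope(containers, in_scope)
    sample = {}
    for image, instances in by_image.items():
        newest = sorted(instances, key=lambda c: c["started"], reverse=True)
        sample[image] = [c["id"] for c in newest[:per_image]]
    uncovered = sorted(in_scope - set(by_image))
    return sample, uncovered


if __name__ == "__main__":
    print("short-lived:", sorted(short_lived_images(RUNNING_CONTAINERS, IN_SCOPE_IMAGES, NOW, CONTROL_PERIOD)))
    sample, uncovered = sample_instances(RUNNING_CONTAINERS, IN_SCOPE_IMAGES)
    print("sample:", sample)
    print("no running instance:", uncovered)
```

The `uncovered` list is the part worth watching: an in-scope image with no running instance at sampling time has not been checked at all, and needs either a later sampling pass or a check against the image itself rather than a running container.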
Twistlock is built to provide real-time monitoring not just of file integrity but also of process, file system, and system call behavior, and not just to report those anomalies but to actively prevent them. This data is available not only in the Twistlock UI but also as RFC-compliant syslog and as open JSON objects via our RESTful API. Additionally, our Compliance Explorer dashboard gives you a real-time view of compliance posture, trends, and outliers across your environments, so you always have an up-to-date picture. If you need to provide this data to auditors, it too is available through syslog and the API, or you can simply assign your audit team members the Twistlock Auditor role, granting them read-only access to this data in our Console.
For more information about Twistlock PCI compliance features, check out our official Guide to PCI Compliance for Containers. To learn more about the NIST SP, download our Companion Guide to NIST’s Container Security SP.