Companion Guide to NIST's Container Security SP
NIST (National Institute of Standards and Technology) develops standards and guidelines for the information systems of federal agencies (classified and other national security systems are instead under the purview of the NSA). Included in NIST's body of work is the Special Publication 800 series, which draws on industry, government, and academia to provide guidelines and recommendations covering computer, cyber, and information security. One of NIST's recent special publications is SP 800-190, the Application Container Security Guide, which provides guidance on container security and serves as an excellent starting point for developing security standards (as well as achieving NIST compliance) for cloud native environments.
Understanding NIST SP 800-190
This NIST special publication describes in detail both the security risks involved with containerized apps and the security measures needed to mitigate them. Some may mistakenly think that these guidelines are only of interest to federal agencies, but nothing could be further from the truth. By publishing these findings, NIST goes beyond concerns of national security and federal information processing standards and makes it possible for nonfederal information systems and organizations to develop security plans that are equally robust. In short, NIST compliance is not just for government agencies and their service providers.
What is NIST Compliance?
Government agencies are expected to comply with NIST security standards and guidelines within a year of the NIST SP 800-190 release date, and any federal information systems currently under development are expected to be compliant when they are deployed. Note that NIST compliance is also vital for those receiving federal contract awards and can affect contractor information systems and others in the supply chain.
Those in industry, however, have more time. Companies can look to NIST SP 800-190 not only to learn about the vulnerabilities and risk management of containerized systems but also for guidance on developing a strong security plan, assessment process, access controls, privacy controls, incident response, and security standards. Like NIST SP 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations), this special publication is free and publicly available, making it an invaluable resource for non-federal organizations. In addition, NIST compliance makes it easier for companies to achieve compliance with other standards and regulations, such as HIPAA. Simply put, NIST compliance requirements are not just for the Department of Defense; they apply to any organization that is using a cloud native environment or containerized apps.
NIST Security Risks
There are several different security risks discussed in NIST SP 800-190, including the following:
- Compromised container images
- Incorrectly configured container images
- Use of untrusted images
- Risks involving clear text secrets
- Incorrectly configured access control
- Failure to automate security processes
- Unnecessarily large attack surfaces
- Problems with orchestrator node trust
- Failure to secure both containers and the underlying stack
- Vulnerabilities in the operating system
- Failure to update security practices and controls for containers as the technology changes
These and other issues have been identified within SP 800-190 as being among the most pressing risks for containerized apps and cloud native environments. The publication groups them by the layer they affect: images, registries, orchestrators, containers, and the host OS. Failure to perform security assessments and provide adequate risk management for these vulnerabilities is no longer acceptable for the federal government, and should no longer be acceptable for nonfederal information systems and organizations. Thorough risk assessment and the development of appropriate countermeasures are vital in response to the publication of SP 800-190.
NIST Vulnerability Management Tools
In order to achieve NIST compliance and secure containerized apps, container-specific security tools need to be implemented. These tools not only find vulnerabilities but address them. For example, there is an obvious need for a tool that handles vulnerability scanning in the continuous integration/continuous deployment (CI/CD) pipeline, dealing with problems before an image ever reaches the container registry. Developers also need a tool to scan images for NIST compliance before checking the corresponding code into a source control system. Tools for monitoring images and running containers for potential vulnerabilities are another must for NIST compliance, as are tools that provide key information such as risk trees and ranked vulnerabilities in the system. Security controls are difficult to implement when little is known about the exact issues your system is facing.
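The CI/CD gate described above, as an added example that is not code from Twistlock, NIST, or the companion guide: it takes a scanner's findings for an image plus the image configuration, ranks the vulnerabilities worst-first, and blocks the registry push when the image violates policy. The report layout (`vulnerabilities`, `config.User`, `config.Env`), the image name, the `VULN-*` identifiers, and the package names are constructed placeholders for this example, not real advisories or a real scanner's schema; adapt `evaluate()` to the JSON your scanner actually emits. Besides severity, it checks two of the image risks listed earlier in this page: an image that runs as root (incorrect configuration) and a clear-text secret baked into the image environment.

```python
"""CI gate over container image scan results (added example, hypothetical report format)."""
import re
import sys
from dataclasses import dataclass, field

# Severity ordering used to rank findings and to compare against the policy threshold.
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0}

# Environment variable names that usually carry credentials, and a value pattern for
# private keys. Constructed heuristics for this example; extend to taste.
SECRET_KEY_RE = re.compile(r"(?i)(secret|password|passwd|token|api_?key|private_?key)")
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")


@dataclass
class Policy:
    fail_at: str = "HIGH"          # lowest severity that blocks the push
    require_non_root: bool = True  # image must set a non-root USER
    forbid_secrets: bool = True    # no credentials in image ENV


@dataclass
class Verdict:
    passed: bool
    reasons: list = field(default_factory=list)  # human-readable block reasons
    ranked: list = field(default_factory=list)   # all findings, worst first


def severity_of(vuln):
    return SEVERITY_RANK.get(str(vuln.get("severity", "UNKNOWN")).upper(), 0)


def rank_vulns(vulns):
    # Worst severity first; ties broken by identifier so output is stable.
    return sorted(vulns, key=lambda v: (-severity_of(v), v["id"]))


def runs_as_root(user):
    # An empty USER means the runtime default, which is root for most base images.
    name = str(user).split(":", 1)[0]
    return name in ("", "0", "root")


def evaluate(report, policy=None):
    policy = policy or Policy()
    ranked = rank_vulns(report.get("vulnerabilities", []))
    reasons = []

    threshold = SEVERITY_RANK[policy.fail_at.upper()]
    for v in ranked:
        if severity_of(v) < threshold:
            break  # list is sorted, nothing below this point can block
        fix = v.get("fixed_version")
        fix_note = f" (fix: {fix})" if fix else " (no fix available)"
        reasons.append(f"{v['id']} {v['severity']} in {v['package']} {v['installed_version']}{fix_note}")

    cfg = report.get("config", {})
    if policy.require_non_root and runs_as_root(cfg.get("User", "")):
        reasons.append("image runs as root: set a non-root USER")

    if policy.forbid_secrets:
        for entry in cfg.get("Env", []):
            key, _, value = entry.partition("=")
            if SECRET_KEY_RE.search(key) or PRIVATE_KEY_RE.search(value):
                reasons.append(f"clear-text secret in image ENV: {key}")

    return Verdict(passed=not reasons, reasons=reasons, ranked=ranked)


# Constructed sample reports: placeholder identifiers and packages, not real advisories.
SAMPLE_BAD = {
    "image": "registry.example.com/shop/api:1.4.2",
    "vulnerabilities": [
        {"id": "VULN-A", "severity": "MEDIUM", "package": "libfoo", "installed_version": "1.0", "fixed_version": "1.1"},
        {"id": "VULN-B", "severity": "CRITICAL", "package": "libbar", "installed_version": "3.0.0", "fixed_version": "3.0.7"},
        {"id": "VULN-C", "severity": "HIGH", "package": "libbaz", "installed_version": "7.80.0", "fixed_version": None},
    ],
    "config": {"User": "", "Env": ["PATH=/usr/local/bin:/usr/bin", "DB_PASSWORD=hunter2"]},
}

SAMPLE_GOOD = {
    "image": "registry.example.com/shop/api:1.4.3",
    "vulnerabilities": [
        {"id": "VULN-D", "severity": "LOW", "package": "libqux", "installed_version": "2.2", "fixed_version": None},
    ],
    "config": {"User": "10001:10001", "Env": ["PATH=/usr/local/bin:/usr/bin"]},
}


if __name__ == "__main__":
    verdict = evaluate(SAMPLE_BAD)
    for reason in verdict.reasons:
        print("BLOCK:", reason)
    sys.exit(0 if verdict.passed else 1)
```

Run in the pipeline step that sits between image build and registry push; a non-zero exit stops the push. The `break` in the severity loop relies on `rank_vulns()` having sorted the findings, so keep the two together if you restructure.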
Security Tools & NIST Security Standards
In order to achieve NIST compliance and know that your containers and images are truly secure, you need to implement security tools that support NIST security standards. The old approach to addressing threats, manually writing security rules, simply will not scale if your goal is achieving NIST compliance. A robust security program built on machine learning and runtime analysis is a must. Not just any set of security tools can address the threats outlined in NIST SP 800-190, such as image vulnerabilities, embedded malware, untrusted images, and registry authentication.
Companion Guide to NIST’s Container Security SP
Twistlock's Companion Guide to NIST Container Security SP is designed to give a diverse set of readers, from engineers to chief information officers to CISOs, a clear understanding of the threat model and recommended defenses for a cloud native environment. The guide addresses the top challenges and helps organizations enable countermeasures, specifically through Twistlock, that meet NIST compliance guidelines more quickly and easily.
Download this guide to learn:
- Threats and risks present for government organizations and enterprises deploying modern applications
- Core requirements for securing containerized applications
- Official mappings to Twistlock for quickly and easily implementing the requirements
John Morello, CTO of Twistlock, partnered with NIST to draft SP 800-190 and had this to say about the SP and Twistlock’s companion guide: “The existence of the container security SP is a great validation of containers as a first tier enterprise technology. But, implementation comes with its challenges. Enforcing compliance across the entire cloud native ‘stack’ isn’t easy. The Twistlock Companion Guide sets out to solve those challenges, taking a prescriptive approach to the steps required to enforce NIST compliance, so it acts as a sort of deployment template. By enabling countermeasures through Twistlock, organizations can implement the NIST recommendations with minimal extra configuration.”