Install and maintain container security solutions.
CONTROL ID
16178
CONTROL TYPE
Technical Security
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Install security and protection software, as necessary. (CC ID: 00575)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Verify that the firmware apps utilize kernel containers for isolation between apps. (C.32, Application Security Verification Standard 4.0.3, 4.0.3)
  • Additionally, traditional security controls, such as firewalls and intrusion detection systems, may not be effective because containers may obscure activities; therefore, container-specific security solutions should be implemented. (Risk Management Audit and Controls Assessment Bullet 3 Sub-bullet 2 ¶ 1, FFIEC Security in a Cloud Computing Environment)
  • While most container runtime environments do an effective job of isolating containers from each other and from the host OS, in some cases it may be an unnecessary risk to run apps of different sensitivity levels together on the same host OS. Segmenting containers by purpose, sensitivity, and threat … (4.3.4 ¶ 2, NIST SP 800-190, Application Container Security Guide)
  • Orchestrators should be configured to isolate deployments to specific sets of hosts by sensitivity levels. The particular approach for implementing this varies depending on the orchestrator in use, but the general model is to define rules that prevent high sensitivity workloads from being placed on … (4.3.4 ¶ 1, NIST SP 800-190, Application Container Security Guide)
  • The container runtime must be carefully monitored for vulnerabilities, and when problems are detected, they must be remediated quickly. A vulnerable runtime exposes all containers it supports, as well as the host itself, to potentially significant risk. Organizations should use tools to look for Com… (4.4.1 ¶ 1, NIST SP 800-190, Application Container Security Guide)
  • Security must be as portable as the containers themselves, so organizations should adopt techniques and tools that are open and work across platforms and environments. Many organizations will see developers build in one environment, test in another, and deploy in a third, so having consistency in as… (7 ¶ 6, NIST SP 800-190, Application Container Security Guide)
  • Organizations should consider how other security policies may be affected by containers and adjust these policies as needed to take containers into consideration. For example, policies for incident response (especially forensics) and vulnerability management may need to be adjusted to take into acco… (6.1 ¶ 1, NIST SP 800-190, Application Container Security Guide)
  • The introduction of container technologies might disrupt the existing culture and software development methodologies within the organization. To take full advantage of the benefits containers can provide, the organization's processes should be tailored to support this new way of developing, running,… (6.1 ¶ 2, NIST SP 800-190, Application Container Security Guide)
  • In container environments there are many more entities, so security processes and tools must be able to scale accordingly. Scale does not just mean the total number of objects supported in a database, but also how effectively and autonomously policy can be managed. Many organizations struggle with t… (7 ¶ 3, NIST SP 800-190, Application Container Security Guide)
  • The risk of using stale images can be mitigated through two primary methods. First, organizations can prune registries of unsafe, vulnerable images that should no longer be used. This process can be automated based on time triggers and labels associated with images. Second, operational practices sho… (4.2.2 ¶ 1, NIST SP 800-190, Application Container Security Guide)
  • Operational processes that are particularly important for maintaining the security of container technologies, and thus should be performed regularly, include updating all images and distributing those updated images to containers to take the place of older images. Other security best practices, such… (6.4 ¶ 1, NIST SP 800-190, Application Container Security Guide)
  • If and when security incidents occur within a containerized environment, organizations should be prepared to respond with processes and tools that are optimized for the unique aspects of containers. The core guidance outlined in NIST SP 800-61, Computer Security Incident Handling Guide, is very much… (6.4 ¶ 2, NIST SP 800-190, Application Container Security Guide)
  • Existing host-based intrusion detection processes and tools are often unable to detect and prevent attacks within containers due to the differing technical architecture and operational practices previously discussed. Organizations should implement additional tools that are container aware and design… (4.4.4 ¶ 1, NIST SP 800-190, Application Container Security Guide)