NIST container security guidelines: CoreOS has you covered

General technology, 2017-11-21 (read the original)

CoreOS was founded with the mission of securing the internet, and containerized infrastructure is a big part of how we're achieving that aim. That's why we were gratified to see the new guidance on application container security issued by the National Institute of Standards and Technology (NIST). In many ways, the report affirms the core principles upon which CoreOS was founded.

Cyber security experts are well acquainted with NIST. A division of the U.S. Department of Commerce, NIST provides technology, measurement, and standards for a wide range of industries. Its Computer Security Resource Center documents standards, guidelines, recommendations, and best practices for information security and privacy that inform the internal policies of countless organizations.

The primary publication in NIST's new guidance, the Application Container Security Guide (NIST Special Publication 800-190), examines the unique security implications posed by containerized infrastructure and makes a number of recommendations. Not coincidentally, these recommendations overlap with how CoreOS has always designed and built software.

A secure operating system, built for containers

One of NIST's key recommendations is that the foundation of containerized infrastructure should be a minimalist, container-centric OS that is hardened against security threats.

"For organizations using container-specific OSs, the threats are typically more minimal to start with since the OSs are specifically designed to host containers and have other services and functionality disabled," the report states. "Further, because these optimized OSs are designed specifically for hosting containers, they typically feature read-only file systems and employ other hardening practices by default."

This is a near-perfect description of CoreOS Container Linux, our first product, which is mentioned in the report. Container Linux introduced the concept of a container-centric OS in 2013, and it quickly became an industry-leading OS for container deployments. We designed it to be lightweight enough to manage and run at massive scale, with just the minimum functionality required to support application containers. And the OS software resides on a read-only /usr partition, so an attacker who gains a foothold can't modify or replace the base system binaries in place; writable state such as /etc and /var lives on separate partitions and still deserves monitoring.

Updates on time, every time

The NIST report also stresses the importance of keeping software up-to-date with security patches. Data breaches, DDoS attacks, and other information security threats are on the rise, including attacks launched by state actors. As we've seen in incident after incident, failure to apply security patches in a timely manner can be all attackers need to breach and run wild on private networks, sometimes with national security implications.

Containers help with security patch compliance, because their typically stateless nature means they can be easily destroyed and replaced with updated images. NIST also recommends using tools to scan images for known CVEs, which CoreOS provides in the form of our Clair static analysis tool for containers: Clair indexes the packages found in each image layer and matches them against the security trackers published by the Linux distributions.
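As an added illustration of the scan step described above (this is not Clair's code, and the advisory feed, package inventory and advisory identifiers below are constructed placeholders, not real CVE numbers), the following Python sketches the core of a static image scanner: extract the installed package versions from an image layer, then report every advisory whose package is present at a version older than the one that carries the fix.

```python
"""Toy version-aware matcher for the "scan images for known CVEs" step.

Added example, not Clair's implementation. The feed, the package inventory
and the EXAMPLE-* advisory IDs are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    id: str
    package: str
    fixed_in: str  # first version carrying the fix; older versions are affected


# Constructed feed, keyed by package name the way distro security trackers are.
FEED = [
    Advisory("EXAMPLE-2017-0001", "openssl", "1.0.2k-1"),
    Advisory("EXAMPLE-2017-0002", "openssl", "1.1.0f-3"),
    Advisory("EXAMPLE-2017-0003", "curl", "7.52.1-5"),
    Advisory("EXAMPLE-2017-0004", "bash", "4.4-5"),
]

# Constructed inventory, as a scanner would read it from a layer's package
# database (for example /var/lib/dpkg/status on a Debian-based image).
IMAGE_PACKAGES = {
    "openssl": "1.1.0f-1",
    "curl": "7.52.1-5",
    "bash": "4.3-14",
    "zlib1g": "1.2.8",
}


def _parts(version):
    """Tokenize '1.0.2k-1' into [1, 0, 2, 'k', 1]; separators are dropped."""
    return [int(t) if t.isdigit() else t for t in re.findall(r"\d+|[A-Za-z]+", version)]


def version_lt(a, b):
    """True if version a sorts before version b.

    Simplified ordering (an assumption of this example, not the dpkg/rpm/apk
    algorithms real scanners implement): compare token by token, numbers
    numerically, letter runs lexicographically, a number before a letter run,
    and a shorter version before a longer one sharing its prefix.
    """
    pa, pb = _parts(a), _parts(b)
    for x, y in zip(pa, pb):
        if x == y:
            continue
        if isinstance(x, int) and isinstance(y, int):
            return x < y
        if isinstance(x, int):
            return True
        if isinstance(y, int):
            return False
        return x < y
    return len(pa) < len(pb)


def scan(installed, feed):
    """Return advisories whose package is installed below its fixed version."""
    findings = [adv for adv in feed
                if adv.package in installed and version_lt(installed[adv.package], adv.fixed_in)]
    return sorted(findings, key=lambda adv: adv.id)


if __name__ == "__main__":
    for adv in scan(IMAGE_PACKAGES, FEED):
        print(f"{adv.id}: {adv.package} {IMAGE_PACKAGES[adv.package]} < {adv.fixed_in}")
```

Note that a package at exactly the fixed version (curl above) is not reported, and an advisory for a different release branch (the 1.0.2 openssl entry) does not match a 1.1.0 build; real feeds carry per-branch fixed versions for exactly this reason, and the version comparison is where most scanner false positives and negatives originate.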

But updating containerized applications alone isn't enough. "Organizations should use tools provided by the OS vendor or other trusted organizations to regularly check for and apply updates to all software components used within the OS," the NIST report states. Container Linux has always provided this capability, including not just the ability to apply OS updates automatically, but also to roll back gracefully in the event an update causes problems: an update is written to a second /usr partition, and if the new image fails to boot the system falls back to the previous one. CoreOS's Container Linux Update Operator can even coordinate system restarts for updated Container Linux cluster nodes automatically, so that only a bounded number of nodes is rebooting at any moment and overall cluster availability is preserved without human intervention.
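The coordination idea behind that last point, as an added model rather than CoreOS's own code: a node that needs a reboot must first obtain one of a fixed number of slots, reboots while holding it, and releases it when it is back, so no more than the configured number of nodes is down at once. The cluster, reboot durations and slot count below are constructed for the example.

```python
"""Deterministic model of coordinated node reboots after an OS update.

Added example of the semaphore pattern used to bound concurrent reboots;
not the Container Linux Update Operator's or locksmith's code. Node names,
reboot durations and the slot count are constructed.
"""
from collections import deque


class RebootCoordinator:
    """Hands out at most max_concurrent reboot slots, first come first served."""

    def __init__(self, max_concurrent):
        if max_concurrent < 1:
            raise ValueError("at least one slot is needed or nothing ever reboots")
        self.max_concurrent = max_concurrent
        self.holders = set()      # nodes currently allowed to be down
        self.waiting = deque()    # FIFO queue so every node is eventually served

    def request(self, node):
        """Node reports 'reboot needed'; it is granted a slot if one is free."""
        if node not in self.holders and node not in self.waiting:
            self.waiting.append(node)
        self._grant()

    def release(self, node):
        """Node is back and ready; its slot passes to the next waiter."""
        self.holders.discard(node)
        self._grant()

    def _grant(self):
        while self.waiting and len(self.holders) < self.max_concurrent:
            self.holders.add(self.waiting.popleft())


# Constructed cluster: every node needs a reboot at the same time (worst case).
NODES = ["node-1", "node-2", "node-3", "node-4", "node-5"]
REBOOT_TICKS = {"node-1": 2, "node-2": 3, "node-3": 2, "node-4": 1, "node-5": 2}


def simulate(nodes, reboot_ticks, max_concurrent):
    """Reboot every node under the coordinator.

    Returns (ticks elapsed, fewest ready nodes seen at any tick, most nodes
    down at once). A node counts as down from the tick it is granted a slot
    until reboot_ticks[node] ticks have passed.
    """
    coord = RebootCoordinator(max_concurrent)
    for node in nodes:
        coord.request(node)
    remaining = dict(reboot_ticks)
    pending = set(nodes)
    tick, min_ready, max_down = 0, len(nodes), 0
    while pending:
        down = set(coord.holders)          # snapshot: slots granted this tick start next tick
        max_down = max(max_down, len(down))
        min_ready = min(min_ready, len(nodes) - len(down))
        for node in down:
            remaining[node] -= 1
            if remaining[node] == 0:
                pending.discard(node)
                coord.release(node)
        tick += 1
    return tick, min_ready, max_down


if __name__ == "__main__":
    for slots in (1, 2, len(NODES)):
        print(f"{slots} slot(s): ticks={simulate(NODES, REBOOT_TICKS, slots)}")
```

With one slot the rollout takes the sum of all reboot times but four of five nodes are always ready; with two slots it finishes faster and three nodes are always ready; with a slot per node (the uncoordinated case) every node is down at once, which is exactly the outage the coordinator exists to prevent. The real operator additionally drains pods from a node before letting it reboot, so that the bound on unavailable nodes translates into a bound on unavailable workloads.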

With Tectonic, our enterprise-ready Kubernetes platform, we extend this auto-update capability to the container orchestration layer. Tectonic's self-hosted design means the Kubernetes control-plane components run as workloads on the cluster itself, so they can be updated and patched just as easily as any other application running on the platform. And because Tectonic is built on Kubernetes, it enables the "declarative, step-by-step build approach" to infrastructure that NIST recommends.

If there's a central theme to the NIST recommendations, it's that a greater level of automation is essential to success with containerized infrastructure. "What used to be acceptable to do manually no longer is," the report states. CoreOS agrees, and that's why the Tectonic platform is focused on making it possible to deploy, configure, and manage cluster components and services automatically. One example is Tectonic's Prometheus Operator, which provides automated operations for world-class infrastructure monitoring (another NIST recommendation). With these and other open services built on top of Kubernetes, customers can gain the ease and reliability they have come to expect from managed cloud offerings, only without the lock-in.

Containerize with confidence

Of course, automation alone is no guarantee of rock-solid security. Organizations that move to containerized infrastructure and application delivery will likely identify human processes that need to change, too. For this reason, we recommend you read the full NIST guidance and weigh for yourself how your organization is meeting its security requirements today, and how it might need to improve.

What's clear is that the importance of security can't be overemphasized. As software keeps eating the world, as Marc Andreessen famously described, and every company becomes a software company, robust information security becomes a shared responsibility for us all.

No doubt this can seem daunting. Faced with such a heavy burden, can a major technological shift such as containerization really be justified? Very much so, says NIST. Rather than creating new security challenges, "Containers are an enabling capability in organizations moving from reactive, manual, high-cost security models to those that enable better scale and efficiency, thus lowering risk."

At CoreOS, we've believed this all along. We see the emergence of new concepts and methodologies such as software defined infrastructure, immutable infrastructure, microservices and more as proof that the industry is undergoing a major evolution, and containerized infrastructure is right at the heart of it. CoreOS will continue to engineer our entire product line such that Container Linux and Tectonic customers have the most agile, most reliable, and most secure infrastructure available – whether that's on premises, within a data center, or on private or public clouds.

Try Tectonic

If you're new to containerized infrastructure, or you'd like to see how the CoreOS Tectonic Kubernetes platform helps deliver robust, easy-to-manage infrastructure that meets the NIST guidelines, we recommend the Tectonic Sandbox, our unique test and experimentation environment that runs on your local machine. No cloud credentials are required; you simply download the installer for macOS, Windows, or Linux and in short order you'll be up and running with a complete Tectonic Kubernetes demo environment that's suitable for non-production workloads.

CoreOS Blog
