How to Secure Containers Using the NIST SP 800-190 Guide
Container adoption is on the rise as organizations adopt microservices and convert monolithic applications to a container environment or build new applications in a cloud native fashion. As these applications move into production it becomes critical to secure containers against malicious attacks such as data stealing, malware, and crypto mining.
NIST SP 800-190 focuses on potential security concerns of containers and provides recommendations for addressing these concerns. Containers are ephemeral and immutable, driving three main challenges on which NIST focuses:
- Scale. A typical container environment may have 100s or 1000s of containers. A container infrastructure is a dynamic environment so one minute there may be 10 active containers and the next minute there may be 1000 active containers. The container security solution must be able to scale accordingly. Also, most container communications are inter-container (east-west), so it is imperative that the container security solution embeds in the container infrastructure, protecting and providing visibility into this network traffic.
- Automation. As NIST states “automation is not just important to deal with the net number of entities, but also with how frequently those entities change.” Automation is central to container management and is the basis for the continuous integration/continuous deployment (CI/CD) pipeline. The container security solution must fully integrate into the automated processes and applications (e.g., Jenkins for CI/CD orchestration, Git for image repository, and JFrog Artifactory for image scanning), for all phases from build to ship to run-time.
- Central policy management and enforcement. The only way to enforce security policies in a rapidly scaling, automated infrastructure is via centralized policy expression and strict enforcement of software management policies. The container security solution must be policy aware and able to track policy violations and act accordingly: alert and enforce. As discussed below, this includes the ability to automatically quarantine containers that are violating policy.
Watch the Webinar for an Overview of NIST SP 800-190
NeuVector Support of NIST Countermeasure Recommendations
Download the NeuVector NIST document to learn how the NeuVector container network security solution addresses specific countermeasures (listed in section 4.0) against the container challenges that NIST SP 800-190 discusses in Section 3.0.
Key areas of the NIST SP 800-190 Guide for image vulnerability management, admission control, registry management, orchestrator security, run-time security and network segmentation are addressed by the NeuVector solution and the itemized counter measures are provided in the document.
4.1 Image Countermeasures
4.2 Registry Countermeasures
4.3 Orchestrator Countermeasures
4.4 Container Countermeasures
4.5 Host OS Countermeasures
6.x Container Life Cycle Security
NeuVector Support of NIST Container Life Cycle Security
NIST makes it clear that continuous integration and continuous delivery are vital aspects of the container build, ship, and run lifecycle. To this end, Section 6.0 of NIST SP 800-190 discusses container technology lifecycle security considerations. It is imperative that any evaluation of container security solutions addresses both the NIST countermeasures of Section 4.0 AND the container lifecycle security considerations of Section 6.0.
NeuVector fully integrates with the CI/CD pipeline to provide security throughout the build, ship, and run phases of the software life cycle. As a host-based container firewall, NeuVector provides efficient local monitoring and protection in a fully scalable fashion that matches the dynamics of a typical container environment.
Extending NIST Guidance for Defense In Depth
The NIST SP 800-190 guide is quite proactive in addressing container security, especially considering that many organizations are just at the beginning of their container and CI/CD initiatives. NIST recognizes that containers open the door to improving security posture, yet at the same time, containers significantly increase the potential attack surface and the risk of introducing new vulnerabilities into the infrastructure. Protecting against these increased risks requires focusing on the specific countermeasures to address container security challenges in the context of the greater container lifecycle perspective.
However, the NIST SP 800-190 document places more emphasis on the pre-production (prevention) phases of container development than on the run-time container security requirements. The best preventive security will not wholly eliminate damaging attacks from insiders and zero-day exploits. It is critical to implement strong container network security to detect and prevent the types of data breaches organizations have experienced over the last few years.
Defense in depth for container deployments should include:
- A layer 7 container firewall with deep packet inspection (DPI) and multi-protocol application segmentation
- Built-in network attack detection such as DNS, DDoS, SQL injection, etc.
- Sensitive data detection in unencrypted network communication
- Auto-segmentation of workloads for PCI and non-PCI firewalling
- Monitoring of Kubernetes system containers network behavior
- Automated packet capture for debugging and forensics
- Real-time connection visualization and network attack display
NeuVector is uniquely positioned to address both the specific container security countermeasures and full security throughout the container lifecycle. With the only true layer 7 container firewall available today, NeuVector provides unprecedented cloud-native visibility and protection for container deployments in production.