Just as importantly, the NIST 800-190 stresses the need for organizations to approach security for containerized applications in a different way than they did for traditional applications. Containerized applications have different risk factors than virtual machines and require a different set of security practices.
NIST 800-190 requires organizations to:
Use purpose-built tools to manage image vulnerabilities throughout the entire image lifecycle, from build through deploy and runtime.
Ensure that images comply with configuration best practices.
Protect secrets by storing them outside the image, using Kubernetes to manage secrets, restrict access to secrets to those containers that need them and encrypt secrets at rest and in transit.
Use a secure connection when pushing or pulling from the registry.
Ensure that the container always uses the latest image version.
Segment network traffic, at the very least to isolate sensitive from non-sensitive networks.
Use Kubernetes to securely introduce nodes and keep an inventory of nodes and their connectivity states.
Control outbound traffic from containers.
Ensure continual compliance with container runtime configurations standards such as the CIS benchmarks.
Use security controls to detect threats and potential intrusions at the container and infrastructure level.
Use a hardened, container-specific operating system with an attack surface that is as small as possible.
Prevent host file system tampering by ensuring containers have as few permissions as possible to function as designed.
Even organizations who don’t need to comply with the NIST 800-190 requirements should consider them a useful framework for improving the organization’s security posture. They ensure organizations are thinking about security throughout the build, deploy and runtime phases, addressing the unique security requirements of each stage.