Date Published: August 2017
Comments Due: August 25, 2017 (public comment period is CLOSED)
Email Questions to: NISTIR8176@nist.gov
Withdrawn: October 11, 2017
Author(s)
Ramaswamy Chandramouli (NIST)
Announcement
NIST requests comments on the release of Draft NISTIR 8176, Security Assurance Requirements for Linux Application Container Deployments.
Application Containers are slowly finding adoption in enterprise IT infrastructures. To address security concerns associated with deployment of application container platforms, NIST Special Publication 800-190 (2nd Draft), Application Container Security Guide, identified security threats to the components of the platform hosting the containers and related artifacts involved in building, storing and using container images. It has also proposed countermeasures for the following components: Hardware, Host OS, Container Runtime, Image, Registry and Orchestrator.
To implement the countermeasures one or more security solutions are needed. To assess the effectiveness of the security solutions implemented based on these recommendations, it is necessary to analyze them and outline the security assurance requirements they must satisfy to meet their intended objectives. This is the contribution of Draft NISTIR 8176. The focus is on application containers on Linux platforms.
The security solutions for which security assurance requirements have been derived cover the following areas:
- Hardware-based root of trust providing integrity for boot process,
- Configuration options using host OS kernel features and kernel loadable modules,
- Protection measures for building and storing container images, and
- Configuration options in Orchestrator tools used for rolling out a production infrastructure involving multiple containers and multiple hosts.
Application Containers are slowly finding adoption in enterprise IT infrastructures. Security guidelines and countermeasures have been proposed to address security concerns associated with the deployment of application container platforms. To assess the effectiveness of the security solutions implemented based on these recommendations, it is necessary to analyze them and outline the security assurance requirements they must satisfy to meet their intended objectives. This is the contribution of this document. The focus is on application containers on a Linux platform.
Application Containers are slowly finding adoption in enterprise IT infrastructures. Security guidelines and countermeasures have been proposed to address security concerns associated with the deployment of application container platforms. To assess the effectiveness of the security solutions...
See full abstract
Application Containers are slowly finding adoption in enterprise IT infrastructures. Security guidelines and countermeasures have been proposed to address security concerns associated with the deployment of application container platforms. To assess the effectiveness of the security solutions implemented based on these recommendations, it is necessary to analyze them and outline the security assurance requirements they must satisfy to meet their intended objectives. This is the contribution of this document. The focus is on application containers on a Linux platform.
Hide full abstract
Keywords
application container; capabilities; Cgroups; container image; container registry; kernel loadable module; Linux kernel; namespace; Trusted Platform Module
Control Families
Access Control;
Configuration Management;
System and Communications Protection;
System and Information Integrity;