NIST container security guidelines: CoreOS has you covered

By Neil McAllister

CoreOS was founded with the mission of securing the internet, and containerized infrastructure is a big part of how we’re achieving that aim. That’s why we were gratified to see the new guidance on application container security issued by the National Institute of Standards and Technology (NIST). In many ways, the report affirms the core principles upon which CoreOS was founded.

Cyber security experts are well acquainted with NIST. A division of the U.S. Department of Commerce, NIST provides technology, measurement, and standards for a wide range of industries. Its Computer Security Resource Center documents standards, guidelines, recommendations, and best practices for information security and privacy that inform the internal policies of countless organizations.

The primary publication in NIST's new guidance, the Application Container Security Guide, examines the unique security implications posed by containerized infrastructure and makes a number of recommendations. Not coincidentally, these recommendations overlap with how CoreOS has always designed and built software.

A secure operating system, built for containers

One of NIST's key recommendations is that the foundation of containerized infrastructure should be a minimalist, container-centric OS that is hardened against security threats.

"For organizations using container-specific OSs, the threats are typically more minimal to start with since the OSs are specifically designed to host containers and have other services and functionality disabled," the report states. "Further, because these optimized OSs are designed specifically for hosting containers, they typically feature read-only file systems and employ other hardening practices by default."

This is a near-perfect description of CoreOS Container Linux, our first product, mentioned in the report. Container Linux introduced the concept of a container-centric OS in 2013, and it quickly became an industry-leading OS for container deployments. We designed it to be lightweight enough to manage and run at massive scale, with just the minimum functionality required to support application containers. And most of the OS software resides on a read-only partition, so attackers can't inject unwanted or malicious binaries.
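A read-only OS partition is only protective if it is actually mounted read-only on the running host, so it is worth verifying rather than assuming. The following POSIX shell script is an added example, not part of the original post and not CoreOS tooling: it reads a /proc/mounts-style table, resolves each path you expect to be immutable to its longest-prefix mount, and reports whether that mount is `ro` or `rw`. The sample mounts table is constructed to resemble a Container Linux layout (read-only /usr with a writable OEM partition beneath it) and is an assumption, not captured from a real host.

```shell
#!/bin/sh
# Added example (not CoreOS code): verify that paths expected to be immutable
# are backed by read-only mounts.

# mount_mode <mounts-file> <abs-path>
# Prints "ro" or "rw" for the mount that owns <abs-path>, or "none" if no
# mount matches. The longest mount point that is a prefix of the path wins,
# so a writable partition mounted beneath /usr is still reported as rw.
mount_mode() {
    awk -v p="$2" '
        {
            t = $2                      # field 2 = mount point, field 4 = options
            if (t == "/" || p == t || index(p, t "/") == 1) {
                if (length(t) >= length(best)) { best = t; opts = $4 }
            }
        }
        END {
            if (best == "") { print "none"; exit }
            split(opts, o, ",")          # first option is always ro or rw
            mode = (o[1] == "ro") ? "ro" : "rw"
            print mode
        }' "$1"
}

# check_ro_mounts <mounts-file> <abs-path> [<abs-path>...]
# Prints "<path> <mode>" per path; returns 1 if any path is not read-only.
check_ro_mounts() {
    f=$1; shift
    rc=0
    for p in "$@"; do
        m=$(mount_mode "$f" "$p")
        printf '%s %s\n' "$p" "$m"
        [ "$m" = ro ] || rc=1
    done
    return $rc
}

# write_sample_mounts <file>
# Constructed /proc/mounts-style sample (an assumption, not a real host):
# read-only /usr with a writable OEM partition and tmpfs.
write_sample_mounts() {
    cat >"$1" <<'EOF'
rootfs / rootfs rw 0 0
/dev/sda9 / ext4 rw,relatime 0 0
/dev/sda3 /usr ext4 ro,relatime 0 0
/dev/sda6 /usr/share/oem ext4 rw,nodev,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
EOF
}

# Run with "demo" to exercise the constructed sample; on a live host you would
# call: check_ro_mounts /proc/mounts /usr /usr/bin
if [ "${1:-}" = demo ]; then
    sample=$(mktemp)
    write_sample_mounts "$sample"
    check_ro_mounts "$sample" /usr /usr/bin /usr/share/oem /tmp
    rm -f "$sample"
fi
```

The script deliberately reports the writable OEM partition under /usr as `rw`: a read-only parent mount says nothing about children mounted over it, which is exactly the kind of gap an audit of "is the OS image immutable?" should surface.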

The NIST report also stresses the importance of keeping software up to date with security patches. Data breaches, DDoS attacks, and other information security threats are on the rise, including attacks launched by state actors. As we've seen in incident after incident, failure to apply security patches in a timely manner can be all attackers need to breach and run wild on private networks, sometimes with national security implications.

Containers help with security patch compliance, because their typically stateless nature means they can be easily destroyed and replaced with updated images. NIST also recommends using tools to scan for known CVEs, which CoreOS provides in the form of our Clair static analysis tool for containers.

But updating containerized applications alone isn't enough. "Organizations should use tools provided by the OS vendor or other trusted organizations to regularly check for and apply updates to all software components used within the OS," the NIST report states. Container Linux has always provided this capability, including not just the ability to apply OS updates automatically, but also to roll back gracefully in the event an update causes problems. CoreOS's Container Linux Update Operator can even automatically coordinate system restarts for updated Container Linux cluster nodes, so that overall cluster availability is preserved without human intervention.

With Tectonic, our enterprise-ready Kubernetes platform, we extend this auto-update capability to the container orchestration layer. Tectonic's self-hosted design means Kubernetes control components can be updated and patched just as easily as any other application running on the platform. And because Tectonic is built on Kubernetes, it enables the "declarative, step-by-step build approach" to infrastructure that NIST recommends.

If there's a central theme to the NIST recommendations, it's that a greater level of automation is essential to success with containerized infrastructure. "What used to be acceptable to do manually no longer is," the report states. CoreOS agrees, and that's why the Tectonic platform is focused on making it possible to deploy, configure, and manage cluster components and services. One example is Tectonic's Prometheus Operator, which provides automated operations for world-class infrastructure monitoring (another NIST recommendation). With these and other open services built on top of Kubernetes, customers can gain the ease and reliability they have come to expect from managed cloud offerings, only without the lock-in.

Containerize with confidence

Of course, automation alone is no guarantee of rock-solid security. Organizations that move to containerized infrastructure and application delivery will likely identify human processes that need to change, too. For this reason, we recommend you read the full NIST guidance and weigh for yourself how your organization is meeting its security requirements today, and how it might need to improve.

What's clear is that the importance of security can't be overemphasized. As software keeps eating the world, as Marc Andreessen famously described, and every company becomes a software company, robust information security becomes a shared responsibility for us all.

No doubt this can seem daunting. Faced with such a heavy burden, can a major technological shift such as containerization really be justified? Very much so, says NIST. Rather than creating new security challenges, "Containers are an enabling capability in organizations moving from reactive, manual, high-cost security models to those that enable better scale and efficiency, thus lowering risk."

At CoreOS, we've believed this all along. We see the emergence of new concepts and methodologies such as software defined infrastructure, immutable infrastructure, microservices and more as proof that the industry is undergoing a major evolution, and containerized infrastructure is right at the heart of it. CoreOS will continue to engineer our entire product line such that Container Linux and Tectonic customers have the most agile, most reliable, and most secure infrastructure available – whether that's on premises, within a data center, or on private or public clouds.

Try Tectonic

If you're new to containerized infrastructure, or you'd like to see how the CoreOS Tectonic Kubernetes platform helps deliver robust, easy-to-manage infrastructure that meets the NIST guidelines, we recommend the Tectonic Sandbox, our unique test and experimentation environment that runs on your local machine. No cloud credentials are required; you simply download the installer for macOS, Windows, or Linux and in short order you'll be up and running with a complete Tectonic Kubernetes demo environment that's suitable for non-production workloads.