The Container Compliance Almanac: NIST, PCI, GDPR and CIS

Learn about container compliance challenges, and discover guidelines for container compliance with leading standards and regulations

What is Container Compliance?

Containerized architecture has significantly changed the way software is developed, tested and deployed. There are major challenges in ensuring containers are compliant, and applying compliant security controls to this new type of infrastructure.

Most regulations were created before containers were prevalent, and do not have specific provisions explaining how containers should be protected. At the same time, containers create new types of security risks that must be addressed to prevent compliance violations.

In this post we’ll provide a brief overview and best practices for container compliance with several common compliance standards.

In this article, you will learn:

Container Compliance Challenges

Containers introduce dramatic changes to application development. They often drive an increase in the use of open-source components, and they also accelerate the pace of software development, challenging established security checkpoints. Containers may also introduce new vulnerabilities, and might not be compatible with existing existing version and configuration management processes.

Here are some of the key challenges facing organizations when ensuring containers are compliant:

  • Vulnerability management—containers often use open source images that can contain vulnerabilities. You should monitor these images and remediate vulnerabilities before using them in production.
  • Network security—it is difficult to track where containers are running and monitor network traffic between containers. However, putting such monitoring in place is essential to prevent unauthorized access and lateral movement.
  • Threat analysis and mitigation—a containerized environment must have policy-based security rules, and automatic scans to ensure that these rules are being met and prevent malicious activity.
  • User access control—only users or applications with specific task-related requirements should have access to a container, and access should be limited to the minimum actually needed.
  • Data protection—organizations need real-time visibility and an event audit trail for containerized environments. Access to sensitive data and systems (as defined in each compliance standard) must be logged and audited. This may not be supported by existing auditing methods.

NIST Compliance for Containers

The National Institute of Standards and Technology (NIST) has created a NIST NIST SP 800-190, a container security guide which includes practical recommendations for addressing security challenges in container-based environments. 

Here are key NIST recommendations to consider:

  • Manage image vulnerabilities—using a container-native vulnerability management solution that can integrate into your pipeline and uses policy-driven enforcement.
  • Image configuration defects—implement processes that validate and enforce image compliance. For example, control user access to runtime containers.
  • Embedded malware—continuously monitor images for embedded malware, including malware signature sets.
  • Insecure connections to registries—encrypt all connections to registries and any data that moves between registries and endpoints. 
  • Secure administrative access—make sure your orchestrators implement a
    “least privilege” access model to limit user access to sensitive resources.
  • Monitor container runtime for vulnerabilities—using tools that can automate vulnerability detection.
  • Minimize the attack surface—by using a container-specific OS when possible and continuously scanning the host for vulnerabilities. 
  • Do not mix non-containerized and containerized workloads—on the same host. Otherwise, you will not be able to easily apply countermeasures for container protection. 

Read our white paper: NIST Checklist for Container Security ›

PCI DSS Compliance for Containers

The Payment Card Industry Data Security Standard (PCI DSS) specifies how organizations should manage a cardholder data environment—an IT environment that manages credit cardholder data. 

Here are best practices for complying with PCI DSS in a containerized environment:

  • Vulnerability management—open-source container images may contain vulnerabilities. Images should be scanned before use, and securely stored, before being used in production.
  • Network security—in a cardholder data environment, it is important to track where containers are running, identify network connections between containers, and monitor them to prevent intrusion and lateral movement. 
  • Threat analysis and mitigation—the organization must have policy-based security rules, and the ability to automatically check that containers are in line with rules, to prevent malicious activity.
  • User access control, segregation of duties—every container should only be accessible to individuals or applications that need it for their specific function.
  • Data Protection—the organization must achieve real-time visibility of containers with full event audit trails. All access to PCI-sensitive containers must be logged and audited. These containers must also be backed up on a regular basis. Existing audit methods may not be sufficient to track data in a containerized environment, so organizations may have to use specialized cloud-native tools.
  • Separation of PCI from non-PCI containers—according to the requirements, PCI-sensitive systems should be run separately from non-PCI systems. In containers this means a combination of separate registries or image tags, labeling of services, namespaces in Kubernetes, separate hosts, or entirely separate clusters.

Learn more in our guide: PCI DSS for Containers ›

GDPR Compliance for Containers

The General Data Protection Regulation (GDPR) applies to any organization that stores or processes personally identifiable information (PII) of European Union (EU) citizens. 

When ensuring containerized environments are GDPR-compliant, there are a few key points to focus on:

  • Scan container images throughout the development lifecycle, to mitigate threats to PII stored on containers and integrated systems.
  • Track container activity, detect and respond to threats in real time.
  • Control user access to containers holding sensitive information.
  • Demonstrate compliance by establishing audit trails showing any container activity, and proving security measures are in place.

Here is a quick GDPR checklist that can help you assess and improve the GDPR compliance of your containerized environment:

  1. Data Protection Impact Assessment—perform risk assessment to identify container image vulnerabilities, inbound and outbound network connections, unregistered images and containers, hard-coded secrets, and overprovisioned permissions, and implement remediation measures.
  2. Security of Processing—define and control access to personal data. Remove unnecessary executables from images, strictly limit access of users and access to containers, and rotate secrets. Monitor container activity, detect anomalous behavior and react to it immediately.
  3. Data Breach Notifications—the GDPR requires organizations to provide notice of breaches, no later than 72 hours after they become aware of the breach. In most cases, the organization must notify data subjects affected by the breach. To enable rapid notification, the organization must have automated audit trails providing proof of compliance, including container KPI trends, remediation actions, security configuration changes, and timeliness of scans.

Learn more in our guide: GDPR Compliance Guide for Containers

CIS Benchmarks

The Center for Internet Security (CIS) publishes best practices for cybersecurity in different IT environments, including containerized environments. The CIS Benchmark documents are widely used in the industry to ensure secure and compliant configuration for containers. Multiple tools are available to automatically test containerized workloads for CIS best practices.

CIS Benchmark for Docker

Companies can use Docker’s CIS benchmarks to ensure that Docker containers and Docker runtimes are configured as securely as possible—including Docker host configuration, Daemon configuration, container runtime, and Docker Swarm configuration. 

Learn more in our guide to the Docker CIS Benchmark ›

Kubernetes CIS benchmark test

The Kubernetes CIS benchmark best practices are an important first step in protecting Kubernetes in production. The benchmark includes guidelines on securing the Kubernetes control plane, worker nodes, and setting security policies for RBAC, networking, and secrets.

Learn more in our guide to the Kubernetes CIS Benchmark

Container Compliance with Aqua Security