Containers present many unique compliance challenges in terms of both visibility and the rate at which containers come and go in a production environment. To help address that issue, Aqua Security is working with the PCI Security Standards Council to better define how payment card industry (PCI) standards can be applied in a containerized environment.
Rani Osnat, vice president of marketing for Aqua Security, a provider of a framework for implementing security policies in containerized environments, says refinements to the Payment Card Industry Data Security Standard (PCI DSS) are needed to keep pace with the rate merchants are employing containers to drive a variety of digital business initiatives.
The challenge, says Osnat, is to demonstrate conclusively not only that container deployments can be audited, but also that security policies can be attached to containers as they move around the enterprise or when they get replaced. That latter issue is especially troubling to auditors, because the average life cycle of a container is only a few minutes. In theory at least, IT environments that make use of containers are non-compliant the minute one set of containers is replaced by another. While naturally there’s a lot of temptation to be as agile as possible, IT organizations still need to be able to document the processes employed in replacing container functionality.
In general, Osnat says compliance issues are holding up adoption of containers in regulated industries that need to be able to produce an audit trail for updates made to any production environment. As a provider of a security framework that makes use of nanosegmentation to enforce security policies, Aqua Security plans to systematically work with every vertical industry standards body to refine compliance requirements to encourage confidence in the deployment of containers in production environments, Osnat says. That issue can be especially thorny when it comes to PCI DSS compliance, because many of the guidelines are open to interpretation by the various developers and auditors tasked with determining PCI DSS compliance. In fact, there’s not much love lost between the payment card providers that oversee the PCI DSS standard and the organizations that process credit card payments.
In the meantime, researchers from Aqua Security will be demonstrating at the Black Hat 2017 conference just how vulnerable containers can be when they make use of a Docker API listening for TCP connections on their own local machines. According to the Aqua researchers, developers visiting a malicious web page can end up with a reverse shell to their internal network that can remain persistent without being detected. None of that means that Docker containers are really any less secure than any other platform. But there are nuances developers and IT security professionals need to fully appreciate when deploying containers in a production environment.
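The exposure described above comes down to how the Docker daemon is configured to listen. As an added defensive example (not code from the article or from Aqua's research), the Python audit below flags a dockerd that accepts TCP connections without requiring client certificates; it assumes the contents of daemon.json and the dockerd command line are handed to it as strings, and the sample inputs at the bottom are constructed.

```python
import json
import shlex

LOOPBACK = {"127.0.0.1", "localhost", "::1", "[::1]"}

def _config(daemon_json: str) -> dict:
    return json.loads(daemon_json) if daemon_json.strip() else {}  # "" = file absent

def listen_addresses(daemon_json: str, cmdline: str) -> list:
    """Return (scheme, host) pairs dockerd was told to listen on, from daemon.json or -H flags."""
    specs = list(_config(daemon_json).get("hosts", []))
    args = shlex.split(cmdline)
    for i, arg in enumerate(args):
        if arg in ("-H", "--host") and i + 1 < len(args):
            specs.append(args[i + 1])
        elif arg.startswith("--host="):
            specs.append(arg.split("=", 1)[1])
    pairs = []
    for spec in specs:
        scheme, _, rest = spec.partition("://")
        if not rest:  # no scheme: a path means a unix socket, anything else defaults to tcp
            scheme, rest = ("unix", scheme) if scheme.startswith("/") else ("tcp", scheme)
        pairs.append((scheme, rest.rsplit(":", 1)[0] if scheme == "tcp" else rest))
    return pairs

def tls_verify_enabled(daemon_json: str, cmdline: str) -> bool:
    """True only when client certificates are required; 'tls' alone still admits any client."""
    if _config(daemon_json).get("tlsverify") is True:
        return True
    return any(a in ("--tlsverify", "--tlsverify=true") for a in shlex.split(cmdline))

def audit_docker_api(daemon_json: str, cmdline: str) -> list:
    """Flag TCP listeners: without tlsverify, any process that can reach the port,
    including a request a browser was tricked into sending, controls the daemon."""
    findings = []
    tls = tls_verify_enabled(daemon_json, cmdline)
    for scheme, host in listen_addresses(daemon_json, cmdline):
        if scheme != "tcp":
            continue
        host = host or "0.0.0.0"  # "tcp://:2375" binds every interface
        if not tls:
            where = "loopback" if host in LOOPBACK else "all/remote interfaces"
            findings.append(f"HIGH: unauthenticated Docker API over TCP on {host} ({where})")
        elif host not in LOOPBACK:
            findings.append(f"INFO: TLS-verified Docker API exposed on {host}; restrict with firewall rules")
    return findings

# Constructed sample inputs (not from the article): a weak loopback listener and a hardened one.
WEAK_CMDLINE = "dockerd -H unix:///var/run/docker.sock -H tcp://127.0.0.1:2375"
HARDENED_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"], "tlsverify": true}'
```

A loopback-only listener is still flagged HIGH on purpose: the article's point is that requests originating on the developer's own machine, browser included, can reach it.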