Security Think Tank: Container security is evolving, so must CISOs

A number of articles on containerisation have been published over the past couple of years. I wrote one on Linux implementations in January 2019, but since that time, Microsoft has been flexing its muscles in that area and there have been a number of new entrants.

Prior to containerisation, the only option was to virtualise the server hardware, and in the process create multiple versions of the hardware – each virtual server then needed to run its own licensed operating system. In containerisation, rather than virtualise a host server’s hardware, you essentially virtualise a server’s operating system (OS). This, in turn, can lead to greater efficiency in an IT infrastructure as containers are much smaller than a virtual server running its own OS.

In earlier containerisation, the containers were operating system dependant, so a container written for a Linux distribution would not run on a Microsoft system, for example. However, things have moved on apace, and you now can get OS virtualisation software that is not only available for different OS platforms, but offers a common and consistent set of container support functions, such as application programming interfaces (APIs).

In this way, containers become portable between differing OS platforms. You can, of course, run containerisation on virtualised servers, and typically that is what you would get when running IT in the cloud.

Life is getting quite complex for the chief information security officer (CISO), with containers running on virtualised servers potentially in a cloud supplier’s remote datacentre. The question is, how does the CISO safeguard the company’s data? It’s back to basics, together with a realisation that we are dealing with multiple layers of software. The CISO’s job therefore includes, as a main function, ensuring the basics are in place and being adhered to. Those basics can be summarised as:

• Having formal policies, procedures, standards and work practice documentation in place. These should be easy to access (intranet, for example) and regularly maintained to ensure that:
  • The latest vendor-supported software or firmware is being employed, not only at the OS level but at the virtualisation level, server hardware and application level, where appropriate;
  • All software is routinely patched, with security patches applied as a priority;
  • All software is configured, not just for function and performance, but also for good security;
  • Staff are trained and competent not only to undertake effective configuration of the various levels of software, but also to understand the interaction between the various software levels – for example, server hardware BIOS, virtualising server hypervisor, server operating system, OS virtualising software and the containers themselves;
  • That comprehensive monitoring and management systems are in place together with incident reporting, investigation, management and resolution processes.
• Having audit mechanisms in place to regularly check that the policies, procedures, standards and work practices comply with company governance and compliance requirements, are being used and are fit for purpose.
• Ensuring that all systems are regularly and independently checked by external professional companies for security, not only from the internet, but also at the infrastructure and server level.
• Where some or a majority of a company’s IT is outsourced, the CISO must ensure that:
  • Contracts accurately reflect a company’s policies and standards, and appropriately addresses a company’s governance and compliance requirements. The company must have these as a company cannot outsource its compliance responsibility (for example, the General Data Protection Regulation and the Data Protection Act 2018);
  • Security is covered in contracts in detail;
  • The contract allows for independent testing of the company’s outsourced IT;
  • The interface between the outsourcer and the company is clearly identified and covers not just operation and management issues, but also has a clear definition of which party is responsible for what functions. This is particularly important for security monitoring and incident reporting and management.