Application Container Security Guide NIST SP 800 190 Guide, 2017 09 25

User Manual:

Open the PDF directly: View PDF PDF.
Page Count: 63

DownloadApplication Container Security Guide NIST SP 800-190 Guide, 2017-09-25
Open PDF In BrowserView PDF
NIST Special Publication 800-190

Application Container Security Guide
Murugiah Souppaya
John Morello
Karen Scarfone

This publication is available free of charge from:
https://doi.org/10.6028/NIST.SP.800-190

C O M P U T E R

S E C U R I T Y

NIST Special Publication 800-190

Application Container Security Guide
Murugiah Souppaya
Computer Security Division
Information Technology Laboratory
John Morello
Twistlock
Baton Rouge, Louisiana
Karen Scarfone
Scarfone Cybersecurity
Clifton, Virginia

This publication is available free of charge from:
https://doi.org/10.6028/NIST.SP.800-190

September 2017

U.S. Department of Commerce
Wilbur L. Ross, Jr., Secretary
National Institute of Standards and Technology
Kent Rochford, Acting Under Secretary of Commerce for Standards and Technology and Acting Director

NIST SP 800-190

APPLICATION CONTAINER SECURITY GUIDE

Authority
This publication has been developed by NIST in accordance with its statutory responsibilities under the
Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law
(P.L.) 113-283. NIST is responsible for developing information security standards and guidelines,
including minimum requirements for federal information systems, but such standards and guidelines shall
not apply to national security systems without the express approval of appropriate federal officials
exercising policy authority over such systems. This guideline is consistent with the requirements of the
Office of Management and Budget (OMB) Circular A-130.

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

Nothing in this publication should be taken to contradict the standards and guidelines made mandatory
and binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should
these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of
Commerce, Director of the OMB, or any other federal official. This publication may be used by
nongovernmental organizations on a voluntary basis and is not subject to copyright in the United States.
Attribution would, however, be appreciated by NIST.
National Institute of Standards and Technology Special Publication 800-190
Natl. Inst. Stand. Technol. Spec. Publ. 800-190, 63 pages (September 2017)
CODEN: NSPUE2
This publication is available free of charge from:
https://doi.org/10.6028/NIST.SP.800-190
Certain commercial entities, equipment, or materials may be identified in this document in order to describe an
experimental procedure or concept adequately. Such identification is not intended to imply recommendation or
endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best
available for the purpose.
There may be references in this publication to other publications currently under development by NIST in
accordance with its assigned statutory responsibilities. The information in this publication, including concepts and
methodologies, may be used by federal agencies even before the completion of such companion publications. Thus,
until each publication is completed, current requirements, guidelines, and procedures, where they exist, remain
operative. For planning and transition purposes, federal agencies may wish to closely follow the development of
these new publications by NIST.
Organizations are encouraged to review all draft publications during public comment periods and provide feedback
to NIST. Many NIST cybersecurity publications, other than the ones noted above, are available at
https://csrc.nist.gov/publications.

Comments on this publication may be submitted to:
National Institute of Standards and Technology
Attn: Computer Security Division, Information Technology Laboratory
100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899-8930
Email: 800-190comments@nist.gov

All comments are subject to release under the Freedom of Information Act (FOIA).

i

NIST SP 800-190

APPLICATION CONTAINER SECURITY GUIDE

Reports on Computer Systems Technology

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

The Information Technology Laboratory (ITL) at the National Institute of Standards and
Technology (NIST) promotes the U.S. economy and public welfare by providing technical
leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, test
methods, reference data, proof of concept implementations, and technical analyses to advance
the development and productive use of information technology. ITL’s responsibilities include the
development of management, administrative, technical, and physical standards and guidelines for
the cost-effective security and privacy of other than national security-related information in
federal information systems. The Special Publication 800-series reports on ITL’s research,
guidelines, and outreach efforts in information system security, and its collaborative activities
with industry, government, and academic organizations.

Abstract
Application container technologies, also known as containers, are a form of operating system
virtualization combined with application software packaging. Containers provide a portable,
reusable, and automatable way to package and run applications. This publication explains the
potential security concerns associated with the use of containers and provides recommendations
for addressing these concerns.

Keywords
application; application container; application software packaging; container; container security;
isolation; operating system virtualization; virtualization

ii

NIST SP 800-190

APPLICATION CONTAINER SECURITY GUIDE

Acknowledgements
The authors wish to thank their colleagues who have reviewed drafts of this document and
contributed to its technical content during its development, in particular Raghuram Yeluri from
Intel Corporation, Paul Cichonski from Cisco Systems, Inc., Michael Bartock and Jeffrey
Cichonski from NIST, and Edward Siewick. The authors also acknowledge the organizations that
provided feedback during the public comment period, including Docker, Motorola Solutions,
StackRox, United States Citizenship and Immigration Services (USCIS), and the US Army.

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

Audience
The intended audience for this document is system and security administrators, security program
managers, information system security officers, application developers, and others who have
responsibilities for or are otherwise interested in the security of application container
technologies.
This document assumes that readers have some operating system, networking, and security
expertise, as well as expertise with virtualization technologies (hypervisors and virtual
machines). Because of the constantly changing nature of application container technologies,
readers are encouraged to take advantage of other resources, including those listed in this
document, for more current and detailed information.

Trademark Information
All registered trademarks or trademarks belong to their respective organizations.

iii

NIST SP 800-190

APPLICATION CONTAINER SECURITY GUIDE

Executive Summary
Operating system (OS) virtualization provides a separate virtualized view of the OS to each
application, thereby keeping each application isolated from all others on the server. Each
application can only see and affect itself. Recently, OS virtualization has become increasingly
popular due to advances in its ease of use and a greater focus on developer agility as a key
benefit. Today’s OS virtualization technologies are primarily focused on providing a portable,
reusable, and automatable way to package and run applications (apps). The terms application
container or simply container are frequently used to refer to these technologies.

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

The purpose of the document is to explain the security concerns associated with container
technologies and make practical recommendations for addressing those concerns when planning
for, implementing, and maintaining containers. Many of the recommendations are specific to a
particular component or tier within the container technology architecture, which is depicted in
Figure 1.

Figure 1: Container Technology Architecture Tiers and Components

Organizations should follow these recommendations to help ensure the security of their container
technology implementations and usage:
Tailor the organization’s operational culture and technical processes to support the new
way of developing, running, and supporting applications made possible by containers.
The introduction of container technologies might disrupt the existing culture and software
development methodologies within the organization. Traditional development practices, patching
techniques, and system upgrade processes might not directly apply to a containerized
environment, and it is important that employees are willing to adapt to a new model. Staff should
be encouraged to embrace the recommended practices for securely building and operating apps
within containers, as covered in this guide, and the organization should be willing to rethink
existing procedures to take advantage of containers. Education and training covering both the
technology and the operational approach should be offered to anyone involved in the software
development lifecycle.

iv

NIST SP 800-190

APPLICATION CONTAINER SECURITY GUIDE

Use container-specific host OSs instead of general-purpose ones to reduce attack surfaces.
A container-specific host OS is a minimalist OS explicitly designed to only run containers, with
all other services and functionality disabled, and with read-only file systems and other hardening
practices employed. When using a container-specific host OS, attack surfaces are typically much
smaller than they would be with a general-purpose host OS, so there are fewer opportunities to
attack and compromise a container-specific host OS. Accordingly, whenever possible,
organizations should use container-specific host OSs to reduce their risk. However, it is
important to note that container-specific host OSs will still have vulnerabilities over time that
require remediation.
This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

Only group containers with the same purpose, sensitivity, and threat posture on a single
host OS kernel to allow for additional defense in depth.
While most container platforms do an effective job of isolating containers from each other and
from the host OS, it may be an unnecessary risk to run apps of different sensitivity levels
together on the same host OS. Segmenting containers by purpose, sensitivity, and threat posture
provides additional defense in depth. By grouping containers in this manner, organizations make
it more difficult for an attacker who compromises one of the groups to expand that compromise
to other groups. This increases the likelihood that compromises will be detected and contained
and also ensures that any residual data, such as caches or local volumes mounted for temp files,
stays within its security zone.
In larger-scale environments with hundreds of hosts and thousands of containers, this grouping
must be automated to be practical to operationalize. Fortunately, container technologies typically
include some notion of being able to group apps together, and container security tools can use
attributes like container names and labels to enforce security policies across them.
Adopt container-specific vulnerability management tools and processes for images to
prevent compromises.
Traditional vulnerability management tools make many assumptions about host durability and
app update mechanisms and frequencies that are fundamentally misaligned with a containerized
model. For example, they often assume that a given server runs a consistent set of apps over
time, but different application containers may actually be run on different servers at any given
time based on resource availability. Further, traditional tools are often unable to detect
vulnerabilities within containers, leading to a false sense of safety. Organizations should use
tools that take the declarative, step-by-step build approach and immutable nature of containers
and images into their design to provide more actionable and reliable results.
These tools and processes should take both image software vulnerabilities and configuration
settings into account. Organizations should adopt tools and processes to validate and enforce
compliance with secure configuration best practices for images. This should include having
centralized reporting and monitoring of the compliance state of each image, and preventing noncompliant images from being run.

v

NIST SP 800-190

APPLICATION CONTAINER SECURITY GUIDE

Consider using hardware-based countermeasures to provide a basis for trusted computing.
Security should extend across all tiers of the container technology. The current way of
accomplishing this is to base security on a hardware root of trust, such as the industry standard
Trusted Platform Module (TPM). Within the hardware root of trust are stored measurements of
the host’s firmware, software, and configuration data. Validating the current measurements
against the stored measurements before booting the host provides assurance that the host can be
trusted. The chain of trust rooted in hardware can be extended to the OS kernel and the OS
components to enable cryptographic verification of boot mechanisms, system images, container
runtimes, and container images. Trusted computing provides a secure way to build, run,
orchestrate, and manage containers.
This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

Use container-aware runtime defense tools.
Deploy and use a dedicated container security solution capable of preventing, detecting, and
responding to threats aimed at containers during runtime. Traditional security solutions, such as
intrusion prevention systems (IPSs) and web application firewalls (WAFs), often do not provide
suitable protection for containers. They may not be able to operate at the scale of containers,
manage the rate of change in a container environment, and have visibility into container activity.
Utilize a container-native security solution that can monitor the container environment and
provide precise detection of anomalous and malicious activity within it.

vi

NIST SP 800-190

APPLICATION CONTAINER SECURITY GUIDE

Table of Contents
Executive Summary ..................................................................................................... iv
1

Introduction ............................................................................................................ 1
1.1 Purpose and Scope ........................................................................................ 1
1.2 Document Structure ........................................................................................ 1

2

Introduction to Application Containers ................................................................ 3
2.1 Basic Concepts for Application Virtualization and Containers ......................... 3

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

2.2 Containers and the Host Operating System .................................................... 5
2.3 Container Technology Architecture ................................................................. 7
2.3.1 Image Creation, Testing, and Accreditation.......................................... 9
2.3.2 Image Storage and Retrieval ................................................................ 9
2.3.3 Container Deployment and Management ........................................... 10
2.4 Container Uses ............................................................................................. 11
3

Major Risks for Core Components of Container Technologies ....................... 13
3.1 Image Risks .................................................................................................. 13
3.1.1 Image vulnerabilities ........................................................................... 13
3.1.2 Image configuration defects ............................................................... 13
3.1.3 Embedded malware............................................................................ 14
3.1.4 Embedded clear text secrets .............................................................. 14
3.1.5 Use of untrusted images..................................................................... 14
3.2 Registry Risks ............................................................................................... 14
3.2.1 Insecure connections to registries ...................................................... 14
3.2.2 Stale images in registries ................................................................... 14
3.2.3 Insufficient authentication and authorization restrictions .................... 14
3.3 Orchestrator Risks ........................................................................................ 15
3.3.1 Unbounded administrative access ...................................................... 15
3.3.2 Unauthorized access .......................................................................... 15
3.3.3 Poorly separated inter-container network traffic ................................. 15
3.3.4 Mixing of workload sensitivity levels ................................................... 16
3.3.5 Orchestrator node trust....................................................................... 16
3.4 Container Risks ............................................................................................ 16
3.4.1 Vulnerabilities within the runtime software.......................................... 16
vii

NIST SP 800-190

APPLICATION CONTAINER SECURITY GUIDE

3.4.2 Unbounded network access from containers...................................... 16
3.4.3 Insecure container runtime configurations .......................................... 17
3.4.4 App vulnerabilities .............................................................................. 17
3.4.5 Rogue containers ............................................................................... 17
3.5 Host OS Risks .............................................................................................. 17
3.5.1 Large attack surface ........................................................................... 17
3.5.2 Shared kernel ..................................................................................... 18
3.5.3 Host OS component vulnerabilities .................................................... 18
This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

3.5.4 Improper user access rights ............................................................... 18
3.5.5 Host OS file system tampering ........................................................... 18
4

Countermeasures for Major Risks ...................................................................... 19
4.1 Image Countermeasures .............................................................................. 19
4.1.1 Image vulnerabilities ........................................................................... 19
4.1.2 Image configuration defects ............................................................... 19
4.1.3 Embedded malware............................................................................ 20
4.1.4 Embedded clear text secrets .............................................................. 20
4.1.5 Use of untrusted images..................................................................... 20
4.2 Registry Countermeasures ........................................................................... 21
4.2.1 Insecure connections to registries ...................................................... 21
4.2.2 Stale images in registries ................................................................... 21
4.2.3 Insufficient authentication and authorization restrictions .................... 21
4.3 Orchestrator Countermeasures .................................................................... 22
4.3.1 Unbounded administrative access ...................................................... 22
4.3.2 Unauthorized access .......................................................................... 22
4.3.3 Poorly separated inter-container network traffic ................................. 22
4.3.4 Mixing of workload sensitivity levels ................................................... 23
4.3.5 Orchestrator node trust....................................................................... 24
4.4 Container Countermeasures ......................................................................... 24
4.4.1 Vulnerabilities within the runtime software.......................................... 24
4.4.2 Unbounded network access from containers...................................... 24
4.4.3 Insecure container runtime configurations .......................................... 25
4.4.4 App vulnerabilities .............................................................................. 25

viii

NIST SP 800-190

APPLICATION CONTAINER SECURITY GUIDE

4.4.5 Rogue containers ............................................................................... 26
4.5 Host OS Countermeasures ........................................................................... 26
4.5.1 Large attack surface ........................................................................... 26
4.5.2 Shared kernel ..................................................................................... 27
4.5.3 Host OS component vulnerabilities .................................................... 27
4.5.4 Improper user access rights ............................................................... 27
4.5.5 Host file system tampering ................................................................. 27
4.6 Hardware Countermeasures ......................................................................... 28
This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

5

Container Threat Scenario Examples................................................................. 30
5.1 Exploit of a Vulnerability within an Image...................................................... 30
5.2 Exploit of the Container Runtime .................................................................. 30
5.3 Running a Poisoned Image ........................................................................... 30

6

Container Technology Life Cycle Security Considerations ............................. 32
6.1 Initiation Phase ............................................................................................. 32
6.2 Planning and Design Phase .......................................................................... 32
6.3 Implementation Phase .................................................................................. 33
6.4 Operations and Maintenance Phase ............................................................. 34
6.5 Disposition Phase ......................................................................................... 35

7

Conclusion ........................................................................................................... 36
List of Appendices

Appendix A— NIST Resources for Securing Non-Core Components .................... 38
Appendix B— NIST SP 800-53 and NIST Cybersecurity Framework Security
Controls Related to Container Technologies ........................................................... 39
Appendix C— Acronyms and Abbreviations ............................................................ 46
Appendix D— Glossary .............................................................................................. 48
Appendix E— References ........................................................................................... 50
List of Tables and Figures
Figure 1: Container Technology Architecture Tiers and Components .............................iv
Figure 2: Virtual Machine and Container Deployments ................................................... 5
Figure 3: Container Technology Architecture Tiers, Components, and Lifecycle Phases 8
Table 1: NIST Resources for Securing Non-Core Components .................................... 38
ix

NIST SP 800-190

APPLICATION CONTAINER SECURITY GUIDE

Table 2: Security Controls from NIST SP 800-53 for Container Technology Security ... 39
Table 3: NIST SP 800-53 Controls Supported by Container Technologies ................... 43
Table 4: NIST Cybersecurity Framework Subcategories Supported by Container
Technologies .......................................................................................................... 43

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

x

NIST SP 800-190

1

Introduction

1.1

Purpose and Scope

APPLICATION CONTAINER SECURITY GUIDE

The purpose of the document is to explain the security concerns associated with application
container technologies and make practical recommendations for addressing those concerns when
planning for, implementing, and maintaining containers. Some aspects of containers may vary
among technologies, but the recommendations in this document are intended to apply to most or
all application container technologies.

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

All forms of virtualization other than application containers, such as virtual machines, are
outside the scope of this document.
In addition to application container technologies, the term “container” is used to refer to concepts
such as software that isolates enterprise data from personal data on mobile devices, and software
that may be used to isolate applications from each other on desktop operating systems. While
these may share some attributes with application container technologies, they are out of scope for
this document.
This document assumes readers are already familiar with securing the technologies supporting
and interacting with application container technologies. These include the following:
•
•
•

The layers under application container technologies, including hardware, hypervisors,
and operating systems;
The administrative tools that use the applications within the containers; and
The administrator endpoints used to manage the applications within the containers and
the containers themselves.

Appendix A contains pointers to resources with information on securing these technologies.
Sections 3 and 4 offer additional information on security considerations for container-specific
operating systems. All further discussion of securing the technologies listed above is out of scope
for this document.
1.2

Document Structure

The remainder of this document is organized into the following sections and appendices:
•
•
•
•
•
•

Section 2 introduces containers, including their technical capabilities, technology
architectures, and uses.
Section 3 explains the major risks for the core components of application container
technologies.
Section 4 recommends countermeasures for the risks identified in Section 3.
Section 5 defines threat scenario examples for containers.
Section 6 presents actionable information for planning, implementing, operating, and
maintaining container technologies.
Section 7 provides the conclusion for the document.

1

NIST SP 800-190

•
•
•
•
•

APPLICATION CONTAINER SECURITY GUIDE

Appendix A lists NIST resources for securing non-core components of container
technologies.
Appendix B lists the NIST Special Publication 800-53 security controls and NIST
Cybersecurity Framework subcategories that are most pertinent to application container
technologies, explaining the relevancy of each.
Appendix C provides an acronym and abbreviation list for the document.
Appendix D presents a glossary of selected terms from the document.
Appendix E contains a list of references for the document.

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

2

NIST SP 800-190

2

APPLICATION CONTAINER SECURITY GUIDE

Introduction to Application Containers

This section provides an introduction to containers for server applications (apps). First, it defines
the basic concepts for application virtualization and containers needed to understand the rest of
the document. Next, this section explains how containers interact with the operating system they
run on top of. The next portion of the section illustrates the overall architecture of container
technologies, defining all the major components typically found in a container implementation
and explaining the workflows between components. The last part of the section describes
common uses for containers.
2.1

Basic Concepts for Application Virtualization and Containers

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

NIST Special Publication (SP) 800-125 [1] defines virtualization as “the simulation of the
software and/or hardware upon which other software runs.” Virtualization has been in use for
many years, but it is best known for enabling cloud computing. In cloud environments, hardware
virtualization is used to run many instances of operating systems (OSs) on a single physical
server while keeping each instance separate. This allows more efficient use of hardware and
supports multi-tenancy.
In hardware virtualization, each OS instance interacts with virtualized hardware. Another form of
virtualization known as operating system virtualization has a similar concept; it provides
multiple virtualized OSs above a single actual OS kernel. This approach is often called an OS
container, and various implementations of OS containers have existed since the early 2000s,
starting with Solaris Zone and FreeBSD jails. 1 Support initially became available in Linux in
2008 with the Linux Container (LXC) technology built into nearly all modern distributions. OS
containers are different from the application containers that are the topic of this guide because
OS containers are designed to provide an environment that behaves much like a normal OS in
which multiple apps and services may co-exist.
Recently, application virtualization has become increasingly popular due to advances in its ease
of use and a greater focus on developer agility as a key benefit. In application virtualization, the
same shared OS kernel is exposed virtually to multiple discrete apps. OS components keep each
app instance isolated from all others on the server. In this case, each app sees only the OS and
itself, and is isolated from other apps that may be running on this same OS kernel.
The key difference between OS virtualization and application virtualization is that with
application virtualization, each virtual instance typically runs only a single app. Today’s
application virtualization technologies are primarily focused on providing a portable, reusable,
and automatable way to package and run apps. The terms application container or simply
container are frequently used to refer to these technologies. The term is meant as an analogy to
shipping containers, which provide a standardized way of grouping disparate contents together
while isolating them from each other.

1

For more information on the concept of jails, see https://www.freebsd.org/doc/handbook/jails.html.

3

NIST SP 800-190

APPLICATION CONTAINER SECURITY GUIDE

Unlike traditional app architectures, which often divide an app into a few tiers (e.g., web, app,
and database) and have a server or VM for each tier, container architectures often have an app
divided into many more components, each with a single well-defined function and typically
running in its own container(s). Each app component runs in a separate container. In application
container technologies, sets of containers that work together to compose an app are referred to as
microservices. With this approach, app deployment is more flexible and scalable. Development
is also simpler because functionality is more self-contained. However, there are many more
objects to manage and secure, which may cause problems for app management and security tools
and processes.

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

Most application container technologies implement the concept of immutability. In other words,
the containers themselves should be operated as stateless entities that are deployed but not
changed. 2 When a running container needs to be upgraded or have its contents changed, it is
simply destroyed and replaced with a new container that has the updates. This enables
developers and support engineers to make and push changes to apps at a much faster pace.
Organizations may go from deploying a new version of their app every quarter, to deploying new
components weekly or daily. Immutability is a fundamental operational difference between
containers and hardware virtualization. Traditional VMs are typically run as stateful entities that
are deployed, reconfigured, and upgraded throughout their life. Legacy security tools and
processes often assume largely static operations and may need to be adjusted to adapt to the rate
of change in containerized environments.
The immutable nature of containers also has implications for data persistence. Rather than
intermingling the app with the data it uses, containers stress the concept of isolation. Data
persistence should be achieved not through simple writes to the container root file system, but
instead by using external, persistent data stores such as databases or cluster-aware persistent
volumes. The data containers use should be stored outside of the containers themselves so that
when the next version of an app replaces the containers running the existing version, all data is
still available to the new version.
Modern container technologies have largely emerged along with the adoption of development
and operations (DevOps) practices that seek to increase the integration between building and
running apps, emphasizing close coordination between development and operational teams. 3 The
portable and declarative nature of containers is particularly well suited to these practices because
they allow an organization to have great consistency between development, test, and production
environments. Organizations often utilize continuous integration processes to put their apps into
containers directly in the build process itself, such that from the very beginning of the app’s
lifecycle, there is guaranteed consistency of its runtime environment. Container images—
packages containing the files required to run containers—are typically designed to be portable
across machines and environments, so that an image created in a development lab can be easily
moved to a test lab for evaluation, then copied into a production environment to run without
needing to make any modifications. The downside of this is that the security tools and processes

2

3

Note that while containers make immutability practical and realistic, they do not require it, so organizations need to adapt
their operational practices to take advantage of it.
This document refers to tasks performed by DevOps personas. The references to these personas are focused on the types of
job tasks being performed, not on strict titles or team organizational structures.

4

NIST SP 800-190

APPLICATION CONTAINER SECURITY GUIDE

used to protect containers should not make assumptions about specific cloud providers, host OSs,
network topologies, or other aspects of the container runtime environment which may frequently
change. Even more critically, security should be consistent across all these environments and
throughout the app lifecycle from development to test to production.
Recently, projects such as Docker [2] and rkt [3] have provided additional functionality designed
to make OS component isolation features easier to use and scale. Container technologies are also
available on the Windows platform beginning with Windows Server 2016. The fundamental
architecture of all these implementations is consistent enough so that this document can discuss
containers in detail while remaining implementation agnostic.
This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

2.2

Containers and the Host Operating System

Explaining the deployment of apps within containers is made easier by comparing it with the
deployment of apps within virtual machines (VMs) from hardware virtualization technologies,
which many readers are already familiar with. Figure 2 shows the VM deployment on the left, a
container deployment without VMs (installed on “bare metal”) in the middle, and a container
deployment that runs within a VM on the right.

Figure 2: Virtual Machine and Container Deployments

Both VMs and containers allow multiple apps to share the same physical infrastructure, but they
use different methods of separation. VMs use a hypervisor that provides hardware-level isolation
of resources across VMs. Each VM sees its own virtual hardware and includes a complete guest
OS in addition to the app and its data. VMs allow different OSs, such as Linux and Windows, to
share the same physical hardware.
With containers, multiple apps share the same OS kernel instance but are segregated from each
other. The OS kernel is part of what is called the host operating system. The host OS sits below
the containers and provides OS capabilities to them. Containers are OS-family specific; a Linux
host can only run containers built for Linux, and a Windows host can only run Windows
5

NIST SP 800-190

APPLICATION CONTAINER SECURITY GUIDE

containers. Also, a container built for one OS family should run on any recent OS from that
family.

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

There are two general categories of host OSs used for running containers. General-purpose OSs
like Red Hat Enterprise Linux, Ubuntu, and Windows Server can be used for running many
kinds of apps and can have container-specific functionality added to them. Container-specific
OSs, like CoreOS Container Linux [4], Project Atomic [5], and Google Container-Optimized OS
[6] are minimalistic OSs explicitly designed to only run containers. They typically do not come
with package managers, they have only a subset of the core administration tools, and they
actively discourage running apps outside containers. Often, a container-specific OS uses a readonly file system design to reduce the likelihood of an attacker being able to persist data within it,
and it also utilizes a simplified upgrade process since there is little concern around app
compatibility.
Every host OS used for running containers has binaries that establish and maintain the
environment for each container, also known as the container runtime. The container runtime
coordinates multiple OS components that isolate resources and resource usage so that each
container sees its own dedicated view of the OS and is isolated from other containers running
concurrently. Effectively, the containers and the host OS interact through the container runtime.
The container runtime also provides management tools and application programming interfaces
(APIs) to allow DevOps personnel and others to specify how to run containers on a given host.
The runtime eliminates the need to manually create all the necessary configurations and
simplifies the process of starting, stopping, and operating containers. Examples of runtimes
include Docker [2], rkt [3], and the Open Container Initiative Daemon [7].
Examples of technical capabilities the container runtime ensures the host OS provides include
the following:
•

•

Namespace isolation limits which resources a container may interact with. This includes
file systems, network interfaces, interprocess communications, host names, user
information, and processes. Namespace isolation ensures that apps and processes inside a
container only see the physical and virtual resources allocated to that container. For
example, if you run ‘ps –A’ inside a container running Apache on a host with many other
containers running other apps, you would only see httpd listed in the results. Namespace
isolation provides each container with its own networking stack, including unique
interfaces and IP addresses. Containers on Linux use technologies like masked process
identities to achieve namespace isolation, whereas on Windows, object namespaces are
used.
Resource allocation limits how much of a host’s resources a given container can
consume. For example, if your host OS has 10 gigabytes (GB) of total memory, you may
wish to allocate 1 GB each to nine separate containers. No container should be able to
interfere with the operations of another container, so resource allocation ensures that each
container can only utilize the amount of resources assigned to it. On Linux, this is

6

NIST SP 800-190

•

APPLICATION CONTAINER SECURITY GUIDE

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

accomplished primarily with control groups (cgroups) 4, whereas on Windows job objects
serve a similar purpose.
Filesystem virtualization allows multiple containers to share the same physical storage
without the ability to access or alter the storage of other containers. While arguably
similar to namespace isolation, filesystem virtualization is called out separately because it
also often involves optimizations to ensure that containers are efficiently using the host’s
storage through techniques like copy-on-write. For example, if multiple containers using
the same image are running Apache on a single host, filesystem virtualization ensures
that there is only one copy of the httpd binary stored on disk. If one of the containers
modifies files within itself, only the specifically changed bits will be written to disk, and
those changes will only be visible to the container that executed them. On Linux, these
capabilities are provided by technologies like the Advanced Multi-Layered Unification
Filesystem (AUFS), whereas on Windows they are an extension of the NT File System
(NTFS).

The technical capabilities of containers vary by host OS family. Containers are fundamentally a
mechanism to give each app a unique view of a single OS, so the tools for achieving this
separation are largely OS family-dependent. For example, the methods used to isolate processes
from each other differ between Linux and Windows. However, while the underlying
implementation may be different, commonly used container runtimes provide a common
interface format that largely abstracts these differences from users.
While containers provide a strong degree of isolation, they do not offer as clear and concrete of a
security boundary as a VM. Because containers share the same kernel and can be run with
varying capabilities and privileges on a host, the degree of segmentation between them is far less
than that provided to VMs by a hypervisor. Thus, carelessly configured environments can result
in containers having the ability to interact with each other and the host far more easily and
directly than multiple VMs on the same host.
Although containers are sometimes thought of as the next phase of virtualization, surpassing
hardware virtualization, the reality for most organizations is less about revolution than evolution.
Containers and hardware virtualization not only can, but very frequently do, coexist well and
actually enhance each other’s capabilities. VMs provide many benefits, such as strong isolation,
OS automation, and a wide and deep ecosystem of solutions. Organizations do not need to make
a choice between containers and VMs. Instead, organizations can continue to use VMs to deploy,
partition, and manage their hardware, while using containers to package their apps and utilize
each VM more efficiently.
2.3

Container Technology Architecture

Figure 3 shows the five tiers of the container technology architecture:

4

cgroups are collections of processes that can be managed independently, giving the kernel the software-based ability to
meter subsystems such as memory, processor usage, and disk I/O. Administrators can control these subsystems either
manually or programmatically.

7

NIST SP 800-190

APPLICATION CONTAINER SECURITY GUIDE

1. Developer systems (generate images and send them to testing and accreditation)
2. Testing and accreditation systems (validate and verify the contents of images, sign
images, and send images to the registry)
3. Registries (store images and distribute images to the orchestrator upon request)
4. Orchestrators (convert images into containers and deploy containers to hosts)
5. Hosts (run and stop containers as directed by the orchestrator)

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

Figure 3: Container Technology Architecture Tiers, Components, and Lifecycle Phases

Although there are many administrator system personas involved in the overall process, the
figure depicts only the administrator systems for the internal registry and the orchestrator.
The systems in gray (developer systems, testing and accreditation system, and administrator
systems) are outside the scope of the container technology architecture, but they do have
important interactions with it. In most organizations that use containers, the development and test
environments also leverage containers, and this consistency is one of the key benefits of using
containers. This document does not focus on systems in these environments because the
recommendations for securing them are largely the same as those for the production
environment. The systems in green (internal registry, external registry, and orchestrator) are core
components of a container technology architecture. Finally, the systems in orange (hosts with
containers) are where the containers are used.
Another way to understand the container technology architecture is to consider the container
lifecycle phases, which are depicted at the bottom of Figure 3. The three phases are discussed in
more detail below.
Because organizations are typically building and deploying many different apps at once, these
lifecycle phases often occur concurrently within the same organization and should not be seen as
progressive stages of maturity. Instead, think of them as cycles in an engine that is continuously
running. In this metaphor, each app is a cylinder within the engine, and different apps may be at
different phases of this lifecycle at the same time.
8

NIST SP 800-190

2.3.1

APPLICATION CONTAINER SECURITY GUIDE

Image Creation, Testing, and Accreditation

In the first phase of the container lifecycle, an app’s components are built and placed into an
image (or perhaps into multiple images). An image is a package that contains all the files
required to run a container. For example, an image to run Apache would include the httpd binary,
along with associated libraries and configuration files. An image should only include the
executables and libraries required by the app itself; all other OS functionality is provided by the
OS kernel within the underlying host OS. Images often use techniques like layering and copy-onwrite (in which shared master images are read only and changes are recorded to separate files) to
minimize their size on disk and improve operational efficiency.
This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

Because images are built in layers, the underlying layer upon which all other components are
added is often called the base layer. Base layers are typically minimalistic distributions of
common OSs like Ubuntu and Windows Nano Server with the OS kernel omitted. Users begin
building their full images by starting with one of these base layers, then adding application
frameworks and their own custom code to develop a fully deployable image of their unique app.
Container runtimes support using images from within the same OS family, even if the specific
host OS version is dissimilar. For example, a Red Hat host running Docker can run images
created on any Linux base layer, such as Alpine or Ubuntu. However, it cannot run images
created with a Windows base layer.
The image creation process is managed by developers responsible for packaging an app for
handoff to testing. Image creation typically uses build management and automation tools, such as
Jenkins [8] and TeamCity [9], to assist with what is called the “continuous integration” process.
These tools take the various libraries, binaries, and other components of an app, perform testing
on them, and then assemble images out of them based on the developer-created manifest that
describes how to build an image for the app.
Most container technologies have a declarative way of describing the components and
requirements for the app. For example, an image for a web server would include not only the
executables for the web server, but also some machine-parseable data to describe how the web
server should run, such as the ports it listens on or the configuration parameters it uses.
After image creation, organizations typically perform testing and accreditation. For example, test
automation tools and personnel would use the images built to validate the functionality of the
final form application, and security teams would perform accreditation on these same images.
The consistency of building, testing, and accrediting exactly the same artifacts for an app is one
of the key operational and security benefits of containers.
2.3.2

Image Storage and Retrieval

Images are typically stored in central locations to make it easy to control, share, find, and reuse
them across hosts. Registries are services that allow developers to easily store images as they are
created, tag and catalog images for identification and version control to aid in discovery and
reuse, and find and download images that others have created. Registries may be self-hosted or
consumed as a service. Examples of registries include Amazon EC2 Container Registry [10],
Docker Hub [11], Docker Trusted Registry [12], and Quay Container Registry [13].
9

NIST SP 800-190

APPLICATION CONTAINER SECURITY GUIDE

Registries provide APIs that enable automating common image-related tasks. For example,
organizations may have triggers in the image creation phase that automatically push images to a
registry once tests pass. The registry may have further triggers that automate the deployment of
new images once they have been added. This automation enables faster iteration on projects with
more consistent results.
Once stored in a registry, images can be easily pulled and then run by DevOps personas across
any environment in which they run containers. This is another example of the portability benefits
of containers; image creation may occur in a public cloud provider, which pushes an image to a
registry hosted in a private cloud, which is then used to distribute images for running the app in a
third location.
This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

2.3.3

Container Deployment and Management

Tools known as orchestrators enable DevOps personas or automation working on their behalf to
pull images from registries, deploy those images into containers, and manage the running
containers. This deployment process is what actually results in a usable version of the app,
running and ready to respond to requests. When an image is deployed into a container, the image
itself is not changed, but instead a copy of it is placed within the container and transitioned from
being a dormant set of app code to a running instance of the app. Examples of orchestrators are
Kubernetes [14], Mesos [15], and Docker Swarm [16].
Note that a small, simple container implementation could omit a full-fledged orchestrator.
Orchestrators may also be circumvented or unnecessary in other circumstances. For example, a
host could directly contact a registry in order to pull an image from it for a container runtime. To
simplify the discussions in this publication, the use of an orchestrator will be assumed.
The abstraction provided by an orchestrator allows a DevOps persona to simply specify how
many containers need to be running a given image and what resources, such as memory,
processing, and disk need to be allocated to each. The orchestrator knows the state of each host
within the cluster, including what resources are available for each host, and determines which
containers will run on which hosts. The orchestrator then pulls the required images from the
registry and runs them as containers with the designated resources.
Orchestration tools are also responsible for monitoring container resource consumption, job
execution, and machine health across hosts. Depending on its configuration, an orchestrator may
automatically restart containers on new hosts if the hosts they were initially running on failed.
Many orchestrators enable cross-host container networking and service discovery. Most
orchestrators also include a software-defined networking (SDN) component known as an overlay
network that can be used to isolate communication between apps that share the same physical
network.
When apps in containers need to be updated, the existing containers are not changed, but rather
they are destroyed and new containers created from updated images. This is a key operational
difference with containers: the baseline software from the initial deployment should not change
over time, and updates are done by replacing the entire image at once. This approach has
significant potential security benefits because it enables organizations to build, test, validate, and
10

NIST SP 800-190

APPLICATION CONTAINER SECURITY GUIDE

deploy exactly the same software in exactly the same configuration in each phase. As updates are
made to apps, organizations can ensure that the most recent versions are used, typically by
leveraging orchestrators. Orchestrators are usually configured to pull the most up-to-date version
of an image from the registry so that the app is always up-to-date. This “continuous delivery”
automation enables developers to simply build a new version of the image for their app, test the
image, push it to the registry, and then rely on the automation tools to deploy it to the target
environment.

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

This means that all vulnerability management, including patches and configuration settings, is
typically taken care of by the developer when building a new image version. With containers,
developers are largely responsible for the security of apps and images instead of the operations
team. This change in responsibilities often requires much greater coordination and cooperation
among personnel than was previously necessary. Organizations adopting containers should
ensure that clear process flows and team responsibilities are established for each stakeholder
group.
Container management includes security management and monitoring. However, security
controls designed for non-container environments are often not well suited for use with
containers. For example, consider security controls that take IP addresses into account. This
works well for VMs and bare metal servers with static IP addresses that remain the same for
months or years. Conversely, containers are typically allocated IP addresses by orchestrators, and
because containers are created and destroyed much more frequently than VMs, these IP
addresses change frequently over time as well. This makes it difficult or impossible to protect
containers using security techniques that rely on static IP addresses, such as firewall rulesets
filtering traffic based on IP address. Additionally, a container network can include
communications between containers on the same node, across different nodes, and even across
clouds.
2.4

Container Uses

Like any other technology, containers are not a panacea. They are a valuable tool for many
scenarios, but are not necessarily the best choice for every scenario. For example, an
organization with a large base of legacy off-the-shelf software is unlikely to be able to take
advantage of containers for running most of that software since the vendors may not support it.
However, most organizations will have multiple valuable uses for containers. Examples include:
•

•

Agile development, where apps are frequently updated and deployed. The portability and
declarative nature of containers makes these frequent updates more efficient and easier to
test. This allows organizations to accelerate their innovation and deliver software more
quickly. This also allows vulnerabilities in app code to be fixed and the updated software
tested and deployed much faster.
Environmental consistency and compartmentalization, where developers can have
identical yet separate environments for building, testing, and running the app. Containers
give developers the ability to run the entirety of an exact copy of a production app locally
on a development laptop system, limiting the need for coordination and sharing of testing
environments as well as eliminating the hassle of stale testing environments.

11

NIST SP 800-190

•

•

APPLICATION CONTAINER SECURITY GUIDE

‘Scale out’ scenarios, where an app may need to have many new instances deployed or
decommissioned quickly depending on the load at a given point in time. The
immutability of containers makes it easier to reliably scale out instances, knowing that
each instance is exactly like all the others. Further, because containers are typically
stateless, it is easier to decommission them when they are no longer needed.
Cloud-native apps, where developers can build for a microservices architecture from the
beginning, ensuring more efficient iteration of the app and simplified deployment.

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

Containers provide additional benefits; for example, they can increase the effectiveness of build
pipelines due to the immutable nature of container images. Containers shift the time and location
of production code installation. In non-container systems, app installation happens in production
(i.e., at server runtime), typically by running hand-crafted scripts that manage installation of app
code (e.g., programming language runtime, dependent third-party libraries, init scripts, and OS
tools) on servers. This means that any tests running in a pre-production build pipeline (and on
developers’ workstations) are not testing the actual production artifact, but a best-guess
approximation contained in the build system. This approximation of production tends to drift
from production over time, especially if the teams managing production and the build system are
different. This scenario is the embodiment of the “it works on my machine” problem.
With container technologies, the build system installs the app within the image it creates (i.e., at
compile-time). The image is an immutable snapshot of all userspace requirements of the app
(i.e., programming language runtime, dependent third-party libraries, init scripts, and OS tools).
In production the container image constructed by the build system is simply downloaded and
run. This solves the “works on my machine” problem since the developer, build system, and
production all run the same immutable artifact.
Modern container technologies often also emphasize reuse, such that a container image created
by one developer can be easily shared and reused by other developers, either within the same
organization or among other organizations. Registry services provide centralized image sharing
and discovery services to make it easy for developers to find and reuse software created by
others. This ease of use is also leading many popular software vendors and projects to use
containers as a way to make it easy for customers to find and quickly run their software. For
example, rather than directly installing an app like MongoDB on the host OS, a user can simply
run a container image of MongoDB. Further, since the container runtime isolates containers from
one another and the host OS, these apps can be run more safely and reliably, and users do not
have to worry about them disturbing the underlying host OS.

12

NIST SP 800-190

3

APPLICATION CONTAINER SECURITY GUIDE

Major Risks for Core Components of Container Technologies

This section identifies and analyzes major risks for the core components of container
technologies—images, registries, orchestrators, containers, and host OSs. Because the analysis
looks at core components only, it is applicable to most container deployments regardless of
container technology, host OS platform, or location (public cloud, private cloud, etc.) Two types
of risks are considered:

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

1. Compromise of an image or container. This risk was evaluated using the data-centric
system threat modeling approach described in NIST SP 800-154 [17]. The primary “data”
to protect is the images and containers, which may hold app files, data files, etc. The
secondary data to protect is container data within shared host resources such as memory,
storage, and network interfaces.
2. Misuse of a container to attack other containers, the host OS, other hosts, etc.
All other risks involving the core components, as well as risks involving non-core container
technology components, including developer systems, testing and accreditation systems,
administrator systems, and host hardware and virtual machine managers, are outside the scope of
this document. Appendix A contains pointers to general references for securing non-core
container technology components.
3.1
3.1.1

Image Risks
Image vulnerabilities

Because images are effectively static archive files that include all the components used to run a
given app, components within an image may be missing critical security updates or are otherwise
outdated. An image created with fully up-to-date components may be free of known
vulnerabilities for days or weeks after its creation, but at some time vulnerabilities will be
discovered in one or more image components, and thus the image will no longer be up-to-date.
Unlike traditional operational patterns in which deployed software is updated ‘in the field’ on the
hosts it runs on, with containers these updates must be made upstream in the images themselves,
which are then redeployed. Thus, a common risk in containerized environments is deployed
containers having vulnerabilities because the version of the image used to generate the containers
has vulnerabilities.
3.1.2

Image configuration defects

In addition to software defects, images may also have configuration defects. For example, an
image may not be configured with a specific user account to “run as” and thus run with greater
privileges than needed. As another example, an image may include an SSH daemon, which
exposes the container to unnecessary network risk. Much like in a traditional server or VM,
where a poor configuration can still expose a fully up-to-date system to attack, so too can a
poorly configured image increase risk even if all the included components are up-to-date.

13

NIST SP 800-190

3.1.3

APPLICATION CONTAINER SECURITY GUIDE

Embedded malware

Because images are just collections of files packaged together, malicious files could be included
intentionally or inadvertently within them. Such malware would have the same capabilities as
any other component within the image and thus could be used to attack other containers or hosts
within the environment. A possible source of embedded malware is the use of base layers and
other images provided by third parties of which the full provenance is not known.
3.1.4

Embedded clear text secrets

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

Many apps require secrets to enable secure communication between components. For example, a
web app may need a username and password to connect to a backend database. Other examples
of embedded secrets include connection strings, SSH private keys, and X.509 private keys.
When an app is packaged into an image, these secrets can be embedded directly into the image
file system. However, this practice creates a security risk because anyone with access to the
image can easily parse it to learn these secrets.
3.1.5

Use of untrusted images

One of the most common high-risk scenarios in any environment is the execution of untrusted
software. The portability and ease of reuse of containers increase the temptation for teams to run
images from external sources that may not be well validated or trustworthy. For example, when
troubleshooting a problem with a web app, a user may find another version of that app available
in an image provided by a third party. Using this externally provided image results in the same
types of risks that external software traditionally has, such as introducing malware, leaking data,
or including components with vulnerabilities.
3.2
3.2.1

Registry Risks
Insecure connections to registries

Images often contain sensitive components like an organization’s proprietary software and
embedded secrets. If connections to registries are performed over insecure channels, the contents
of images are subject to the same confidentiality risks as any other data transmitted in the clear.
There is also an increased risk of man-in-the-middle attacks that could intercept network traffic
intended for registries and steal developer or administrator credentials within that traffic, provide
fraudulent or outdated images to orchestrators, etc.
3.2.2

Stale images in registries

Because registries are typically the source location for all the images an organization deploys,
over time the set of images they store can include many vulnerable, out-of-date versions. While
these vulnerable images do not directly pose a threat simply by being stored in the registry, they
increase the likelihood of accidental deployment of a known-vulnerable version.
3.2.3

Insufficient authentication and authorization restrictions

Because registries may contain images used to run sensitive or proprietary apps and to access
sensitive data, insufficient authentication and authorization requirements can lead to intellectual
14

NIST SP 800-190

APPLICATION CONTAINER SECURITY GUIDE

property loss and expose significant technical details about an app to an attacker. Even more
critically, because registries are typically trusted as a source of valid, approved software,
compromise of a registry can potentially lead to compromise of downstream containers and
hosts.
3.3
3.3.1

Orchestrator Risks
Unbounded administrative access

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

Historically, many orchestrators were designed with the assumption that all users interacting
with them would be administrators and those administrators should have environment-wide
control. However, in many cases, a single orchestrator may run many different apps, each
managed by different teams, and with different sensitivity levels. If the access provided to users
and groups is not scoped to their specific needs, a malicious or careless user could affect or
subvert the operation of other containers managed by the orchestrator.
3.3.2

Unauthorized access

Orchestrators often include their own authentication directory service, which may be separate
from the typical directories already in use within an organization. This can lead to weaker
account management practices and ‘orphaned’ accounts in the orchestrator because these
systems are less rigorously managed. Because many of these accounts are highly privileged
within the orchestrator, compromise of them can lead to systemwide compromise.
Containers typically use data storage volumes that are managed by the orchestration tool and are
not host specific. Because a container may run on any given node within a cluster, the data
required by the app within the container must be available to the container regardless of which
host it is running on. At the same time, many organizations manage data that must be encrypted
at rest to prevent unauthorized access.
3.3.3

Poorly separated inter-container network traffic

In most containerized environments, traffic between individual nodes is routed over a virtual
overlay network. This overlay network is typically managed by the orchestrator and is often
opaque to existing network security and management tools. For example, instead of seeing
database queries being sent from a web server container to a database container on another host,
traditional network filters would only see encrypted packets flowing between two hosts, with no
visibility into the actual container endpoints, nor the traffic being sent. Although an encrypted
overlay network provides many operational and security benefits, it can also create a security
‘blindness’ scenario in which organizations are unable to effectively monitor traffic within their
own networks.
Potentially even more critical is the risk of traffic from different apps sharing the same virtual
networks. If apps of different sensitivity levels, such as a public-facing web site and an internal
treasury management app, are using the same virtual network, sensitive internal apps may be
exposed to greater risk from network attack. For example, if the public-facing web site is
compromised, attackers may be able to use shared networks to attack the treasury app.

15

NIST SP 800-190

3.3.4

APPLICATION CONTAINER SECURITY GUIDE

Mixing of workload sensitivity levels

Orchestrators are typically focused primarily on driving the scale and density of workloads. This
means that, by default, they can place workloads of differing sensitivity levels on the same host.
For example, in a default configuration, an orchestrator may place a container running a publicfacing web server on the same host as one processing sensitive financial data, simply because
that host happens to have the most available resources at the time of deployment. In the case of a
critical vulnerability in the web server, this can put the container processing sensitive financial
data at significantly greater risk of compromise.
3.3.5

Orchestrator node trust

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

Maintenance of trust between the nodes in the environment requires special care. The
orchestrator is the most foundational node. Weak orchestrator configurations can expose the
orchestrator and all other container technology components to increased risk. Examples of
possible consequences include:
•
•
•
3.4
3.4.1

Unauthorized hosts joining the cluster and running containers
The compromise of a single cluster host implying compromise of the entire cluster—for
example, if the same key pairs used for authentication are shared across all nodes
Communications between the orchestrator and DevOps personnel, administrators, and
hosts being unencrypted and unauthenticated
Container Risks
Vulnerabilities within the runtime software

While relatively uncommon, vulnerabilities within the runtime software are particularly
dangerous if they allow ‘container escape’ scenarios in which malicious software can attack
resources in other containers and the host OS itself. An attacker may also be able to exploit
vulnerabilities to compromise the runtime software itself, and then alter that software so it allows
the attacker to access other containers, monitor container-to-container communications, etc.
3.4.2

Unbounded network access from containers

By default in most container runtimes, individual containers are able to access each other and the
host OS over the network. If a container is compromised and acting maliciously, allowing this
network traffic may expose other resources in the environment to risk. For example, a
compromised container may be used to scan the network it is connected to in order to find other
weaknesses for an attacker to exploit. This risk is related to that from poorly separated virtual
networks, as discussed in Section 3.3.3, but different because it is focused more on flows from
containers to any outbound destination, not on app “cross talk” scenarios.
Egress network access is more complex to manage in a containerized environment because so
much of the connection is virtualized between containers. Thus, traffic from one container to
another may appear simply as encapsulated packets on the network without directly indicating
the ultimate source, destination, or payload. Tools and operational processes that are not
container aware are not able to inspect this traffic or determine whether it represents a threat.
16

NIST SP 800-190

3.4.3

APPLICATION CONTAINER SECURITY GUIDE

Insecure container runtime configurations

Container runtimes typically expose many configurable options to administrators. Setting them
improperly can lower the relative security of the system. For example, on Linux container hosts,
the set of allowed system calls is often limited by default to only those required for safe
operation of containers. If this list is widened, it may expose containers and the host OS to
increased risk from a compromised container. Similarly, if a container is run in privileged mode,
it has access to all the devices on the host, thus allowing it to essentially act as part of the host
OS and impact all other containers running on it.

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

Another example of an insecure runtime configuration is allowing containers to mount sensitive
directories on the host. Containers should rarely make changes to the host OS file system and
should almost never make changes to locations that control the basic functionality of the host OS
(e.g., /boot or /etc for Linux containers, C:\Windows for Windows containers). If a compromised
container is allowed to make changes to these paths, it could be used to elevate privileges and
attack the host itself as well as other containers running on the host.
3.4.4

App vulnerabilities

Even when organizations are taking the precautions recommended in this guide, containers may
still be compromised due to flaws in the apps they run. This is not a problem with containers
themselves, but instead is just the manifestation of typical software flaws within a container
environment. For example, a containerized web app may be vulnerable to cross-site scripting
vulnerabilities, and a database front end container may be subject to Structured Query Language
(SQL) injection. When a container is compromised, it can be misused in many ways, such as
granting unauthorized access to sensitive information or enabling attacks against other containers
or the host OS.
3.4.5

Rogue containers

Rogue containers are unplanned or unsanctioned containers in an environment. This can be a
common occurrence, especially in development environments, where app developers may launch
containers as a means of testing their code. If these containers are not put through the rigors of
vulnerability scanning and proper configuration, they may be more susceptible to exploits.
Rogue containers therefore pose additional risk to the organization, especially when they persist
in the environment without the awareness of development teams and security administrators.
3.5
3.5.1

Host OS Risks
Large attack surface

Every host OS has an attack surface, which is the collection of all ways attackers can attempt to
access and exploit the host OS’s vulnerabilities. For example, any network-accessible service
provides a potential entry point for attackers, adding to the attack surface. The larger the attack
surface is, the better the odds are that an attacker can find and access a vulnerability, leading to a
compromise of the host OS and the containers running on top of it.

17

NIST SP 800-190

3.5.2

APPLICATION CONTAINER SECURITY GUIDE

Shared kernel

Container-specific OSs have a much smaller attack surface than that of general-purpose OSs. For
example, they do not contain libraries and package managers that enable a general-purpose OS to
directly run database and web server apps. However, although containers provide strong
software-level isolation of resources, the use of a shared kernel invariably results in a larger
inter-object attack surface than seen with hypervisors, even for container-specific OSs. In other
words, the level of isolation provided by container runtimes is not as high as that provided by
hypervisors.
3.5.3

Host OS component vulnerabilities

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

All host OSs, even container-specific ones, provide foundational system components—for
example, the cryptographic libraries used to authenticate remote connections and the kernel
primitives used for general process invocation and management. Like any other software, these
components can have vulnerabilities and, because they exist low in the container technology
architecture, they can impact all the containers and apps that run on these hosts.
3.5.4

Improper user access rights

Container-specific OSs are typically not optimized to support multiuser scenarios since
interactive user logon should be rare. Organizations are exposed to risk when users log on
directly to hosts to manage containers, rather than going through an orchestration layer. Direct
management enables wide-ranging changes to the system and all containers on it, and can
potentially enable a user that only needs to manage a specific app’s containers to impact many
others.
3.5.5

Host OS file system tampering

Insecure container configurations can expose host volumes to greater risk of file tampering. For
example, if a container is allowed to mount sensitive directories on the host OS, that container
can then change files in those directories. These changes could impact the stability and security
of the host and all other containers running on it.

18

NIST SP 800-190

4

APPLICATION CONTAINER SECURITY GUIDE

Countermeasures for Major Risks

This section recommends countermeasures for the major risks identified in Section 3.
4.1

Image Countermeasures

4.1.1

Image vulnerabilities

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

There is a need for container technology-specific vulnerability management tools and processes.
Traditional vulnerability management tools make many assumptions about host durability and
app update mechanisms and frequencies that are fundamentally misaligned with a containerized
model. These tools are often unable to detect vulnerabilities within containers, leading to a false
sense of safety.
Organizations should use tools that take the pipeline-based build approach and immutable nature
of containers and images into their design to provide more actionable and reliable results. Key
aspects of effective tools and processes include:
1. Integration with the entire lifecycle of images, from the beginning of the build process, to
whatever registries the organization is using, to runtime.
2. Visibility into vulnerabilities at all layers of the image, not just the base layer of the
image but also application frameworks and custom software the organization is using.
Visibility should be centralized across the organization and provide flexible reporting and
monitoring views aligned with organizations’ business processes.
3. Policy-driven enforcement; organizations should be able to create “quality gates” at each
stage of the build and deployment process to ensure that only images that meet the
organization’s vulnerability and configuration policies are allowed to progress. For
example, organizations should be able to configure a rule in the build process to prevent
the progression of images that include vulnerabilities with Common Vulnerability
Scoring System (CVSS) [18] ratings above a selected threshold.
4.1.2

Image configuration defects

Organizations should adopt tools and processes to validate and enforce compliance with secure
configuration best practices. For example, images should be configured to run as non-privileged
users. Tools and processes that should be adopted include:
1. Validation of image configuration settings, including vendor recommendations and thirdparty best practices.
2. Ongoing, continuously updated, centralized reporting and monitoring of image
compliance state to identify weaknesses and risks at the organizational level.
3. Enforcement of compliance requirements by optionally preventing the running of noncompliant images.
4. Use of base layers from trusted sources only, frequent updates of base layers, and
selection of base layers from minimalistic technologies like Alpine Linux and Windows
Nano Server to reduce attack surface areas.

19

NIST SP 800-190

APPLICATION CONTAINER SECURITY GUIDE

A final recommendation for image configuration is that SSH and other remote administration
tools designed to provide remote shells to hosts should never be enabled within containers.
Containers should be run in an immutable manner to derive the greatest security benefit from
their use. Enabling remote access to them via these tools implies a degree of change that violates
this principle and exposes them to greater risk of network-based attack. Instead, all remote
management of containers should be done through the container runtime APIs, which may be
accessed via orchestration tools, or by creating remote shell sessions to the host on which the
container is running.
4.1.3

Embedded malware

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

Organizations should continuously monitor all images for embedded malware. The monitoring
processes should include the use of malware signature sets and behavioral detection heuristics
based largely on actual “in the wild” attacks.
4.1.4

Embedded clear text secrets

Secrets should be stored outside of images and provided dynamically at runtime as needed. Most
orchestrators, such as Docker Swarm and Kubernetes, include native management of secrets.
These orchestrators not only provide secure storage of secrets and ‘just in time’ injection to
containers, but also make it much simpler to integrate secret management into the build and
deployment processes. For example, an organization could use these tools to securely provision
the database connection string into a web application container. The orchestrator can ensure that
only the web application container had access to this secret, that it is not persisted to disk, and
that anytime the web app is deployed, the secret is provisioned into it.
Organizations may also integrate their container deployments with existing enterprise secret
management systems that are already in use for storing secrets in non-container environments.
These tools typically provide APIs to retrieve secrets securely as containers are deployed, which
eliminates the need to persist them within images.
Regardless of the tool chosen, organizations should ensure that secrets are only provided to the
specific containers that require them, based on a pre-defined and administrator-controlled setting,
and that secrets are always encrypted at rest and in transit using Federal Information Processing
Standard (FIPS) 140 approved cryptographic algorithms 5 contained in validated cryptographic
modules.
4.1.5

Use of untrusted images

Organizations should maintain a set of trusted images and registries and ensure that only images
from this set are allowed to run in their environment, thus mitigating the risk of untrusted or
malicious components being deployed.
To mitigate these risks, organizations should take a multilayered approach that includes:

5

For more information on NIST-validated cryptographic implementations, see the Cryptographic Module Validation Program
(CMVP) page at https://csrc.nist.gov/groups/STM/cmvp/.

20

NIST SP 800-190

•
•
•
•
•
This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

4.2

APPLICATION CONTAINER SECURITY GUIDE

Capability to centrally control exactly what images and registries are trusted in their
environment;
Discrete identification of each image by cryptographic signature, using a NIST-validated
implementation 6;
Enforcement to ensure that all hosts in the environment only run images from these
approved lists;
Validation of image signatures before image execution to ensure images are from trusted
sources and have not been tampered with; and
Ongoing monitoring and maintenance of these repositories to ensure images within them
are maintained and updated as vulnerabilities and configuration requirements change.
Registry Countermeasures

4.2.1

Insecure connections to registries

Organizations should configure their development tools, orchestrators, and container runtimes to
only connect to registries over encrypted channels. The specific steps vary between tools, but the
key goal is to ensure that all data pushed to and pulled from a registry occurs between trusted
endpoints and is encrypted in transit.
4.2.2

Stale images in registries

The risk of using stale images can be mitigated through two primary methods. First,
organizations can prune registries of unsafe, vulnerable images that should no longer be used.
This process can be automated based on time triggers and labels associated with images.
Second, operational practices should emphasize accessing images using immutable names that
specify discrete versions of images to be used. For example, rather than configuring a
deployment job to use the image called my-app, configure it to deploy specific versions of the
image, such as my-app:2.3 and my-app:2.4 to ensure that specific, known good instances of
images are deployed as part of each job.
Another option is using a “latest” tag for images and referencing this tag in deployment
automation. However, because this tag is only a label attached to the image and not a guarantee
of freshness, organizations should be cautious to not overly trust it. Regardless of whether an
organization chooses to use discrete names or to use a “latest” tag, it is critical that processes be
put in place to ensure that either the automation is using the most recent unique name or the
images tagged “latest” actually do represent the most up-to-date versions.
4.2.3

Insufficient authentication and authorization restrictions

All access to registries that contain proprietary or sensitive images should require authentication.
Any write access to a registry should require authentication to ensure that only images from
trusted entities can be added to it. For example, only allow developers to push images to the
specific repositories they are responsible for, rather than being able to update any repository.

6

For more information on NIST-validated cryptographic implementations, see the Cryptographic Module Validation Program
(CMVP) page at https://csrc.nist.gov/projects/cryptographic-module-validation-program.

21

NIST SP 800-190

APPLICATION CONTAINER SECURITY GUIDE

Organizations should consider federating with existing accounts, such as their own or a cloud
provider’s directory service to take advantage of security controls already in place for those
accounts. All write access to registries should be audited and any read actions for sensitive
images should similarly be logged.
Registries also provide an opportunity to apply context-aware authorization controls to actions.
For example, organizations can configure their continuous integration processes to allow images
to be signed by the authorized personnel and pushed to a registry only after they have passed a
vulnerability scan and compliance assessment. Organizations should integrate these automated
scans into their processes to prevent the promotion and deployment of vulnerable or
misconfigured images.
This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

4.3
4.3.1

Orchestrator Countermeasures
Unbounded administrative access

Especially because of their wide-ranging span of control, orchestrators should use a least
privilege access model in which users are only granted the ability to perform the specific actions
on the specific hosts, containers, and images their job roles require. For example, members of the
test team should only be given access to the images used in testing and the hosts used for running
them, and should only be able to manipulate the containers they created. Test team members
should have limited or no access to containers used in production.
4.3.2

Unauthorized access

Access to cluster-wide administrative accounts should be tightly controlled as these accounts
provide ability to affect all resources in the environment. Organizations should use strong
authentication methods, such as requiring multifactor authentication instead of just a password.
Organizations should implement single sign-on to existing directory systems where applicable.
Single sign-on simplifies the orchestrator authentication experience, makes it easier for users to
use strong authentication credentials, and centralizes auditing of access, making anomaly
detection more effective.
Traditional approaches for data at rest encryption often involve the use of host-based capabilities
that may be incompatible with containers. Thus, organizations should use tools for encrypting
data used with containers that allow the data to be accessed properly from containers regardless
of the node they are running on. Such encryption tools should provide the same barriers to
unauthorized access and tampering, using the same cryptographic approaches as those defined in
NIST SP 800-111 [19].
4.3.3

Poorly separated inter-container network traffic

Orchestrators should be configured to separate network traffic into discrete virtual networks by
sensitivity level. While per-app segmentation is also possible, for most organizations and use
cases, simply defining networks by sensitivity level provides sufficient mitigation of risk with a
manageable degree of complexity. For example, public-facing apps can share a virtual network,

22

NIST SP 800-190

APPLICATION CONTAINER SECURITY GUIDE

internal apps can use another, and communication between the two should occur through a small
number of well-defined interfaces.
4.3.4

Mixing of workload sensitivity levels

Orchestrators should be configured to isolate deployments to specific sets of hosts by sensitivity
levels. The particular approach for implementing this varies depending on the orchestrator in use,
but the general model is to define rules that prevent high sensitivity workloads from being placed
on the same host as those running lower sensitivity workloads. This can be accomplished
through the use of host ‘pinning’ within the orchestrator or even simply by having separate,
individually managed clusters for each sensitivity level.
This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

While most container runtime environments do an effective job of isolating containers from each
other and from the host OS, in some cases it may be an unnecessary risk to run apps of different
sensitivity levels together on the same host OS. Segmenting containers by purpose, sensitivity,
and threat posture provides additional defense in depth. Concepts such as application tiering and
network and host segmentation should be taken into consideration when planning app
deployments. For example, suppose a host is running containers for both a financial database and
a public-facing blog. While normally the container runtime will effectively isolate these
environments from each other, there is also a shared responsibility amongst the DevOps teams
for each app to operate them securely and eliminate unnecessary risk. If the blog app were to be
compromised by an attacker, there would be far fewer layers of defense to protect the database if
the two apps are running on the same host.
Thus, a best practice is to group containers together by relative sensitivity and to ensure that a
given host kernel only runs containers of a single sensitivity level. This segmentation may be
provided by using multiple physical servers, but modern hypervisors also provide strong enough
isolation to effectively mitigate these risks. From the previous example, this may mean that the
organization has two sensitivity levels for their containers. One is for financial apps and the
database is included in that group. The other is for web apps and the blog is included in that
group. The organization would then have two pools of VMs that would each host containers of a
single severity level. For example, the host called vm-financial may host the containers running
the financial database as well as the tax reporting software, while a host called vm-web may host
the blog and the public website.
By segmenting containers in this manner, it will be much more difficult for an attacker who
compromises one of the segments to expand that compromise to other segments. An attacker
who compromises a single server would have limited capabilities to perform reconnaissance and
attacks on other containers of a similar sensitivity level and not have any additional access
beyond it. This approach also ensures that any residual data, such as caches or local volumes
mounted for temp files, stays within the data’s security zone. From the previous example, this
zoning would ensure that any financial data cached locally and residually after container
termination would never be available on a host running an app at a lower sensitivity level.
In larger-scale environments with hundreds of hosts and thousands of containers, this
segmentation must be automated to be practical to operationalize. Fortunately, common
orchestration platforms typically include some notion of being able to group apps together, and
23

NIST SP 800-190

APPLICATION CONTAINER SECURITY GUIDE

container security tools can use attributes like container names and labels to enforce security
policies across them. In these environments, additional layers of defense in depth beyond simple
host isolation may also leverage this segmentation. For example, an organization may implement
separate hosting zones or networks to not only isolate these containers within hypervisors but
also to isolate their network traffic more discretely such that traffic for apps of one sensitivity
level is separate from that of other sensitivity levels.
4.3.5

Orchestrator node trust

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

Orchestration platforms should be configured to provide features that create a secure
environment for all the apps they run. Orchestrators should ensure that nodes are securely
introduced to the cluster, have a persistent identity throughout their lifecycle, and can also
provide an accurate inventory of nodes and their connectivity states. Organizations should ensure
that orchestration platforms are designed specifically to be resilient to compromise of individual
nodes without compromising the overall security of the cluster. A compromised node must be
able to be isolated and removed from the cluster without disrupting or degrading overall cluster
operations. Finally, organizations should choose orchestrators that provide mutually
authenticated network connections between cluster members and end-to-end encryption of intracluster traffic. Because of the portability of containers, many deployments may occur across
networks organizations do not directly control, so a secure-by-default posture is particularly
important for this scenario.
4.4
4.4.1

Container Countermeasures
Vulnerabilities within the runtime software

The container runtime must be carefully monitored for vulnerabilities, and when problems are
detected, they must be remediated quickly. A vulnerable runtime exposes all containers it
supports, as well as the host itself, to potentially significant risk. Organizations should use tools
to look for Common Vulnerabilities and Exposures (CVEs) vulnerabilities in the runtimes
deployed, to upgrade any instances at risk, and to ensure that orchestrators only allow
deployments to properly maintained runtimes.
4.4.2

Unbounded network access from containers

Organizations should control the egress network traffic sent by containers. At minimum, these
controls should be in place at network borders, ensuring containers are not able to send traffic
across networks of differing sensitivity levels, such as from an environment hosting secure data
to the internet, similar to the patterns used for traditional architectures. However, the virtualized
networking model of inter-container traffic poses an additional challenge.
Because containers deployed across multiple hosts typically communicate over a virtual,
encrypted network, traditional network devices are often blind to this traffic. Additionally,
containers are typically assigned dynamic IP addresses automatically when deployed by
orchestrators, and these addresses change continuously as the app is scaled and load balanced.
Thus, ideally, organizations should use a combination of existing network level devices and
more app-aware network filtering. App-aware tools should be able to not just see the intercontainer traffic, but also to dynamically generate the rules used to filter this traffic based on the
24

NIST SP 800-190

APPLICATION CONTAINER SECURITY GUIDE

specific characteristics of the apps running in the containers. This dynamic rule management is
critical due to the scale and rate of change of containerized apps, as well as their ephemeral
networking topology.
Specifically, app-aware tools should provide the following capabilities:
•
•
•
This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

4.4.3

Automated determination of proper container networking surfaces, including both
inbound ports and process-port bindings;
Detection of traffic flows both between containers and other network entities, over both
‘on the wire’ traffic and encapsulated traffic; and
Detection of network anomalies, such as unexpected traffic flows within the
organization’s network, port scanning, or outbound access to potentially dangerous
destinations.
Insecure container runtime configurations

Organizations should automate compliance with container runtime configuration standards.
Documented technical implementation guidance, such as the Center for Internet Security Docker
Benchmark [20], provides details on options and recommended settings, but operationalizing this
guidance depends on automation. Organizations can use a variety of tools to “scan” and assess
their compliance at a point in time, but such approaches do not scale. Instead, organizations
should use tools or processes that continuously assess configuration settings across the
environment and actively enforce them.
Additionally, mandatory access control (MAC) technologies like SELinux [21] and AppArmor
[22] provide enhanced control and isolation for containers running Linux OSs. For example,
these technologies can be used to provide additional segmentation and assurance that containers
should only be able to access specific file paths, processes, and network sockets, further
constraining the ability of even a compromised container to impact the host or other containers.
MAC technologies provide protection at the host OS layer, ensuring that only specific files,
paths, and processes are accessible to containerized apps. Organizations are encouraged to use
the MAC technologies provided by their host OSs in all container deployments.
Secure computing (seccomp) 7 profiles are another mechanism that can be used to constrain the
system-level capabilities containers are allocated at runtime. Common container runtimes like
Docker include default seccomp profiles that drop system calls that are unsafe and typically
unnecessary for container operation. Additionally, custom profiles can be created and passed to
container runtimes to further limit their capabilities. At a minimum, organizations should ensure
that containers are run with the default profiles provided by their runtime and should consider
using additional profiles for high-risk apps.
4.4.4

App vulnerabilities

Existing host-based intrusion detection processes and tools are often unable to detect and prevent
attacks within containers due to the differing technical architecture and operational practices

7

For more information on seccomp, see https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt.

25

NIST SP 800-190

APPLICATION CONTAINER SECURITY GUIDE

previously discussed. Organizations should implement additional tools that are container aware
and designed to operate at the scale and change rate typically seen with containers. These tools
should be able to automatically profile containerized apps using behavioral learning and build
security profiles for them to minimize human interaction. These profiles should then be able to
prevent and detect anomalies at runtime, including events such as:

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

•
•
•
•
•
•
•

Invalid or unexpected process execution,
Invalid or unexpected system calls,
Changes to protected configuration files and binaries,
Writes to unexpected locations and file types,
Creation of unexpected network listeners,
Traffic sent to unexpected network destinations, and
Malware storage or execution.

Containers should also be run with their root filesystems in read-only mode. This approach
isolates writes to specifically defined directories, which can then be more easily monitored by
the aforementioned tools. Furthermore, using read-only filesystems makes the containers more
resilient to compromise since any tampering is isolated to these specific locations and can be
easily separated from the rest of the app.
4.4.5

Rogue containers

Organizations should institute separate environments for development, test, production, and
other scenarios, each with specific controls to provide role-based access control for container
deployment and management activities. All container creation should be associated with
individual user identities and logged to provide a clear audit trail of activity. Further,
organizations are encouraged to use security tools that can enforce baseline requirements for
vulnerability management and compliance prior to allowing an image to be run.
4.5
4.5.1

Host OS Countermeasures
Large attack surface

For organizations using container-specific OSs, the threats are typically more minimal to start
with since the OSs are specifically designed to host containers and have other services and
functionality disabled. Further, because these optimized OSs are designed specifically for
hosting containers, they typically feature read-only file systems and employ other hardening
practices by default. Whenever possible, organizations should use these minimalistic OSs to
reduce their attack surfaces and mitigate the typical risks and hardening activities associated with
general-purpose OSs.
Organizations that cannot use a container-specific OS should follow the guidance in NIST SP
800-123, Guide to General Server Security [23] to reduce the attack surface of their hosts as
much as possible. For example, hosts that run containers should only run containers and not run
other apps, like a web server or database, outside of containers. The host OS should not run
unnecessary system services, such as a print spooler, that increase its attack and patching surface
areas. Finally, hosts should be continuously scanned for vulnerabilities and updates applied
26

NIST SP 800-190

APPLICATION CONTAINER SECURITY GUIDE

quickly, not just to the container runtime but also to lower-level components such as the kernel
that containers rely upon for secure, compartmentalized operation.
4.5.2

Shared kernel

In addition to grouping container workloads onto hosts by sensitivity level, organizations should
not mix containerized and non-containerized workloads on the same host instance. For example,
if a host is running a web server container, it should not also run a web server (or any other app)
as a regularly installed component directly within the host OS. Keeping containerized workloads
isolated to container-specific hosts makes it simpler and safer to apply countermeasures and
defenses that are optimized for protecting containers.
This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

4.5.3

Host OS component vulnerabilities

Organizations should implement management practices and tools to validate the versioning of
components provided for base OS management and functionality. Even though containerspecific OSs have a much more minimal set of components than general-purpose OSs, they still
do have vulnerabilities and still require remediation. Organizations should use tools provided by
the OS vendor or other trusted organizations to regularly check for and apply updates to all
software components used within the OS. The OS should be kept up to date not only with
security updates, but also the latest component updates recommended by the vendor. This is
particularly important for the kernel and container runtime components as newer releases of
these components often add additional security protections and capabilities beyond simply
correcting vulnerabilities. Some organizations may choose to simply redeploy new OS instances
with the necessary updates, rather than updating existing systems. This approach is also valid,
although it often requires more sophisticated operational practices.
Host OSs should be operated in an immutable manner with no data or state stored uniquely and
persistently on the host and no application-level dependencies provided by the host. Instead, all
app components and dependencies should be packaged and deployed in containers. This enables
the host to be operated in a nearly stateless manner with a greatly reduced attack surface.
Additionally, it provides a more trustworthy way to identify anomalies and configuration drift.
4.5.4

Improper user access rights

Though most container deployments rely on orchestrators to distribute jobs across hosts,
organizations should still ensure that all authentication to the OS is audited, login anomalies are
monitored, and any escalation to perform privileged operations is logged. This makes it possible
to identify anomalous access patterns such as an individual logging on to a host directly and
running privileged commands to manipulate containers.
4.5.5

Host file system tampering

Ensure that containers are run with the minimal set of file system permissions required. Very
rarely should containers mount local file systems on a host. Instead, any file changes that
containers need to persist to disk should be made within storage volumes specifically allocated
for this purpose. In no case should containers be able to mount sensitive directories on a host’s
file system, especially those containing configuration settings for the operating system.
27

NIST SP 800-190

APPLICATION CONTAINER SECURITY GUIDE

Organizations should use tools that can monitor what directories are being mounted by
containers and prevent the deployment of containers that violate these policies.
4.6

Hardware Countermeasures

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

Software-based security is regularly defeated, as acknowledged in NIST SP 800-164 [24]. NIST
defines trusted computing requirements in NIST SPs 800-147 [25], 800-155 [26], and 800-164.
To NIST, “trusted” means that the platform behaves as it is expected to: the software inventory is
accurate, the configuration settings and security controls are in place and operating as they
should, and so on. “Trusted” also means that it is known that no unauthorized person has
tampered with the software or its configuration on the hosts. Hardware root of trust is not a
concept unique to containers, but container management and security tools can leverage
attestations for the rest of the container technology architecture to ensure containers are being
run in secure environments.
The currently available way to provide trusted computing is to:
1. Measure firmware, software, and configuration data before it is executed using a Root of
Trust for Measurement (RTM).
2. Store those measurements in a hardware root of trust, like a trusted platform module
(TPM).
3. Validate that the current measurements match the expected measurements. If so, it can be
attested that the platform can be trusted to behave as expected.
TPM-enabled devices can check the integrity of the machine during the boot process, enabling
protection and detection mechanisms to function in hardware, at pre-boot, and in the secure boot
process. This same trust and integrity assurance can be extended beyond the OS and the boot
loader to the container runtimes and apps. Note that while standards are being developed to
enable verification of hardware trust by users of cloud services, not all clouds expose this
functionality to their customers. In cases where technical verification is not provided,
organizations should address hardware trust requirements as part of their service agreements with
cloud providers.
The increasing complexity of systems and the deeply embedded nature of today’s threats means
that security should extend across all container technology components, starting with the
hardware and firmware. This would form a distributed trusted computing model and provide the
most trusted and secure way to build, run, orchestrate, and manage containers.
The trusted computing model should start with measured/secure boot, which provides a verified
system platform, and build a chain of trust rooted in hardware and extended to the bootloaders,
the OS kernel, and the OS components to enable cryptographic verification of boot mechanisms,
system images, container runtimes, and container images. For container technologies, these
techniques are currently applicable at the hardware, hypervisor, and host OS layers, with early
work in progress to apply these to container-specific components.

28

NIST SP 800-190

APPLICATION CONTAINER SECURITY GUIDE

As of this writing, NIST is collaborating with industry partners to build reference architectures
based on commercial off-the-shelf products that demonstrate the trusted computing model for
container environments. 8

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190
8

For more information on previous NIST efforts in this area, see NIST IR 7904, Trusted Geolocation in the Cloud: Proof of
Concept Implementation [27].

29

NIST SP 800-190

5

APPLICATION CONTAINER SECURITY GUIDE

Container Threat Scenario Examples

To illustrate the effectiveness of the recommended countermeasures from Section 4, consider the
following threat scenario examples for containers.
5.1

Exploit of a Vulnerability within an Image

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

One of the most common threats to a containerized environment is application-level
vulnerabilities in the software within containers. For example, an organization may build an
image based on a common web app. If that app has a vulnerability, it may be used to subvert the
app within the container. Once compromised, the attacker may be able to map other systems in
the environment, attempt to elevate privileges within the compromised container, or abuse the
container for use in attacks on other systems (such as acting as a file dropper or command and
control endpoint).
Organizations that adopt the recommended countermeasures would have multiple layers of
defense in depth against such threats:
1. Detecting the vulnerable image early in the deployment process and having controls in
place to prevent vulnerable images from being deployed would prevent the vulnerability
from being introduced into production.
2. Container-aware network monitoring and filtering would detect anomalous connections
to other containers during the attempt to map other systems.
3. Container-aware process monitoring and malware detection would detect the running of
invalid or unexpected malicious processes and the data they introduce into the
environment.
5.2

Exploit of the Container Runtime

While an uncommon occurrence, if a container runtime were compromised, an attacker could
utilize this access to attack all the containers on the host and even the host itself.
Relevant mitigations for this threat scenario include:
1. The usage of mandatory access control capabilities can provide additional barriers to
ensure that process and file system activity is still segmented within the defined
boundaries.
2. Segmentation of workloads ensures that the scope of the compromise would be limited to
apps of a common sensitivity level that are sharing the host. For example, a compromised
runtime on a host only running web apps would not impact runtimes on other hosts
running containers for financial apps.
3. Security tools that can report on the vulnerability state of runtimes and prevent the
deployment of images to vulnerable runtimes can prevent workloads from running there.
5.3

Running a Poisoned Image

Because images are easily sourced from public locations, often with unknown provenance, an
attacker may embed malicious software within images known to be used by a target. For
30

NIST SP 800-190

APPLICATION CONTAINER SECURITY GUIDE

example, if an attacker determines that a target is active on a discussion board about a particular
project and uses images provided by that project’s web site, the attacker may seek to craft
malicious versions of these images for use in an attack.
Relevant mitigations include:

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

1. Ensuring that only vetted, tested, validated, and digitally signed images are allowed to be
uploaded to an organization’s registries.
2. Ensuring that only trusted images are allowed to run, which will prevent images from
external, unvetted sources from being used.
3. Automatically scanning images for vulnerabilities and malware, which may detect
malicious code such as rootkits embedded within an image.
4. Implementing runtime controls that limit the container's ability to abuse resources,
escalate privileges, and run executables.
5. Using container-level network segmentation to limit the “blast radius” of what the
poisoned image might do.
6. Validating a container runtime operates following least-privilege and least-access
principles.
7. Building a threat profile of the container's runtime. This includes, but is not limited to,
processes, network calls, and filesystem changes.
8. Validating the integrity of images before runtime by leveraging hashes and digital
signatures.
9. Restrict images from being run based on rules establishing acceptable vulnerability
severity levels. For example, prevent images with vulnerabilities that have a Moderate or
higher CVSS rating from being run.

31

NIST SP 800-190

6

APPLICATION CONTAINER SECURITY GUIDE

Container Technology Life Cycle Security Considerations

It is critically important to carefully plan before installing, configuring, and deploying container
technologies. This helps ensure that the container environment is as secure as possible and is in
compliance with all relevant organizational policies, external regulations, and other
requirements.

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

There is a great deal of similarity in the planning and implementation recommendations for
container technologies and virtualization solutions. Section 5 of NIST SP 800-125 [1] already
contains a full set of recommendations for virtualization solutions. Instead of repeating all those
recommendations here, this section points readers to that document and states that, besides the
exceptions listed below, organizations should apply all the NIST SP 800-125 Section 5
recommendations in a container technology context. For example, instead of creating a
virtualization security policy, create a container technology security policy.
This section of the document lists exceptions and additions to the NIST SP 800-125 Section 5
recommendations, grouped by the corresponding phase in the planning and implementation life
cycle.
6.1

Initiation Phase

Organizations should consider how other security policies may be affected by containers and
adjust these policies as needed to take containers into consideration. For example, policies for
incident response (especially forensics) and vulnerability management may need to be adjusted
to take into account the special requirements of containers.
The introduction of container technologies might disrupt the existing culture and software
development methodologies within the organization. To take full advantage of the benefits
containers can provide, the organization’s processes should be tailored to support this new way
of developing, running, and supporting apps. Traditional development practices, patching
techniques, and system upgrade processes might not directly apply to a containerized
environment, and it is important that the employees within the organization are willing to adapt
to a new model. New processes can consider and address any potential culture shock that is
introduced by the technology shift. Education and training can be offered to anyone involved in
the software development lifecycle to allow people to become comfortable with the new way to
build, ship, and run apps.
6.2

Planning and Design Phase

The primary container-specific consideration for the planning and design phase is forensics.
Because containers mostly build on components already present in OSs, the tools and techniques
for performing forensics in a containerized environment are mostly an evolution of existing
practices. The immutable nature of containers and images can actually improve forensic
capabilities because the demarcation between what an image should do and what actually
occurred during an incident is clearer. For example, if a container launched to run a web server
suddenly starts a mail relay, it is very clear that the new process was not part of the original

32

NIST SP 800-190

APPLICATION CONTAINER SECURITY GUIDE

image used to create the container. On traditional platforms, with less separation between the OS
and apps, making this differentiation can be much more difficult.
Organizations that are familiar with process, memory, and disk incident response activities will
find them largely similar when working with containers. However, there are some differences to
keep in mind as well.

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

Containers typically use a layered file system that is virtualized from the host OS. Directly
examining paths on the hosts typically only reveals the outer boundary of these layers, not the
files and data within them. Thus, when responding to incidents in containerized environments,
users should identify the specific storage provider in use and understand how to properly
examine its contents offline.
Containers are typically connected to each other using virtualized overlay networks. These
overlay networks frequently use encapsulation and encryption to allow the traffic to be routed
over existing networks securely. However, this means that when investigating incidents on
container networks, particularly when doing any live packet analysis, the tools used must be
aware of these virtualized networks and understand how to extract the embedded IP frames from
within them for parsing with existing tools.
Process and memory activity within containers is largely similar to that which would be observed
within traditional apps, but with different parent processes. For example, container runtimes may
spawn all processes within containers in a nested fashion in which the runtime is the top-level
process with first-level descendants per container and second-level descendants for each process
within the container. For example:
├─containerd─┬───┬───[container1─┬─bash]
│
│
│
└─8*[{thread}]]
│
│
├─container2────┬─start.sh─┬─mongod───22*[{mongod}]
│
│
│
│
└─node─┬─4*[{V8 WorkerThread}]
│
│
│
│
└─5*[{node}]
│
│
│
└─8*[{thread}]
│
│
├─container3────┬─mysqld───28*[{mysqld}]
│
│
│
└─8*[{thread}]

6.3

Implementation Phase

After the container technology has been designed, the next step is to implement and test a
prototype of the design before putting the solution into production. Be aware that container
technologies do not offer the types of introspection capabilities that VM technologies do.
NIST SP 800-125 [1] cites several aspects of virtualization technologies that should be evaluated
before production deployment, including authentication, connectivity and networking, app
functionality, management, performance, and the security of the technology itself. In addition to
those, it is important to also evaluate the container technology’s isolation capabilities. Ensure
that processes within the container can access all resources they are permitted to and cannot view
or access any other resources.

33

NIST SP 800-190

APPLICATION CONTAINER SECURITY GUIDE

Implementation may require new security tools that are specifically focused on containers and
cloud-native apps and that have visibility into their operations that traditional tools lack. Finally,
deployment may also include altering the configuration of existing security controls and
technologies, such as security event logging, network management, code repositories, and
authentication servers both to work with containers directly and to integrate with these new
container security tools.

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

When the prototype evaluation has been completed and the container technology is ready for
production usage, containers should initially be used for a small number of apps. Problems that
occur are likely to affect multiple apps, so it is helpful to identify these problems early on so they
can be addressed before further deployment. A phased deployment also provides time for
developers and IT staff (e.g., system administrators, help desk) to be trained on its usage and
support.
6.4

Operations and Maintenance Phase

Operational processes that are particularly important for maintaining the security of container
technologies, and thus should be performed regularly, include updating all images and
distributing those updated images to containers to take the place of older images. Other security
best practices, such as performing vulnerability management and updates for other supporting
layers like hosts and orchestrators, are also key ongoing operational tasks. Container security and
monitoring tools should similarly be integrated with existing security information and event
management (SIEM) tools to ensure container-related events flow through the same tools and
processes used to provide security throughout the rest of the environment.
If and when security incidents occur within a containerized environment, organizations should be
prepared to respond with processes and tools that are optimized for the unique aspects of
containers. The core guidance outlined in NIST SP 800-61, Computer Security Incident
Handling Guide [28], is very much applicable for containerized environments as well. However,
organizations adopting containers should ensure they enhance their responses for some of the
unique aspects of container security.
•
•

•

Because containerized apps may be run by a different team than the traditional operations
team, organizations should ensure that whatever teams are responsible for container
operations are brought into the incident response plan and understand their role in it.
As discussed throughout this document, the ephemeral and automated nature of container
management may not be aligned with the asset management policies and tools an
organization has traditionally used. Incident response teams must be able to know the
roles, owners, and sensitivity levels of containers, and be able to integrate this data into
their process.
Clear procedures should be defined to respond to container related incidents. For
example, if a particular image is being exploited, but that image is in use across hundreds
of containers, the response team may need to shut down all of these containers to stop the
attack. While single vulnerabilities have long been able to cause problems across many
systems, with containers, the response may require rebuilding and redeploying a new
image widely, rather than installing a patch to existing systems. This change in response

34

NIST SP 800-190

•

6.5

APPLICATION CONTAINER SECURITY GUIDE

may involve different teams and approvals and should be understood and practiced ahead
of time.
As discussed previously, logging and other forensic data may be stored differently in a
containerized environment. Incident response teams should be familiar with the different
tools and techniques required to gather data and have documented processes specifically
for these environments.
Disposition Phase

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

The ability for containers to be deployed and destroyed automatically based on the needs of an
app allows for highly efficient systems but can also introduce some challenges for records
retention, forensic, and event data requirements. Organizations should make sure that appropriate
mechanisms are in place to satisfy their data retention policies. Examples of issues that should be
addressed are how containers and images should be destroyed, what data should be extracted
from a container before disposal and how that data extraction should be performed, how
cryptographic keys used by a container should be revoked or deleted, etc.
Data stores and media that support the containerized environment should be included in any
disposal plans developed by the organization.

35

NIST SP 800-190

7

APPLICATION CONTAINER SECURITY GUIDE

Conclusion

Containers represent a transformational change in the way apps are built and run. They do not
necessitate dramatically new security best practices; on the contrary, most important aspects of
container security are refinements of well-established techniques and principles. This document
has updated and expanded general security recommendations to take the risks particular to
container technologies into account.
This document has already discussed some of the differences between securing containers and
securing the same apps in VMs. It is useful to summarize the guidance in this document around
those points.
This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

In container environments there are many more entities, so security processes and tools must be
able to scale accordingly. Scale does not just mean the total number of objects supported in a
database, but also how effectively and autonomously policy can be managed. Many
organizations struggle with the burden of managing security across hundreds of VMs. As
container-centric architectures become the norm and these organizations are responsible for
thousands or tens of thousands of containers, their security practices should emphasize
automation and efficiency to keep up.
With containers there is a much higher rate of change, moving from updating an app a few times
a year to a few times a week or even a day. What used to be acceptable to do manually no longer
is. Automation is not just important to deal with the net number of entities, but also with how
frequently those entities change. Being able to centrally express policy and have software
manage enforcement of it across the environment is vital. Organizations that adopt containers
should be prepared to manage this frequency of change. This may require fundamentally new
operational practices and organizational evolution.
The use of containers shifts much of the responsibility for security to developers, so
organizations should ensure their developers have all the information, skills, and tools they need
to make sound decisions. Also, security teams should be enabled to actively enforce quality
throughout the development cycle. Organizations that are successful at this transition gain
security benefit in being able to respond to vulnerabilities faster and with less operational burden
than ever before.
Security must be as portable as the containers themselves, so organizations should adopt
techniques and tools that are open and work across platforms and environments. Many
organizations will see developers build in one environment, test in another, and deploy in a third,
so having consistency in assessment and enforcement across these is key. Portability is also not
just environmental but also temporal. Continuous integration and deployment practices erode the
traditional walls between phases of the development and deployment cycle, so organizations
need to ensure consistent, automated security practices across creation of the image, storage of
the image in registries, and running of the images in containers.
Organizations that navigate these changes can begin to leverage containers to actually improve
their overall security. The immutability and declarative nature of containers enables
organizations to begin realizing the vision of more automated, app-centric security that requires
36

NIST SP 800-190

APPLICATION CONTAINER SECURITY GUIDE

minimal manual involvement and that updates itself as the apps change. Containers are an
enabling capability in organizations moving from reactive, manual, high-cost security models to
those that enable better scale and efficiency, thus lowering risk.

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

37

NIST SP 800-190

APPLICATION CONTAINER SECURITY GUIDE

Appendix A—NIST Resources for Securing Non-Core Components

This appendix lists NIST resources for securing non-core container technology components,
including developer systems, testing and accreditation systems, administrator systems, and host
hardware and virtual machine managers. Many more resources are available from other
organizations.
Table 1: NIST Resources for Securing Non-Core Components
Resource Name and URI

Applicability

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

SP 800-40 Revision 3, Guide to Enterprise Patch Management Technologies
https://doi.org/10.6028/NIST.SP.800-40r3

All IT products and systems

SP 800-46 Revision 2, Guide to Enterprise Telework, Remote Access, and Bring
Your Own Device (BYOD) Security
https://doi.org/10.6028/NIST.SP.800-46r2

Client operating systems,
client apps

SP 800-53 Revision 4, Security and Privacy Controls for Federal Information
Systems and Organizations
https://doi.org/10.6028/NIST.SP.800-53r4

All IT products and systems

SP 800-70 Revision 3, National Checklist Program for IT Products: Guidelines for
Checklist Users and Developers
https://doi.org/10.6028/NIST.SP.800-70r3

Server operating systems,
client operating systems,
server apps, client apps

SP 800-83 Revision 1, Guide to Malware Incident Prevention and Handling for
Desktops and Laptops
https://doi.org/10.6028/NIST.SP.800-83r1

Client operating systems,
client apps

SP 800-123, Guide to General Server Security
https://doi.org/10.6028/NIST.SP.800-123

Servers

SP 800-124 Revision 1, Guidelines for Managing the Security of Mobile Devices in
the Enterprise
https://doi.org/10.6028/NIST.SP.800-124r1

Mobile devices

SP 800-125, Guide to Security for Full Virtualization Technologies
https://doi.org/10.6028/NIST.SP.800-125

Hypervisors and virtual
machines

SP 800-125A, Security Recommendations for Hypervisor Deployment (Second
Draft) https://csrc.nist.gov/publications/detail/sp/800-125A/draft

Hypervisors and virtual
machines

SP 800-125B, Secure Virtual Network Configuration for Virtual Machine (VM)
Protection
https://doi.org/10.6028/NIST.SP.800-125B

Hypervisors and virtual
machines

SP 800-147, BIOS Protection Guidelines
https://doi.org/10.6028/NIST.SP.800-147

Client hardware

SP 800-155, BIOS Integrity Measurement Guidelines
https://csrc.nist.gov/publications/detail/sp/800-155/draft

Client hardware

SP 800-164, Guidelines on Hardware-Rooted Security in Mobile Devices
https://csrc.nist.gov/publications/detail/sp/800-164/draft

Mobile devices

38

NIST SP 800-190

APPLICATION CONTAINER SECURITY GUIDE

Appendix B—NIST SP 800-53 and NIST Cybersecurity Framework Security Controls
Related to Container Technologies

The security controls from NIST SP 800-53 Revision 4 [29] that are most important for container
technologies are listed in Table 2.
Table 2: Security Controls from NIST SP 800-53 for Container Technology Security
NIST SP 800-53 Control

Related Controls

References

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

AC-2, Account
Management

AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20,
AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3,
MA-4, MA-5, PL-4, SC-13

AC-3, Access Enforcement

AC-2, AC-4, AC-5, AC-6, AC-16, AC-17, AC-18, AC-19,
AC-20, AC-21, AC- 22, AU-9, CM-5, CM-6, CM-11, MA-3,
MA-4, MA-5, PE-3

AC-4, Information Flow
Enforcement

AC-3, AC-17, AC-19, AC-21, CM-6, CM-7, SA-8, SC-2,
SC-5, SC-7, SC-18

AC-6, Least Privilege

AC-2, AC-3, AC-5, CM-6, CM-7, PL-2

AC-17, Remote Access

AC-2, AC-3, AC-18, AC-19, AC-20, CA-3, CA-7, CM-8,
IA-2, IA-3, IA-8, MA-4, PE-17, PL-4, SC-10, SI-4

NIST SPs 800-46, 800-77,
800-113, 800-114, 800121

AT-3, Role-Based Security
Training

AT-2, AT-4, PL-4, PS-7, SA-3, SA-12, SA-16

C.F.R. Part 5 Subpart C
(5C.F.R.930.301); NIST
SPs 800-16, 800- 50

AU-2, Audit Events

AC-6, AC-17, AU-3, AU-12, MA-4, MP-2, MP-4, SI-4

NIST SP 800-92;
https://idmanagement.gov/

AU-5, Response to Audit
Processing Failures

AU-4, SI-12

AU-6, Audit Review,
Analysis, and Reporting

AC-2, AC-3, AC-6, AC-17, AT-3, AU-7, AU-16, CA-7, CM5, CM-10, CM-11, IA-3, IA-5, IR-5, IR-6, MA-4, MP-4, PE3, PE-6, PE-14, PE-16, RA-5, SC-7, SC-18, SC-19, SI-3,
SI-4, SI-7

AU-8, Time Stamps

AU-3, AU-12

AU-9, Protection of Audit
Information

AC-3, AC-6, MP-2, MP-4, PE-2, PE-3, PE-6

AU-12, Audit Generation

AC-3, AU-2, AU-3, AU-6, AU-7

CA-9, Internal System
Connections

AC-3, AC-4, AC-18, AC-19, AU-2, AU-12, CA- 7, CM-2,
IA-3, SC-7, SI-4

CM-2, Baseline
Configuration

CM-3, CM-6, CM-8, CM-9, SA-10, PM-5, PM-7

NIST SP 800-128

CM-3, Configuration
Change Control

CA-7, CM-2, CM-4, CM-5, CM-6, CM-9, SA-10, SI- 2, SI12

NIST SP 800-128

CM-4, Security Impact
Analysis

CA-2, CA-7, CM-3, CM-9, SA-4, SA-5, SA-10, SI-2

NIST SP 800-128

CM-5, Access Restrictions
for Change

AC-3, AC-6, PE-3

CM-6, Configuration
Settings

AC-19, CM-2, CM-3, CM-7, SI-4

39

OMB Memoranda 07-11,
07-18, 08-22; NIST SPs
800-70, 800-128;
https://nvd.nist.gov;
https://checklists.nist.gov;
https://www.nsa.gov

NIST SP 800-190

APPLICATION CONTAINER SECURITY GUIDE

NIST SP 800-53 Control

Related Controls

References

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

CM-7, Least Functionality

AC-6, CM-2, RA-5, SA-5, SC-7

DoD Instruction 8551.01

CM-9, Configuration
Management Plan

CM-2, CM-3, CM-4, CM-5, CM-8, SA-10

NIST SP 800-128

CP-2, Contingency Plan

AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP2, MP-4, MP-5, PM-8, PM-11

Federal Continuity
Directive 1; NIST SP 80034

CP-9, Information System
Backup

CP-2, CP- 6, MP-4, MP-5, SC-13

NIST SP 800-34

CP-10, Information System
Recovery and
Reconstitution

CA-2, CA-6, CA-7, CP-2, CP-6, CP-7, CP-9, SC-24

Federal Continuity
Directive 1; NIST SP 80034

IA-2, Identification and
Authentication
(Organizational Users)

AC-2, AC-3, AC-14, AC-17, AC-18, IA-4, IA-5, IA-8

HSPD-12; OMB
Memoranda 04-04, 06-16,
11-11; FIPS 201; NIST
SPs 800-63, 800-73, 80076, 800-78; FICAM
Roadmap and
Implementation Guidance;
https://idmanagement.gov/

IA-4, Identifier
Management

AC-2, IA-2, IA-3, IA-5, IA-8, SC-37

FIPS 201; NIST SPs 80073, 800-76, 800-78

IA-5, Authenticator
Management

AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5,
PS-6, SC-12, SC-13, SC-17, SC-28

OMB Memoranda 04-04,
11-11; FIPS 201; NIST
SPs 800-63, 800-73, 80076, 800-78; FICAM
Roadmap and
Implementation Guidance;
https://idmanagement.gov/

IR-1, Incident Response
Policy and Procedures

PM-9

NIST SPs 800-12, 800-61,
800-83, 800-100

IR-4, Incident Handling

AU-6, CM-6, CP-2, CP-4, IR-2, IR-3, IR-8, PE-6, SC-5,
SC-7, SI-3, SI-4, SI-7

EO 13587; NIST SP 80061

MA-2, Controlled
Maintenance

CM-3, CM-4, MA-4, MP-6, PE-16, SA-12, SI-2

MA-4, Nonlocal
Maintenance

AC- 2, AC-3, AC-6, AC-17, AU-2, AU-3, IA-2, IA-4, IA-5,
IA-8, MA-2, MA-5, MP-6, PL-2, SC-7, SC-10, SC-17

FIPS 140-2, 197, 201;
NIST SPs 800-63, 800-88;
CNSS Policy 15

PL-2, System Security
Plan

AC-2, AC-6, AC-14, AC-17, AC-20, CA-2, CA-3, CA-7,
CM-9, CP-2, IR-8, MA-4, MA-5, MP-2, MP-4, MP-5, PL-7,
PM-1, PM-7, PM-8, PM-9, PM-11, SA-5, SA-17

NIST SP 800-18

PL-4, Rules of Behavior

AC-2, AC-6, AC-8, AC-9, AC-17, AC-18, AC-19, AC-20,
AT-2, AT-3, CM-11, IA-2, IA-4, IA-5, MP-7, PS-6, PS-8,
SA-5

NIST SP 800-18

RA-2, Security
Categorization

CM-8, MP-4, RA-3, SC-7

FIPS 199; NIST SPs 80030, 800-39, 800-60

RA-3, Risk Assessment

RA-2, PM-9

OMB Memorandum 0404; NIST SPs 800-30,
800-39;
https://idmanagement.gov/

SA-10, Developer
Configuration
Management

CM-3, CM-4, CM-9, SA-12, SI-2

NIST SP 800-128

40

NIST SP 800-190

APPLICATION CONTAINER SECURITY GUIDE

NIST SP 800-53 Control

Related Controls

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

SA-11, Developer Security
Testing and Evaluation

CA-2, CM-4, SA-3, SA-4, SA-5, SI-2

SA-15, Development
Process, Standards, and
Tools

SA-3, SA-8

SA-19, Component
Authenticity

PE-3, SA-12, SI-7

SC-2, Application
Partitioning

SA-4, SA-8, SC-3

SC-4, Information in
Shared Resources

AC-3, AC-4, MP-6

References
ISO/IEC 15408; NIST SP
800-53A;
https://nvd.nist.gov;
http://cwe.mitre.org;
http://cve.mitre.org;
http://capec.mitre.org

SC-6, Resource
Availability
SC-8, Transmission
Confidentiality and
Integrity

AC-17, PE-4

FIPS 140-2, 197; NIST
SPs 800-52, 800-77, 80081, 800-113; CNSS Policy
15; NSTISSI No. 7003

SI-2, Flaw Remediation

CA-2, CA-7, CM-3, CM-5, CM-8, MA-2, IR-4, RA-5, SA10, SA-11, SI-11

NIST SPs 800-40, 800128

SI-4, Information System
Monitoring

AC-3, AC-4, AC-8, AC-17, AU-2, AU-6, AU-7, AU-9, AU12, CA-7, IR-4, PE-3, RA-5, SC-7, SC-26, SC-35, SI-3,
SI-7

NIST SPs 800-61, 800-83,
800-92, 800-137

SI-7, Software, Firmware,
and Information Integrity

SA-12, SC-8, SC-13, SI-3

NIST SPs 800-147, 800155

The list below details the NIST Cybersecurity Framework [30] subcategories that are most
important for container technology security.
•

•

•

Identify: Asset Management
o ID.AM-3: Organizational communication and data flows are mapped
o ID.AM-5: Resources (e.g., hardware, devices, data, and software) are prioritized
based on their classification, criticality, and business value
Identify: Risk Assessment
o ID.RA-1: Asset vulnerabilities are identified and documented
o ID.RA-3: Threats, both internal and external, are identified and documented
o ID.RA-4: Potential business impacts and likelihoods are identified
o ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
o ID.RA-6: Risk responses are identified and prioritized
Protect: Access Control
o PR.AC-1: Identities and credentials are managed for authorized devices and users
o PR.AC-2: Physical access to assets is managed and protected
o PR.AC-3: Remote access is managed
o PR.AC-4: Access permissions are managed, incorporating the principles of least
privilege and separation of duties
41

NIST SP 800-190

•

•

•
This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

•

•

•
•

•
•
•

APPLICATION CONTAINER SECURITY GUIDE

Protect: Awareness and Training
o PR.AT-2: Privileged users understand roles & responsibilities
o PR.AT-5: Physical and information security personnel understand roles &
responsibilities
Protect: Data Security
o PR.DS-2: Data-in-transit is protected
o PR.DS-4: Adequate capacity to ensure availability is maintained
o PR.DS-5: Protections against data leaks are implemented
o PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and
information integrity
Protect: Information Protection Processes and Procedures
o PR.IP-1: A baseline configuration of information technology/industrial control
systems is created and maintained
o PR.IP-3: Configuration change control processes are in place
o PR.IP-6: Data is destroyed according to policy
o PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery
plans (Incident Recovery and Disaster Recovery) are in place and managed
o PR.IP-12: A vulnerability management plan is developed and implemented
Protect: Maintenance
o PR.MA-1: Maintenance and repair of organizational assets is performed and logged
in a timely manner, with approved and controlled tools
o PR.MA-2: Remote maintenance of organizational assets is approved, logged, and
performed in a manner that prevents unauthorized access
Protect: Protective Technology
o PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed
in accordance with policy
o PR.PT-3: Access to systems and assets is controlled, incorporating the principle of
least functionality
Detect: Anomalies and Events
o DE.AE-2: Detected events are analyzed to understand attack targets and methods
Detect: Security Continuous Monitoring
o DE.CM-1: The network is monitored to detect potential cybersecurity events
o DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software
is performed
Respond: Response Planning
o RS.RP-1: Response plan is executed during or after an event
Respond: Analysis
o RS.AN-1: Notifications from detection systems are investigated
o RS.AN-3: Forensics are performed
Respond: Mitigation
o RS.MI-1: Incidents are contained
o RS.MI-2: Incidents are mitigated
o RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted
risks

42

NIST SP 800-190

•

APPLICATION CONTAINER SECURITY GUIDE

Recover: Recovery Planning
o RC.RP-1: Recovery plan is executed during or after an event

Table 3 lists the security controls from NIST SP 800-53 Revision 4 [29] that can be
accomplished partially or completely by using container technologies. The rightmost column
lists the sections of this document that map to each NIST SP 800-53 control.
Table 3: NIST SP 800-53 Controls Supported by Container Technologies
NIST SP 800-53
Control

Container Technology Relevancy

Related Sections of
This Document

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

CM-3, Configuration
Change Control

Images can be used to help manage change control for apps.

2.1, 2.2, 2.3, 2.4, 4.1

SC-2, Application
Partitioning

Separating user functionality from administrator functionality can
be accomplished in part by using containers or other virtualization
technologies so that the functionality is performed in different
containers.

2 (introduction), 2.3,
4.5.2

SC-3, Security
Function Isolation

Separating security functions from non-security functions can be
accomplished in part by using containers or other virtualization
technologies so that the functions are performed in different
containers.

2 (introduction), 2.3,
4.5.2

SC-4, Information in
Shared Resources

Container technologies are designed to restrict each container’s
access to shared resources so that information cannot
inadvertently be leaked from one container to another.

2 (introduction), 2.2,
2.3, 4.4

SC-6, Resource
Availability

The maximum resources available for each container can be
specified, thus protecting the availability of resources by not
allowing any container to consume excessive resources.

2.2, 2.3

SC-7, Boundary
Protection

Boundaries can be established and enforced between containers
to restrict their communications with each other.

2 (introduction), 2.2,
2.3, 4.4

SC-39, Process
Isolation

Multiple containers can run processes simultaneously on the
same host, but those processes are isolated from each other.

2 (introduction), 2.1,
2.2, 2.3, 4.4

SI-7, Software,
Firmware, and
Information Integrity

Unauthorized changes to the contents of images can easily be
detected and the altered image replaced with a known good copy.

2.3, 4.1, 4.2

SI-14, NonPersistence

Images running within containers are replaced as needed with
new image versions, so data, files, executables, and other
information stored within running images is not persistent.

2.1, 2.3, 4.1

Similar to Table 3, Table 4 lists the NIST Cybersecurity Framework [30] subcategories that can
be accomplished partially or completely by using container technologies. The rightmost column
lists the sections of this document that map to each Cybersecurity Framework subcategory.
Table 4: NIST Cybersecurity Framework Subcategories Supported by Container Technologies
Cybersecurity Framework
Subcategory
PR.DS-4: Adequate capacity to ensure
availability is maintained

Container Technology Relevancy
The maximum resources available for each
container can be specified, thus protecting the
availability of resources by not allowing any
container to consume excessive resources.

43

Related Sections
of This Document
2.2, 2.3

NIST SP 800-190

Cybersecurity Framework
Subcategory

APPLICATION CONTAINER SECURITY GUIDE

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

Container Technology Relevancy

Related Sections
of This Document

PR.DS-5: Protections against data
leaks are implemented

Container technologies are designed to restrict
each container’s access to shared resources so
that information cannot inadvertently be leaked
from one container to another.

2 (introduction), 2.2,
2.3, 4.4

PR.DS-6: Integrity checking
mechanisms are used to verify
software, firmware, and information
integrity

Unauthorized changes to the contents of images
can easily be detected and the altered image
replaced with a known good copy.

2.3, 4.1, 4.2

PR.DS-7: The development and testing
environment(s) are separate from the
production environment

Using containers makes it easier to have
separate development, testing, and production
environments because the same image can be
used in all environments without adjustments.

2.1, 2.3

PR.IP-3: Configuration change control
processes are in place

Images can be used to help manage change
control for apps.

2.1, 2.2, 2.3, 2.4, 4.1

Information on these controls and guidelines on possible implementations can be found in the
following NIST publications:
•
•
•
•
•
•
•
•
•
•
•
•
•
•

FIPS 140-2, Security Requirements for Cryptographic Modules
FIPS 197, Advanced Encryption Standard (AES)
FIPS 199, Standards for Security Categorization of Federal Information and Information
Systems
FIPS 201-2, Personal Identity Verification (PIV) of Federal Employees and Contractors
SP 800-12 Rev. 1, An Introduction to Information Security
Draft SP 800-16 Rev. 1, A Role-Based Model for Federal Information
Technology/Cybersecurity Training
SP 800-18 Rev. 1, Guide for Developing Security Plans for Federal Information Systems
SP 800-30 Rev. 1, Guide for Conducting Risk Assessments
SP 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems
SP 800-39, Managing Information Security Risk: Organization, Mission, and Information
System View
SP 800-40 Rev. 3, Guide to Enterprise Patch Management Technologies
SP 800-46 Rev. 2, Guide to Enterprise Telework, Remote Access, and Bring Your Own
Device (BYOD) Security
SP 800-50, Building an Information Technology Security Awareness and Training
Program
SP 800-52 Rev. 1, Guidelines for the Selection, Configuration, and Use of Transport
Layer Security (TLS) Implementations

44

NIST SP 800-190

•
•
•

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•

APPLICATION CONTAINER SECURITY GUIDE

SP 800-53 Rev. 4, Security and Privacy Controls for Federal Information Systems and
Organizations
SP 800-53A Rev. 4, Assessing Security and Privacy Controls in Federal Information
Systems and Organizations: Building Effective Assessment Plans
SP 800-60 Rev. 1 Vol. 1, Guide for Mapping Types of Information and Information
Systems to Security Categories
SP 800-61 Rev. 2, Computer Security Incident Handling Guide
SP 800-63 Rev. 3, Digital Identity Guidelines
SP 800-70 Rev. 3, National Checklist Program for IT Products: Guidelines for Checklist
Users and Developers
SP 800-73-4, Interfaces for Personal Identity Verification
SP 800-76-2, Biometric Specifications for Personal Identity Verification
SP 800-77, Guide to IPsec VPNs
SP 800-78-4, Cryptographic Algorithms and Key Sizes for Personal Identification
Verification (PIV)
SP 800-81-2, Secure Domain Name System (DNS) Deployment Guide
SP 800-83 Rev. 1, Guide to Malware Incident Prevention and Handling for Desktops and
Laptops
SP 800-88 Rev. 1, Guidelines for Media Sanitization
SP 800-92, Guide to Computer Security Log Management
SP 800-100, Information Security Handbook: A Guide for Managers
SP 800-113, Guide to SSL VPNs
SP 800-114 Rev. 1, User's Guide to Telework and Bring Your Own Device (BYOD)
Security
SP 800-121 Rev. 2, Guide to Bluetooth Security
SP 800-128, Guide for Security-Focused Configuration Management of Information
Systems
SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal
Information Systems and Organizations
SP 800-147, BIOS Protection Guidelines
Draft SP 800-155, BIOS Integrity Measurement Guidelines

45

NIST SP 800-190

APPLICATION CONTAINER SECURITY GUIDE

Appendix C—Acronyms and Abbreviations

Selected acronyms and abbreviations used in this paper are defined below.

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

AES

Advanced Encryption Standard

API

Application Programming Interface

AUFS

Advanced Multi-Layered Unification Filesystem

BIOS

Basic Input/Output System

BYOD

Bring Your Own Device

cgroup

Control Group

CIS

Center for Internet Security

CMVP

Cryptographic Module Validation Program

CVE

Common Vulnerabilities and Exposures

CVSS

Common Vulnerability Scoring System

DevOps

Development and Operations

DNS

Domain Name System

FIPS

Federal Information Processing Standards

FIRST

Forum for Incident Response and Security Teams

FISMA

Federal Information Security Modernization Act

FOIA

Freedom of Information Act

GB

Gigabyte

I/O

Input/Output

IP

Internet Protocol

IPS

Intrusion Prevention System

IT

Information Technology

ITL

Information Technology Laboratory

LXC

Linux Container

MAC

Mandatory Access Control

NIST

National Institute of Standards and Technology

NTFS

NT File System

OMB

Office of Management and Budget

OS

Operating System

PIV

Personal Identity Verification

46

NIST SP 800-190

APPLICATION CONTAINER SECURITY GUIDE

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

RTM

Root of Trust for Measurement

SDN

Software-Defined Networking

seccomp

Secure Computing

SIEM

Security Information and Event Management

SP

Special Publication

SQL

Structured Query Language

SSH

Secure Shell

SSL

Secure Sockets Layer

TLS

Transport Layer Security

TPM

Trusted Platform Module

URI

Uniform Resource Identifier

US

United States

USCIS

United States Citizenship and Immigration Services

VM

Virtual Machine

VPN

Virtual Private Network

WAF

Web Application Firewall

47

NIST SP 800-190

APPLICATION CONTAINER SECURITY GUIDE

Appendix D—Glossary

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

Application
virtualization

A form of virtualization that exposes a single shared operating system
kernel to multiple discrete application instances, each of which is kept
isolated from all others on the host.

Base layer

The underlying layer of an image upon which all other components are
added.

Container

A method for packaging and securely running an application within an
application virtualization environment. Also known as an application
container or a server application container.

Container runtime

The environment for each container; comprised of binaries coordinating
multiple operating system components that isolate resources and resource
usage for running containers.

Container-specific A minimalistic host operating system explicitly designed to only run
operating system
containers.
Filesystem
virtualization

A form of virtualization that allows multiple containers to share the same
physical storage without the ability to access or alter the storage of other
containers.

General-purpose
operating system

A host operating system that can be used to run many kinds of
applications, not just applications in containers.

Host operating
system

The operating system kernel shared by multiple applications within an
application virtualization architecture.

Image

A package that contains all the files required to run a container.

Isolation

The ability to keep multiple instances of software separated so that each
instance only sees and can affect itself.

Microservice

A set of containers that work together to compose an application.

Namespace
isolation

A form of isolation that limits which resources a container may interact
with.

Operating system
virtualization

A virtual implementation of the operating system interface that can be
used to run applications written for the same operating system. [from [1]]

48

NIST SP 800-190

APPLICATION CONTAINER SECURITY GUIDE

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

Orchestrator

A tool that enables DevOps personas or automation working on their
behalf to pull images from registries, deploy those images into containers,
and manage the running containers. Orchestrators are also responsible for
monitoring container resource consumption, job execution, and machine
health across hosts.

Overlay network

A software-defined networking component included in most orchestrators
that can be used to isolate communication between applications that share
the same physical network.

Registry

A service that allows developers to easily store images as they are created,
tag and catalog images for identification and version control to aid in
discovery and reuse, and find and download images that others have
created.

Resource
allocation

A mechanism for limiting how much of a host’s resources a given
container can consume.

Virtual machine

A simulated environment created by virtualization. [from [1]]

Virtualization

The simulation of the software and/or hardware upon which other
software runs. [from [1]]

49

NIST SP 800-190

APPLICATION CONTAINER SECURITY GUIDE

Appendix E—References

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

[1]

NIST Special Publication (SP) 800-125, Guide to Security for Full Virtualization
Technologies, National Institute of Standards and Technology, Gaithersburg,
Maryland, January 2011, 35pp. https://doi.org/10.6028/NIST.SP.800-125.

[2]

Docker, https://www.docker.com/

[3]

rkt, https://coreos.com/rkt/

[4]

CoreOS Container Linux, https://coreos.com/os/docs/latest

[5]

Project Atomic, http://www.projectatomic.io

[6]

Google Container-Optimized OS, https://cloud.google.com/container-optimizedos/docs/

[7]

Open Container Initiative Daemon (OCID), https://github.com/kubernetesincubator/cri-o

[8]

Jenkins, https://jenkins.io

[9]

TeamCity, https://www.jetbrains.com/teamcity/

[10]

Amazon EC2 Container Registry (ECR), https://aws.amazon.com/ecr/

[11]

Docker Hub, https://hub.docker.com/

[12]

Docker Trusted Registry, https://hub.docker.com/r/docker/dtr/

[13]

Quay Container Registry, https://quay.io

[14]

Kubernetes, https://kubernetes.io/

[15]

Apache Mesos, http://mesos.apache.org/

[16]

Docker Swarm, https://github.com/docker/swarm

[17]

NIST Special Publication (SP) 800-154, Guide to Data-Centric System Threat
Modeling (Draft), National Institute of Standards and Technology, Gaithersburg,
Maryland, March 2016, 25pp. https://csrc.nist.gov/publications/detail/sp/800154/draft.

[18]

Common Vulnerability Scoring System v3.0: Specification Document, Forum for
Incident Response and Security Teams (FIRST).
https://www.first.org/cvss/specification-document.

50

NIST SP 800-190

APPLICATION CONTAINER SECURITY GUIDE

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-190

[19]

NIST Special Publication (SP) 800-111, Guide to Storage Encryption Technologies
for End User Devices, National Institute of Standards and Technology, Gaithersburg,
Maryland, November 2007, 40pp. https://doi.org/10.6028/NIST.SP.800-111.

[20]

CIS Docker Benchmark, Center for Internet Security (CIS).
https://www.cisecurity.org/benchmark/docker/.

[21]

Security Enhanced Linux (SELinux), https://selinuxproject.org/page/Main_Page

[22]

AppArmor, http://wiki.apparmor.net/index.php/Main_Page

[23]

NIST Special Publication (SP) 800-123, Guide to General Server Security, National
Institute of Standards and Technology, Gaithersburg, Maryland, July 2008, 53pp.
https://doi.org/10.6028/NIST.SP.800-123

[24]

NIST Special Publication (SP) 800-164, Guidelines on Hardware-Rooted Security in
Mobile Devices (Draft), National Institute of Standards and Technology,
Gaithersburg, Maryland, October 2012, 33pp.
https://csrc.nist.gov/publications/detail/sp/800-164/draft.

[25]

NIST Special Publication (SP) 800-147, BIOS Protection Guidelines, National
Institute of Standards and Technology, Gaithersburg, Maryland, April 2011, 26pp.
https://doi.org/10.6028/NIST.SP.800-147.

[26]

NIST Special Publication (SP) 800-155, BIOS Integrity Measurement Guidelines
(Draft), National Institute of Standards and Technology, Gaithersburg, Maryland,
December 2011, 47pp. https://csrc.nist.gov/publications/detail/sp/800-155/draft.

[27]

NIST Internal Report (IR) 7904, Trusted Geolocation in the Cloud: Proof of Concept
Implementation, National Institute of Standards and Technology, Gaithersburg,
Maryland, December 2015, 59 pp. https://doi.org/10.6028/NIST.IR.7904.

[28]

NIST Special Publication (SP) 800-61 Revision 2, Computer Security Incident
Handling Guide, National Institute of Standards and Technology, Gaithersburg,
Maryland, August 2012, 79 pp. https://doi.org/10.6028/NIST.SP.800-61r2.

[29]

NIST Special Publication (SP) 800-53 Revision 4, Security and Privacy Controls for
Federal Information Systems and Organizations, National Institute of Standards and
Technology, Gaithersburg, Maryland, April 2013 (including updates as of January
15, 2014), 460pp. https://doi.org/10.6028/NIST.SP.800-53r4.

[30]

Framework for Improving Critical Infrastructure Cybersecurity Version 1.0,
National Institute of Standards and Technology, Gaithersburg, Maryland, February
12, 2014. https://www.nist.gov/document-3766.

51



Source Exif Data:
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.6
Linearized                      : No
Author                          : Murugiah Souppaya
Category                        : 
Comments                        : 
Company                         : Information Technology Laboratory, NIST
Content Type Id                 : 0x0101005FDE44FF194BA34BB8C8C7A6B337FA31
Create Date                     : 2017:09:25 09:10:27-04:00
DOI Value                       : NIST.SP.800-190
Keywords                        : "application;, application, container;, application, software, packaging;, container;, container, security;, isolation;, operating, system, virtualization;, virtualization"
Manager                         : 
Modify Date                     : 2017:09:25 09:40:45-04:00
Page Header Pub Num             : 800-190
Publication Date                : September 2017
Short Title Line 1              : Application Container Security Guide
Short Title Line 2              : 
Source Modified                 : D:20170925125332
Language                        : EN-US
Tagged PDF                      : Yes
XMP Toolkit                     : Adobe XMP Core 5.6-c015 84.159810, 2016/09/10-02:41:30
Metadata Date                   : 2017:09:25 09:40:45-04:00
Creator Tool                    : Acrobat PDFMaker 15 for Word
Document ID                     : uuid:3aa6640e-4824-49ab-85ba-59079456a23e
Instance ID                     : uuid:119196b3-49e4-461c-8015-9d3833f79201
Format                          : application/pdf
Title                           : Application Container Security Guide
Description                     : Application container technologies, also known as containers, are a form of operating system virtualization combined with application software packaging. Containers provide a portable, reusable, and automatable way to package and run applications. This pu
Creator                         : Murugiah Souppaya, John Morello, Karen Scarfone
Subject                         : application; application container; application software packaging; container; container security; isolation; operating system virtualization; virtualization
Rights                          : Special Publications of the National Institute of Standards and Technology is a publication of the U.S. Government. The papers are in the public domain and are not subject to copyright in the United States. However, please pay special attention to the individual works to make sure there are no copyright restrictions indicated. Individual works may require securing other permissions from the original copyright holder.
Producer                        : Adobe PDF Library 15.0
DOI0020 Value                   : NIST.SP.800-190
Marked                          : False
Headline                        : Application container technologies, also known as containers, are a form of operating system virtualization combined with application software packaging. Containers provide a portable, reusable, and automatable way to package and run applications. This pu
Page Layout                     : OneColumn
Page Mode                       : UseOutlines
Page Count                      : 63
Warning                         : [Minor] Ignored duplicate Info dictionary
EXIF Metadata provided by EXIF.tools

Navigation menu