Guide to Containers and Compliance

Wercker is a Docker-Native CI/CD Automation platform for Kubernetes & Microservice Deployments

Twain Taylor
Twain Taylor
May 17, 2018

In traditional application environments, meeting compliance goals required paying attention to infrastructure like physical devices, unified data stores, and static networks.

Containers have changed all of that. Today, containerized apps feature ephemeral container nodes, distributed data stores, and dynamic networks. This type of infrastructure has a bearing on compliance. 

What is that bearing, you ask? I explain below by examining how two major compliance frameworks, HIPAA and PCI DSS, are impacted by containers.

 

What are HIPAA and PCI DSS?

HIPAA (Health Insurance Portability and Accountability Act) is all about the safe management and handling of sensitive ePHI data of patients. The PCI DSS (Payment Card Industry Data Security Standard) is similar legislation for the use of payment information like credit cards and billing details that users entrust organizations with. Since the data governed by these is of the highest priority, the technologies and systems that handle it should be compliant. These laws would apply to organizations that operate in the healthcare industry and any organization with payment information. These are not optional suggestions. Non-compliance with these laws will have consequences for the organization, even if out of negligence. This is why organizations need to ensure their applications are HIPAA and PCI DSS compliant.

But with containers gaining popularity as the prefered tool to build and ship applications, how do they change compliance? Let’s take a look.

 

Access control

Organizations often need to share ePHI data or cardholder data with vendors and partners (called Covered Entities in HIPAA). However, access to this data should be closely monitored and controlled. Having access control policies in place ensures that only authorized people and systems have access to the data.

The first step is to never give complete access to anyone. This is a big vulnerability and leaves the entire system at the mercy of that one person. If their account is hijacked, the entire system is compromised. Instead, you need to follow the principle of least privilege—Expose only the data required for a particular task.

With containers, SELinux (Security Enhanced Linux) provides access control at the kernel level. This is a security feature that Docker inherits from Linux. SELinux prevents access to data within containers unless you explicitly whitelist any user or application to have access to the data.

In addition, you can set container permissions at a granular level, or run containers in read-only mode. This reduces the risk of data being fully accessible to attackers in the event of account theft. These attacks are hard to spot, and are often discovered months or years later. To secure against such situations, it’s essential to restrict access to data for all users.

Containers enable tight control over every part of the system using features like SELinux and read-only mode. In this way, they help build more compliant apps and security policies.

 

Data encryption

To be compliant, confidential data needs to be encrypted in transit and at rest. This requires state-of-the-art encryption tools. The ability to manage “secrets” has recently been added to containers—basically, any confidential information like passwords, card details, or PHI data. Secrets management is part of the orchestration layer of the container stack and is part of the two most popular orchestration tools—Kubernetes, and Docker Swarm.

 

Firewalls and secure networking

Traditionally, firewalls were used to secure entire networks or an entire application. This kind of peripheral security is easy to implement, but isn’t safe. If an attacker manages to breach the outer firewall, they have access to the entire system. 

Containers allow you to implement firewalls around every part of the network. Tools like Project Calico are great for creating access-controlled firewalls. Doing the same with legacy infrastructure like virtual machines (VMs) would be extremely difficult and hard to scale, but lightweight containers make it possible to set up fine-grained firewalls without draining system resources or leaving admins with configuration hell.

 

Threat detection

Despite your best efforts to secure the data in your system, there are bound to be vulnerabilities and attacks. In these situations, you need more than manual reviews—You need the power of machine learning. Modern threat intelligence platforms like Twistlock and Aqua Security bring this to containers.

They let you limit the resources a container can consume, whether memory, compute, or storage. They include powerful automation rules that can terminate vulnerable containers as soon as they are discovered.

 

Logging and auditing

Logs and audit trails play a key role in tracing the history and usage of confidential data accurately. They are indispensable to compliance. However, logging is more complex with containers due to short container lifespans, and the large number of running containers at any given time. The amount of log data generated has shot up with cloud-native applications. Fortunately, containers enable more advanced ways of capturing and analyzing log data.

For starters, Docker has log drivers for every major log aggregation service. Because containers have a small footprint, you can easily set up dedicated containers for logging. This is called the sidecar model, as the logging containers run alongside the application containers. This is more work to set up, but gives more control over log aggregation.

Fluentd is a powerful log aggregator for containers. As part of the cloud-native computing foundation (CNCF), it is well-integrated with Kubernetes. With the volume of log data, a tool like Fluentd makes it easier to manage the flow of logs from your system into a log analysis platform like Sumo Logic, or Splunk.

 

Conclusion

As you look to build compliant apps that are powered by containers, you’ll find that in many respects, compliance is not as simple as it is on legacy infrastructure. However, if you approach compliance of containerized infrastructure in the right way, you’ll not only achieve compliance minimum requirements, but also build more secure and compliant applications.

That’s because containers offer new capabilities for implementing compliance policies in a way that wasn’t possible before. Recognizing the strengths of containers and adopting them for a new world of cloud-native applications is the need of the hour for compliance.

 

About the Author

Twain Taylor began his career at Google, where, among other things, he was involved in technical support for the AdWords team. His work involved reviewing stack traces, and resolving issues affecting both customers and the Support team, and handling escalations. Later, he built branded social media applications, and automation scripts to help startups better manage their marketing operations. Today, as a technology journalist he helps IT magazines, and startups change the way teams build and ship applications.

 

 

Topics: Containers, Tutorials