FedRAMP Public Comment: Vulnerability Scanning Requirements for the Deployment and Use of Containers
Hello, this is Mitsuhiko Maruyama.
FedRAMP is soliciting public comments on its "Vulnerability Scanning Requirements for the Deployment and Use of Containers"...
It appears to be a document describing FedRAMP compliance as it relates to the processes, architecture, and security considerations specific to vulnerability scanning of cloud systems that use container technology.
The referenced NIST SP 800-190 also has a Japanese translation published by IPA...
● FedRAMP
・2020.08.14 Requesting Public Comment on Vulnerability Scanning Requirements for the Deployment and Use of Containers
TABLE OF CONTENTS
1. Purpose
2. Background
3. Scanning Requirements for Systems Using Container Technology
4. Transition Plan
2. Background
The FedRAMP Vulnerability Scanning Requirements for the Deployment and Use of Containers bridges the vulnerability scanning compliance gaps between traditional cloud systems and containerized cloud systems.
The requirements described in this document are part of the FedRAMP Continuous Monitoring Strategy Guide and FedRAMP Vulnerability Scanning Requirements. The vulnerability scanning requirements for containerized systems serve to supplement and update existing requirements defined in those documents.
Container technology can be deployed on bare metal or virtual machines, on-premise systems, or within elastic cloud environments. Various container orchestration tools are typically used to enable deployment and management of distributed containers at scale. Some of the most common characteristics of container technology are: [1]
- Containers run as a single application;
- Containers are deployed in hyperscale systems;
- Containers have network connections that are host independent;
- Containers are elastic and sometimes ephemeral in nature; and
- Container upgrades occur on a source image in a secure staging environment.
Important risks and threats relative to the use of containerization technology include:
- Unvalidated external software
- Non-standard configurations
- Unmonitored container-to-container communication
- Ephemeral instances that are not tracked
- Unauthorized access
The security requirements listed within this document facilitate a CSP's ability to leverage container technology while maintaining compliance with FedRAMP. The intent of the following security requirements is to ensure that risks relative to the use of container technology are mitigated or otherwise addressed (including but not limited to those listed in bullet-point form above). The requirements apply broadly and FedRAMP recognizes that certain implementations may call for alternative measures to address risk.
[1] The characteristics, risks, and terms contained in this document are derived from NIST SP 800-190, Application Container Security Guide (published September 2017), and industry input.
■ References
● FedRAMP
・2018.03.20 [PDF] FedRAMP Vulnerability Scanning Requirements Version 1.0
・2018.02.21 [PDF] FedRAMP Continuous Monitoring Performance Management Guide Version 2.1
● NIST
・2017.09.25 (Publication) SP 800-190 Application Container Security Guide
・[PDF] SP 800-190 (DOI)
・[PDF] SP 800-190 Japanese translation (unofficial--from IPA, Japan)
・2017.10.11 (Publication) NISTIR 8176 Security Assurance Requirements for Linux Application Container Deployments
・[PDF] NISTIR 8176 (DOI)
・2017.10.24 (Publication) ITL Bulletin NIST Guidance on Application Container Security
・[PDF] NIST GUIDANCE ON APPLICATION CONTAINER SECURITY
● Maru-chan's Information Security Diary (まるちゃんの情報セキュリティ気まぐれ日記)
・2012.02.26 FedRAMP (a standard approach to security assessment of cloud services)