Container security is covered briefly in Domain 8 (Virtualization and Containers) of the CSA Security Guidance for Critical Areas of Focus in Cloud Computing v4.0. Specifically, Section 8.1.4 touches on four areas:

1. Infrastructure. The host operating system is critical: a poorly secured OS exposes every container running on it, and with them all data and secrets on the server, or can even let an attacker take control of the server itself.
2. Container management. This is typically performed by what are called "Orchestration Managers," the most common of which are Kubernetes and Swarm. Neither is native to a particular cloud platform, and, unfortunately, neither is secure in its default configuration.
3. Secrets. Bootstrapping a new container requires issuing it credentials and secrets for the data it needs in order to operate.
4. Image repositories. Both the major vendors and cloud-native registries provide secure image stores as well as digital signature capabilities to ensure container images have not been tampered with.
While the guidance gives a few road signs directing you to areas that need attention, it lacks tools and specific instructions. To close these gaps the guidance recommends leveraging secrets management technologies to issue credentials to containers at runtime, rather than baking them into images, and transparent disk or file encryption so that sensitive data is accessible only to the containers you deem appropriate.
The guidance also recommends leveraging the code/container signature systems provided by the container repository, and enforcing that the orchestration system can only run approved images from that registry. And if you supply your own OS to run containers atop, just as Domain 8 advises for virtual servers, you need to spend considerable time making sure the OS is a hardened variant configured for container use. Cloud identity and access controls gate who can access or administer the containers, the surrounding container infrastructure, and the security tools themselves.
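The "only approved images from the registry" rule is the part of this advice that an orchestrator can actually enforce mechanically, at admission time. The example below is added here and is not code from the CSA guidance or the Thales paper; it is the core of an admission check that rejects any Pod whose images are not pulled from an allowlisted registry and pinned to a digest. The registry allowlist, the sample Pod manifests and the digest value are constructed for illustration. In a real cluster this logic would sit behind a validating admission webhook, with signature verification (for example with cosign or Notary) layered on top to provide the tamper check the guidance describes.

```python
"""Admission-style check: a Pod may only use approved, digest-pinned images.

Added example, not part of the CSA guidance or the Thales paper.
"""
import re

# Hypothetical allowlist: the only registries the orchestrator may pull from.
APPROVED_REGISTRIES = {
    "registry.example.com",
    "123456789012.dkr.ecr.us-east-1.amazonaws.com",
}

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_image(ref: str) -> dict:
    """Split an image reference into registry, repository, tag and digest.

    Follows the Docker reference rules: the first path component is a
    registry only if it contains '.' or ':' or is 'localhost'; otherwise
    the image is implicitly on docker.io.  A ':' after the last '/' is a
    tag separator, not a registry port.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    name, tag = ref, None
    last_slash = ref.rfind("/")
    colon = ref.rfind(":")
    if colon > last_slash:
        name, tag = ref[:colon], ref[colon + 1:]
    parts = name.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, repository = parts[0], "/".join(parts[1:])
    else:
        registry, repository = "docker.io", name
    return {"registry": registry, "repository": repository, "tag": tag, "digest": digest}


def image_violations(ref: str) -> list:
    """Return the list of policy violations for one image reference."""
    img = parse_image(ref)
    problems = []
    if img["registry"] not in APPROVED_REGISTRIES:
        problems.append(f"{ref}: registry {img['registry']!r} is not approved")
    if img["digest"] is None:
        # A mutable tag such as ':latest' can be repointed in the registry;
        # a digest names exactly one image manifest.
        problems.append(f"{ref}: image is not pinned to a digest")
    elif not DIGEST_RE.match(img["digest"]):
        problems.append(f"{ref}: malformed digest {img['digest']!r}")
    return problems


def review_pod(pod: dict) -> dict:
    """Return an AdmissionReview-style verdict for a Pod manifest (a dict).

    Every container list is checked, not just spec.containers: a check that
    ignores initContainers or ephemeralContainers can be bypassed by running
    the unapproved image there instead.
    """
    spec = pod.get("spec", {})
    problems = []
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for container in spec.get(field, []):
            problems.extend(image_violations(container["image"]))
    return {"allowed": not problems, "reasons": problems}


# Constructed sample manifests (the digest is sha256 of the empty string,
# used here only as a well-formed placeholder).
PINNED = "sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

REJECTED_POD = {
    "kind": "Pod",
    "spec": {
        "initContainers": [{"name": "setup", "image": "alpine"}],
        "containers": [{"name": "app", "image": "registry.example.com/team/app:1.2.3"}],
    },
}

ALLOWED_POD = {
    "kind": "Pod",
    "spec": {
        "containers": [
            {"name": "app", "image": f"registry.example.com/team/app:1.2.3@{PINNED}"},
            {"name": "sidecar", "image": f"123456789012.dkr.ecr.us-east-1.amazonaws.com/proxy@{PINNED}"},
        ],
    },
}

if __name__ == "__main__":
    for name, pod in (("rejected", REJECTED_POD), ("allowed", ALLOWED_POD)):
        verdict = review_pod(pod)
        print(name, "->", "allowed" if verdict["allowed"] else "denied")
        for reason in verdict["reasons"]:
            print("   ", reason)
```

The REJECTED_POD fails on three counts: the init container pulls `alpine` from docker.io, which is not on the allowlist, and neither image is pinned to a digest. Pinning matters even for an approved registry, because a tag can be repointed to a different image after the signature or scan you relied on was produced.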
The cloud vendor will offer access logs, which you can combine with the orchestration logs to examine activity across both the containers and the infrastructure around them.
Note: This material is drawn from Thales White Paper: “Best Practices for Secure Cloud Migration. Leveraging Cloud Security Alliance Security Guidelines.”