Last month, the PCI Security Standards Council published its new Guidance for Containers and Container Orchestration Tools. This document is full of detailed security recommendations for PCI-compliant organizations to consider when hosting applications on container platforms like Kubernetes. The heart of the document is a 17-page list of specific recommendations covering authentication, certificates, secrets, workload security, network security, monitoring, patching, versioning, and configuration.
It is encouraging to see an actionable list of recommendations for PCI-compliant organizations. However, Kubernetes platform engineers will immediately recognize the significant time and effort they have ahead of them to meet these guidelines. But don’t fret - Chainguard can help harden default Kubernetes configurations, software supply chains, and orchestration tooling to meet these recommendations.
Let’s take a look at some of the key findings in the new guidance, and unpack what the next steps look like for platform engineers and security teams:
Authentication and Authorization: The Council recommends that all access to the platform be authenticated, granted the least privilege possible and individually accountable, and that authentication credentials be revocable. This means:
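In Kubernetes these three properties map directly onto RBAC. The manifest below is an added example, not part of the original post and not Chainguard's code: a namespace-scoped Role that grants only read access to Pods and their logs, bound to one named identity. The namespace `payments`, the user `alice@example.com` and the Role name are assumed placeholders. Because the binding names an individual rather than a shared account, API-server audit events record who acted, and revoking access is a matter of deleting the RoleBinding.

```yaml
# Added example: least-privilege, individually accountable, revocable access.
# Namespace and principal names are assumed placeholders.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: payments
  name: pod-reader
rules:
# Only the verbs needed for troubleshooting: no create/update/delete,
# and no access to secrets or pods/exec.
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: payments
  name: alice-pod-reader
subjects:
# Bind to a named identity issued by the cluster's OIDC/SSO provider, not a
# shared account, so audit log entries are attributable to a person.
- kind: User
  name: alice@example.com
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

To check the effective permissions, `kubectl auth can-i get pods --as alice@example.com -n payments` should answer `yes` and `kubectl auth can-i get secrets --as alice@example.com -n payments` should answer `no` (impersonation with `--as` itself requires the `impersonate` verb). Revocation is `kubectl delete rolebinding alice-pod-reader -n payments`; prefer binding to groups from the identity provider once more than a handful of people need the same role.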
Workload Security: The PCI guidance aims to make sure the workloads deployed on a container platform can be trusted, and cannot break out of isolation to attack the underlying platform.
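The concrete Kubernetes controls behind this recommendation are the Pod Security Standards, enforced by Pod Security Admission, and a Pod securityContext that satisfies the restricted profile. The following manifest is an added example, not taken from the original post or from Chainguard; the namespace, Pod name, image reference and user ID are assumed placeholders.

```yaml
# Added example: a namespace that enforces the "restricted" Pod Security
# Standard, and a Pod that satisfies it. Names and image are placeholders.
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    # Pod Security Admission rejects any Pod in this namespace that does not
    # meet the restricted profile, so the settings below are enforced by the
    # API server rather than left to convention.
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
apiVersion: v1
kind: Pod
metadata:
  name: card-api
  namespace: payments
spec:
  automountServiceAccountToken: false     # no API credentials unless the workload needs them
  securityContext:
    runAsNonRoot: true                    # kubelet refuses to start the container as uid 0
    runAsUser: 65532
    runAsGroup: 65532
    fsGroup: 65532
    seccompProfile:
      type: RuntimeDefault                # block syscalls the runtime's default profile forbids
  containers:
  - name: api
    image: registry.example.com/card-api:1.0.0   # placeholder; pin by digest in production
    securityContext:
      allowPrivilegeEscalation: false     # no setuid / file-capability escalation
      privileged: false
      readOnlyRootFilesystem: true        # the image cannot be modified at runtime
      capabilities:
        drop: ["ALL"]                     # restricted profile permits adding only NET_BIND_SERVICE
    resources:                            # limits stop one workload starving the node
      requests: {cpu: "100m", memory: "128Mi"}
      limits:   {cpu: "500m", memory: "256Mi"}
    volumeMounts:
    - name: tmp
      mountPath: /tmp
  volumes:
  - name: tmp
    emptyDir: {}                          # scratch space because the root filesystem is read-only
```

Rolling this out to an existing namespace is safest in two steps: apply only the `warn` and `audit` labels first, read the admission warnings and audit annotations to find non-compliant workloads, then switch `enforce` on. Pod Security Admission covers Pod-level isolation only; node-level isolation (separate node pools for in-scope workloads, or sandboxed runtimes such as gVisor or Kata) is a separate decision.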
Container Builds and Registry Storage: The best practices here are designed to minimize attack surface area for container images.
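Minimizing the image attack surface starts in the build, but the cluster can refuse to run anything that did not come through the approved pipeline. The policy below is an added example, not from the original post or from Chainguard: a ValidatingAdmissionPolicy (GA in Kubernetes 1.30) that only admits Pods whose containers pull from an approved registry and are pinned by digest, so a mutable tag cannot be repointed at a different image after review. The registry hostname and the `pci-scope` namespace label are assumed placeholders.

```yaml
# Added example: admission policy that enforces "approved registry, pinned by
# digest" for every container and init container. Registry and label are
# placeholders.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: pinned-trusted-registry
spec:
  failurePolicy: Fail                   # if the policy cannot be evaluated, deny
  matchConstraints:
    resourceRules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      operations: ["CREATE", "UPDATE"]
      resources: ["pods"]
  validations:
  # CEL: every image must start with the approved registry prefix and carry
  # an @sha256: digest; init containers are optional, so guard with has().
  - expression: >-
      object.spec.containers.all(c,
        c.image.startsWith('registry.example.com/') && c.image.contains('@sha256:'))
      && (!has(object.spec.initContainers) || object.spec.initContainers.all(c,
        c.image.startsWith('registry.example.com/') && c.image.contains('@sha256:')))
    message: "all images must come from registry.example.com and be pinned by digest"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: pinned-trusted-registry-binding
spec:
  policyName: pinned-trusted-registry
  validationActions: ["Deny"]
  matchResources:
    namespaceSelector:
      matchLabels:
        pci-scope: "true"               # only namespaces labelled as in scope
```

Pods created through a Deployment or Job are still admitted one by one, so the policy catches them too. Digest pinning makes the image immutable but says nothing about its contents; signature verification (for example with Sigstore, which the post mentions) and a minimal base image are what actually shrink the attack surface, and both can be layered on top of this gate.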
Network Security: These are expected best practice recommendations that should apply to all network infrastructure used by an organization.
PKI and Secrets: Guidance is that certificates should be revocable, which is not always the case in Kubernetes systems. Secrets should be stored securely, version controlled, and also revocable. This requirement is also aligned with the requirements for meeting SLSA Level 3.
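Two pieces of configuration cover most of this in practice: encrypting Secrets at rest in etcd, and handing workloads credentials that are short-lived instead of relying on revocation. The manifests below are an added example, not from the original post or from Chainguard. The first document is a kube-apiserver configuration file, not a cluster object applied with kubectl; the key value, Secret name, ServiceAccount name and token audience are assumed placeholders.

```yaml
# Added example (placeholders throughout).
#
# Document 1: /etc/kubernetes/encryption.yaml, passed to kube-apiserver with
# --encryption-provider-config. This is a control-plane file, not a kubectl
# manifest. The key must be generated separately and, in production, held by
# a KMS provider rather than written into this file.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources: ["secrets"]
  providers:
  - aescbc:
      keys:
      - name: key1
        secret: "<base64-encoded 32-byte key, placeholder>"
  - identity: {}   # last, so Secrets written before encryption was enabled remain readable
---
# Document 2: a Pod that receives credentials as read-only files and a
# short-lived, audience-bound service account token.
apiVersion: v1
kind: Pod
metadata:
  name: card-api
  namespace: payments
spec:
  serviceAccountName: card-api
  automountServiceAccountToken: false     # do not mount the legacy long-lived token
  containers:
  - name: api
    image: registry.example.com/card-api:1.0.0   # placeholder
    volumeMounts:
    - name: db-creds
      mountPath: /var/run/secrets/db
      readOnly: true
    - name: api-token
      mountPath: /var/run/secrets/tokens
      readOnly: true
  volumes:
  # Files rather than environment variables: env vars are inherited by child
  # processes and show up in crash dumps and `kubectl describe pod` output.
  - name: db-creds
    secret:
      secretName: card-db-credentials
      defaultMode: 0400
  # Projected token: bound to this Pod, valid for one audience, expires after
  # ten minutes and is rotated by the kubelet. Revocation is then simply not
  # issuing the next token (delete the Pod or the ServiceAccount).
  - name: api-token
    projected:
      sources:
      - serviceAccountToken:
          path: token
          audience: payments-vault
          expirationSeconds: 600
```

After enabling encryption, rewrite existing Secrets once (`kubectl get secrets --all-namespaces -o json | kubectl replace -f -`) so none remain in plaintext in etcd. The short-lived token pattern matters because kube-apiserver does not consult CRLs or OCSP for client certificates, which is the revocation gap the guidance points at: keeping certificate and token lifetimes short is the practical substitute.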
Additional Best Practices: The PCI guidance recommends several additional security best practices that operators can implement to mitigate the risk of an attack.
As you can see, this guidance provides a long list of security practices that PCI-compliant organizations should implement when deploying modern containerized applications. Many of these practices will require third-party tools to ensure compliance. Coupling leading open source tools like Sigstore with solutions like Chainguard Enforce (Get a free trial!) and Chainguard Images can help reduce the risk of attacks on the modern application supply chain for PCI-compliant organizations. Contact us today for more information on how we can help.