Wouldn’t it be great if there were a worldwide standard that established security management best practices for every organization to follow?
It turns out that there is: it’s called ISO 27001, an international standard that specifies the requirements for an information security management system (ISMS) and, in its Annex A, lists the security controls (114 of them in the 2013 edition) that organizations draw on when designing and managing IT systems.
This article explains what ISO 27001 compliance means, then discusses how it can be applied to modern, cloud-native environments, including those based on containers.
What Is ISO 27001?
ISO 27001 is an international information security standard. It’s published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), which is why its formal name is ISO/IEC 27001; in practice, ISO 27001 and ISO/IEC 27001 refer to the same standard.
The standard was first published in 2005 and received a major revision in 2013, followed by smaller corrections. A further major revision, ISO/IEC 27001:2022, reorganized Annex A from 14 control families into four themes (organizational, people, physical, and technological) with 93 controls; organizations certified against the 2013 edition were given a transition period to move to it. The 14 control families described below are those of the 2013 edition, which is the structure most existing certifications and tool mappings still follow.
What Are the ISO 27001 Requirements?
The ISO and IEC have published a number of documents that define what ISO 27001 compliance entails. You can find them in the ISO information library, which includes the formal ISO/IEC 27001 publication itself along with supporting documentation, most importantly ISO/IEC 27002, which gives implementation guidance for each Annex A control.
The short version of ISO 27001 compliance, however, is that Annex A of the 2013 edition groups its controls into 14 families (numbered A.5 through A.18):
- Information security policies: Organizations should define security policies that apply across all systems and assets they own or manage.
- Organization of information security: Organizations should implement a specific framework for enforcing information security policies.
- Human resource security: Organizations should define security policies for employees, as well as outside stakeholders like vendors and partners.
- Asset management: Organizations should systematically manage the assets they own and implement adequate security controls for each one.
- Access control: Organizations must restrict access to the minimum each user and system needs to do its job (least privilege), and manage the full lifecycle of user registration, privileged access, and credentials.
- Cryptography: Organizations should use cryptographic techniques like encryption to protect sensitive data.
- Physical and environmental security: Organizations must ensure physical security for their assets.
- Operations security: This family covers day-to-day operational controls: documented operating procedures and change management, protection from malware, backup, logging and monitoring, control of operational software, and technical vulnerability management.
- Communications security: Organizations must secure their networks and the information transferred over them, including segregating networks and protecting data in transit.
- System acquisition, development, and maintenance: Security should be integrated into asset lifecycle management.
- Supplier relationships: Organizations must require reasonable security controls from their suppliers and across their supply chain, and monitor supplier service delivery against them.
- Information security incident management: Organizations must implement effective procedures for responding to and reporting security incidents.
- Information security aspects of business continuity management: Organizations should establish procedures for maintaining business continuity in the wake of security incidents.
- Compliance: Organizations must determine which regulatory requirements govern them and make sure they take steps to comply with those laws.
As you’ll notice if you read through that list, some of these control families bear more directly than others on how IT resources like cloud and container environments are managed. For IT teams and developers, the families that translate most directly into technical controls are access control, cryptography, operations security, and communications security (numbers 5, 6, 8, and 9 above); the cloud and container practices discussed later in this article map onto exactly these families.
That said, because all of the controls inform how IT security is applied to the business as a whole, technical stakeholders should familiarize themselves with the ISO 27001 requirements in general, even if considerations like human resource security are not their main purview.
Who Must Follow ISO 27001?
Because ISO 27001 is an international standard defined by non-governmental organizations, it is not a regulatory compliance framework. No law requires an organization to comply with it, and there are no statutory penalties for failing to conform to the standard, although customers and partners may make certification a contractual requirement.
However, many businesses choose to use the ISO 27001 framework to define the best practices that they should follow when managing IT security. Doing so serves two main goals:
- Proving a commitment to security: The ability to demonstrate ISO 27001 compliance can help businesses prove to partners and customers that they have implemented effective information security controls.
- Discovering compliance risks: ISO 27001 compliance audits may help organizations discover security risks or vulnerabilities that would trigger fine-inducing compliance violations under regulatory frameworks. If a voluntary ISO 27001 audit identifies vulnerabilities, businesses can take steps to address them before they result in fines or sanctions under a regulatory compliance law like the GDPR or HIPAA.
Implementing ISO 27001 Controls in the Cloud
Like most compliance frameworks, the ISO 27001 controls don’t strictly define specific tools, processes, or practices that businesses must implement to secure cloud environments. Instead, they leave it up to organizations to determine how to interpret the security controls and apply them to the cloud. There are therefore many approaches to ISO 27001 compliance in the cloud, and not all businesses will use the same practices.
Nonetheless, there are some general best practices to consider for ISO 27001 cloud compliance.
Choose a Compliant Cloud Vendor
First and foremost, make sure your public cloud vendor (or vendors) is certified for ISO 27001 compliance on their own infrastructure.
This is not hard to do. All of the major public clouds hold ISO 27001 certification, but a certificate has a scope: it names the services and regions that were audited, so confirm that the regions and services you actually use are covered. AWS, for example, publishes its certificate together with the list of in-scope services and regions, and Azure publishes its ISO 27001 certificate and audit reports on its Service Trust Portal. Review those reports to assess how well a provider has demonstrated compliance rather than relying on a badge on a marketing page.
Use Cloud Auditing and Compliance Tools
Choosing an ISO 27001-compliant cloud doesn’t guarantee full ISO 27001 compliance for customers, of course. Cloud providers can only ensure compliance for their own infrastructure or other resources that they manage under the shared responsibility model. Responsibility for complying with ISO 27001 within applications or data that customers deploy to the cloud falls to customers.
Auditing and compliance tools can help ensure that customer-deployed workloads are ISO 27001-compliant. These tools continuously read cloud configurations (IAM policies, storage encryption settings, network rules, logging settings) and assess each resource against a predefined mapping from configuration checks to controls. Cloud vendors offer some such tools: Azure Policy, for instance, ships a built-in regulatory compliance initiative for ISO 27001:2013 (and the Azure Blueprints service packaged the same kind of mapping). However, external auditing tools may prove more useful for businesses that use more than one public cloud, or that have a hybrid cloud environment, because a single tool can apply one control mapping everywhere.
Use Cloud IAM
Cloud Identity and Access Management (IAM) frameworks are the main tool within cloud environments for implementing the access controls that ISO 27001 requires. In addition to writing IAM policies, organizations should audit their IAM configurations regularly for the oversights that turn into access control findings: wildcard (*) actions or resources in Allow statements, unused credentials, users without MFA, and roles that can be assumed more broadly than intended.
Data Encryption
Enabling data encryption by default is another standard practice for implementing the cryptography controls defined by ISO 27001. Approaches to data encryption in the cloud will vary from one type of cloud service to another, but the core goal should be to ensure that data is always encrypted unless there is a specific reason for it not to be. For example, if you use an object storage service like AWS S3, configure default server-side encryption for your storage buckets. (Since January 2023, S3 applies SSE-S3 encryption to new objects by default; if your control set calls for keys under your own control, configure SSE-KMS with a customer-managed key and add a bucket policy that denies PutObject requests lacking the expected server-side-encryption header.)
Network Isolation
Virtual Private Clouds and other virtualized network abstractions can help to isolate workloads within the cloud. Segregation in networks is itself an Annex A control, and security groups and network ACLs are where it is enforced, so this provides another means of implementing access controls as well as the ISO 27001 communications security controls. Review those rules for ingress from 0.0.0.0/0 on administrative and database ports, which is the most common way isolation quietly erodes.
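The four practices above (compliance scanning, IAM auditing, default encryption, and network isolation) all come down to checking resource configurations against a control mapping. The following is an added example, not code from the original article, of what that mapping looks like in a small posture checker: it evaluates IAM policies, S3 bucket settings and security group rules from a constructed inventory (hypothetical field names and resource names; nothing here calls a cloud API) and tags each finding with the Annex A family it falls under.

```python
"""Posture checks mapped to ISO/IEC 27001:2013 Annex A control families.

Added example, not code from the original article. The inventory at the bottom
is constructed inline in the shape a posture tool would build from provider
APIs (the field names are hypothetical); nothing here calls a cloud API.
"""
import ipaddress
from dataclasses import dataclass

ENCRYPTION_HEADER = "s3:x-amz-server-side-encryption"
ADMIN_PORTS = {22, 3389, 3306, 5432}   # SSH, RDP, MySQL, PostgreSQL


@dataclass
class Finding:
    control: str   # Annex A family: A.9 access control, A.10 cryptography, A.13 comms security
    resource: str
    message: str


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def check_iam_policy(name, policy):
    """A.9: Allow statements with wildcard actions/resources are not least privilege."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        wild_action = any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action")))
        wild_resource = "*" in _as_list(stmt.get("Resource"))
        if wild_action and wild_resource:
            findings.append(Finding("A.9", name, "Allow '*' actions on '*' resources"))
        elif wild_action:
            findings.append(Finding("A.9", name, "Allow wildcard action on a scoped resource"))
    return findings


def _denies_unencrypted_put(policy):
    """True if a Deny on s3:PutObject keys off the SSE request header (the usual AWS pattern)."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny" or "s3:PutObject" not in _as_list(stmt.get("Action")):
            continue
        cond = stmt.get("Condition", {})
        if ENCRYPTION_HEADER in cond.get("Null", {}) or ENCRYPTION_HEADER in cond.get("StringNotEquals", {}):
            return True
    return False


def check_s3_bucket(bucket):
    """A.10 + A.9: default encryption, a deny-unencrypted-upload policy, and no public access."""
    findings, name = [], bucket["name"]
    sse = bucket.get("default_sse")            # None, "AES256" (SSE-S3) or "aws:kms"
    if sse is None:
        findings.append(Finding("A.10", name, "no default server-side encryption"))
    elif sse == "AES256":
        findings.append(Finding("A.10", name, "SSE-S3 only; SSE-KMS with a customer-managed key gives key control"))
    if not _denies_unencrypted_put(bucket.get("policy", {})):
        findings.append(Finding("A.10", name, "bucket policy does not deny unencrypted PutObject"))
    if not bucket.get("block_public_access", False):
        findings.append(Finding("A.9", name, "public access block disabled"))
    return findings


def check_security_group(sg):
    """A.13: ingress open to the whole internet on admin/database ports or on all ports."""
    findings = []
    for rule in sg.get("ingress", []):
        if ipaddress.ip_network(rule["cidr"]).prefixlen != 0:   # only 0.0.0.0/0 or ::/0
            continue
        lo, hi = rule["from_port"], rule["to_port"]
        if (lo, hi) == (0, 65535) or any(lo <= p <= hi for p in ADMIN_PORTS):
            findings.append(Finding("A.13", sg["name"], f"{rule['cidr']} may reach ports {lo}-{hi}"))
    return findings


def assess(inventory):
    findings = []
    for name, policy in inventory.get("iam_policies", {}).items():
        findings += check_iam_policy(name, policy)
    for bucket in inventory.get("s3_buckets", []):
        findings += check_s3_bucket(bucket)
    for sg in inventory.get("security_groups", []):
        findings += check_security_group(sg)
    return findings


# Constructed inventory: one compliant and one non-compliant instance of each resource type.
SAMPLE_INVENTORY = {
    "iam_policies": {
        "legacy-admin": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
        "reports-reader": {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                                          "Resource": "arn:aws:s3:::example-reports/*"}]},
    },
    "s3_buckets": [
        {"name": "example-audit-logs", "default_sse": "aws:kms", "block_public_access": True,
         "policy": {"Statement": [{"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
                                   "Resource": "arn:aws:s3:::example-audit-logs/*",
                                   "Condition": {"StringNotEquals": {ENCRYPTION_HEADER: "aws:kms"}}}]}},
        {"name": "example-uploads", "default_sse": None, "block_public_access": False},
    ],
    "security_groups": [
        {"name": "bastion", "ingress": [{"cidr": "0.0.0.0/0", "from_port": 22, "to_port": 22}]},
        {"name": "internal-db", "ingress": [{"cidr": "10.0.0.0/8", "from_port": 5432, "to_port": 5432}]},
    ],
}

if __name__ == "__main__":
    for f in assess(SAMPLE_INVENTORY):
        print(f"[{f.control}] {f.resource}: {f.message}")
```

A real tool would populate the inventory from the provider's describe/list APIs and keep the check functions as they are; the point of the control tag on each finding is that an auditor can trace a configuration defect back to the Annex A family it violates, which is what an ISO 27001 audit asks for.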
ISO 27001 Compliance for Containers
ISO 27001 also doesn’t offer specific prescriptions for securing containers, but a few general best practices apply for a container-based environment.
Image Scanning
Scanning container images helps to meet the operational security controls of ISO 27001, in particular protection from malware and technical vulnerability management. Scan at build time, before an image is pushed, and keep rescanning the images already in your registry, since new CVEs are published against packages that were clean when the image was built.
Audit Logging
Kubernetes audit logs record every request to the API server: who made it, which verb and resource it targeted, and whether it was allowed. Enabling them with an audit policy and shipping them off-cluster implements the logging and monitoring controls of ISO 27001 and gives incident responders the evidence they need. Log secrets at the Metadata level rather than RequestResponse, otherwise the secret values themselves end up in the audit trail.
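Collecting audit logs satisfies the logging control; reviewing them is what turns the log into detection. As an added example (not code from the original article), here are a few rules a practitioner would run over the audit stream: secret reads by identities outside an allowlist, interactive pod access, cluster-wide RBAC changes, and repeated Forbidden responses from one identity. The events are constructed in the audit.k8s.io/v1 Event shape with hypothetical users and object names.

```python
"""Detection rules over Kubernetes API-server audit events.

Added example, not code from the original article. The events below are
constructed in the audit.k8s.io/v1 Event shape (trimmed to the fields the rules
use) with hypothetical users and object names; a real pipeline would read the
JSON-lines file written under --audit-log-path, or receive the same events from
an audit webhook backend.
"""
import json
from collections import Counter

# Service accounts that legitimately read secrets as part of cluster operation (hypothetical list).
SECRET_READER_ALLOWLIST = {"system:serviceaccount:kube-system:generic-garbage-collector"}
FORBIDDEN_THRESHOLD = 3   # repeated 403s from one identity look like permission probing

SAMPLE_AUDIT_LOG = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:kube-system:generic-garbage-collector"},"objectRef":{"resource":"secrets","namespace":"kube-system","name":"bootstrap-token"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"list","user":{"username":"dev-alice"},"objectRef":{"resource":"secrets","namespace":"payments"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseStarted","verb":"create","user":{"username":"dev-alice"},"objectRef":{"resource":"pods","namespace":"payments","name":"api-7c9d","subresource":"exec"},"responseStatus":{"code":101}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:default:ci-runner"},"objectRef":{"resource":"clusterrolebindings","name":"ci-admin","apiGroup":"rbac.authorization.k8s.io"},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:default:ci-runner"},"objectRef":{"resource":"secrets","namespace":"kube-system","name":"admin-kubeconfig"},"responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:default:ci-runner"},"objectRef":{"resource":"secrets","namespace":"kube-system"},"responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:default:ci-runner"},"objectRef":{"resource":"configmaps","namespace":"kube-system","name":"cluster-info"},"responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","user":{"username":"dev-bob"},"objectRef":{"resource":"pods","namespace":"payments","name":"api-7c9d"},"responseStatus":{"code":200}}
"""


def load_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return (rule, user, target) alerts; rule names carry the Annex A control they support."""
    alerts = []
    forbidden = Counter()
    for ev in events:
        stage = ev.get("stage")
        if stage == "RequestReceived":
            continue  # the same request is logged again once the response is known
        user = ev.get("user", {}).get("username", "")
        ref = ev.get("objectRef", {})
        resource, sub, verb = ref.get("resource"), ref.get("subresource"), ev.get("verb")
        code = ev.get("responseStatus", {}).get("code", 0)
        target = f"{ref.get('namespace', '-')}/{ref.get('name', '*')}"
        if resource == "secrets" and verb in ("get", "list", "watch") and code < 400 \
                and user not in SECRET_READER_ALLOWLIST:
            alerts.append(("A.9 secret read", user, target))
        # exec/attach are long-running: ResponseStarted fires when the stream opens and
        # ResponseComplete when it closes, so alert once, on the first.
        if resource == "pods" and sub in ("exec", "attach") and stage == "ResponseStarted":
            alerts.append(("A.12.4 interactive pod access", user, target))
        if resource in ("clusterroles", "clusterrolebindings") \
                and verb in ("create", "update", "patch", "delete") and code < 400:
            alerts.append(("A.9 cluster-wide RBAC change", user, ref.get("name", "*")))
        if code == 403:
            forbidden[user] += 1
    for user, n in forbidden.items():
        if n >= FORBIDDEN_THRESHOLD:
            alerts.append(("A.16 repeated Forbidden responses", user, f"{n} denied requests"))
    return alerts


if __name__ == "__main__":
    for rule, user, target in detect(load_events(SAMPLE_AUDIT_LOG)):
        print(f"{rule:36} {user:55} {target}")
```

The allowlist is the part that needs care: controllers in kube-system read secrets constantly, so without it the secret-read rule is noise, and with too broad an entry it misses the case that matters (a workload service account reading secrets in another namespace). Note also that the 403 rule only works if your audit policy records denied requests at all; a policy that logs only successful writes will never show the probing that precedes a successful one.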
Access Control
In addition to using cloud IAM tools to manage access for cloud services, consider using container-specific controls, such as Kubernetes RBAC and security contexts, to enforce granular access controls within container environments: prefer namespaced Roles to ClusterRoles, avoid wildcard verbs and resources, treat the ability to read secrets or exec into pods as privileged access, and run containers as non-root with privilege escalation disabled and capabilities dropped.
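Both of those controls are declared in manifests, so they can be checked before anything reaches the cluster. The block below is an added example, not code from the original article: a linter that flags over-broad RBAC rules and weak Pod security contexts, run over constructed manifests (hypothetical names, written as the dict form of the YAML you would apply). The same logic would fit in a validating admission webhook.

```python
"""Static checks on Kubernetes RBAC and Pod security contexts, run before apply.

Added example, not code from the original article. The manifests are
constructed inline as dicts (the JSON form of the YAML you would apply) with
hypothetical names; the same checks could run inside a validating admission
webhook instead of in CI.
"""

READ_VERBS = {"get", "list", "watch"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
RBAC_RESOURCES = {"roles", "clusterroles", "rolebindings", "clusterrolebindings"}


def lint_rbac(role):
    """Roles and ClusterRoles: wildcards, secret reads, pod exec/attach, and RBAC self-modification."""
    kind, name = role["kind"], role["metadata"]["name"]
    issues = []
    for rule in role.get("rules", []):
        verbs, resources = set(rule.get("verbs", [])), set(rule.get("resources", []))
        if "*" in verbs or "*" in resources or "*" in rule.get("apiGroups", []):
            issues.append(f"{kind}/{name}: wildcard in rule {rule}")
        if "secrets" in resources and verbs & READ_VERBS:
            issues.append(f"{kind}/{name}: grants secret reads")
        if resources & {"pods/exec", "pods/attach"}:
            issues.append(f"{kind}/{name}: grants interactive pod access")
        if resources & RBAC_RESOURCES and verbs & WRITE_VERBS:
            issues.append(f"{kind}/{name}: can modify RBAC (privilege escalation path)")
    return issues


def pod_spec_of(manifest):
    """Pods carry the spec directly; workload kinds nest it under spec.template."""
    if manifest["kind"] == "Pod":
        return manifest["spec"]
    return manifest["spec"]["template"]["spec"]


def lint_pod(manifest):
    """Flags settings the Pod Security Standards 'restricted' profile rejects, plus host namespaces."""
    name = f"{manifest['kind']}/{manifest['metadata']['name']}"
    spec = pod_spec_of(manifest)
    issues = [f"{name}: {flag} enabled" for flag in ("hostPID", "hostNetwork", "hostIPC") if spec.get(flag)]
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc, cname = c.get("securityContext", {}), f"{name}/{c['name']}"
        if sc.get("privileged"):
            issues.append(f"{cname}: privileged")
        if sc.get("allowPrivilegeEscalation", True):       # the field defaults to true when unset
            issues.append(f"{cname}: allowPrivilegeEscalation not false")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            issues.append(f"{cname}: runAsNonRoot not set")
        if not sc.get("readOnlyRootFilesystem"):
            issues.append(f"{cname}: root filesystem writable")
        caps = sc.get("capabilities", {})
        if "ALL" not in [d.upper() for d in caps.get("drop", [])] or caps.get("add"):
            issues.append(f"{cname}: capabilities not reduced to the minimum")
    return issues


def lint_manifests(manifests):
    issues = []
    for m in manifests:
        if m["kind"] in ("Role", "ClusterRole"):
            issues += lint_rbac(m)
        elif m["kind"] in ("Pod", "Deployment", "StatefulSet", "DaemonSet", "Job"):
            issues += lint_pod(m)
    return issues


# Constructed manifests: one hardened workload, one debugging pod, and three roles of varying scope.
HARDENED = {
    "kind": "Deployment", "metadata": {"name": "payments-api"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{"name": "api", "image": "registry.example.com/payments-api:1.4.2",
                        "securityContext": {"allowPrivilegeEscalation": False,
                                            "readOnlyRootFilesystem": True,
                                            "capabilities": {"drop": ["ALL"]}}}]}}}}
DEBUG_POD = {
    "kind": "Pod", "metadata": {"name": "node-debug"},
    "spec": {"hostPID": True,
             "containers": [{"name": "shell", "image": "busybox",
                             "securityContext": {"privileged": True}}]}}
CLUSTER_ADMIN_CLONE = {"kind": "ClusterRole", "metadata": {"name": "ops-admin"},
                       "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}
CONFIG_READER = {"kind": "Role", "metadata": {"name": "config-reader"},
                 "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]}]}
DEBUGGER = {"kind": "Role", "metadata": {"name": "debugger"},
            "rules": [{"apiGroups": [""], "resources": ["pods/exec", "secrets"], "verbs": ["create", "get"]}]}
SAMPLE_MANIFESTS = [HARDENED, DEBUG_POD, CLUSTER_ADMIN_CLONE, CONFIG_READER, DEBUGGER]

if __name__ == "__main__":
    for issue in lint_manifests(SAMPLE_MANIFESTS):
        print(issue)
```

The debugging pod is the instructive case: nothing about it is exotic, yet hostPID plus privileged gives anyone who can exec into it the node, which is why the RBAC side of the linter treats pods/exec as a privileged grant rather than a developer convenience.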
Conclusion
No one is legally mandated to comply with ISO 27001, but achieving ISO 27001 compliance is a best practice for demonstrating effective security controls to partners and customers, as well as nipping regulatory compliance risks in the bud. And while ISO 27001 doesn’t offer specific security guidelines for cloud and container environments, there are a number of tools and practices that can effectively implement ISO 27001 controls in modern, cloud-native contexts.