This section of the ISM provides guidance on virtualisation hardening.

Containerisation

Containers allow for versatile deployment of systems, and can be used to quickly scale systems. However, they are still systems that run software and should be treated as any other system. Application of security controls in a containerised environment may take a different form when compared to other types of systems. For example, patching operating systems on workstations may be actioned differently to ensuring that a patched image is being used for a container; however, the principle is the same. In general, the same security risks that apply to non-containerised systems would likely apply to containerised systems.

Functional separation between computing environments

Software-based isolation mechanisms are commonly used to share a physical server’s hardware among multiple computing environments. The benefits of using software-based isolation mechanisms to share a physical server’s hardware include increasing the range of activities that it can be used for and maximising the utilisation of its hardware.

A computing environment could consist of an entire operating system installed in a virtual machine where the isolation mechanism is a hypervisor, as is commonly used in cloud services providing Infrastructure as a Service. Alternatively, a computing environment could consist of an application which uses the shared kernel of the underlying operating system of the physical server where the isolation mechanisms are application containers or application sandboxes, as is commonly used in cloud services providing Platform as a Service. The logical separation of data within a single application, which is commonly used in cloud services providing Software as a Service, is not considered to be the same as multiple computing environments.

An adversary who has compromised a single computing environment, or who legitimately controls a single computing environment, might exploit a misconfiguration or security vulnerability in the isolation mechanism to compromise other computing environments on the same physical server, or compromise the underlying operating system of the physical server.

Security Control: 1460; Revision: 2; Updated: Aug-20; Applicability: O, P, S, TS
When using a software-based isolation mechanism to share a physical server’s hardware, the isolation mechanism is from a vendor that uses secure coding practices and, when security vulnerabilities have been identified, develops and distributes patches in a timely manner.

Security Control: 1604; Revision: 0; Updated: Aug-20; Applicability: O, P, S, TS
When using a software-based isolation mechanism to share a physical server’s hardware, the configuration of the isolation mechanism is hardened by removing unneeded functionality and restricting access to the administrative interface used to manage the isolation mechanism.

Security Control: 1605; Revision: 0; Updated: Aug-20; Applicability: O, P, S, TS
When using a software-based isolation mechanism to share a physical server’s hardware, the underlying operating system running on the server is hardened.

Security Control: 1606; Revision: 0; Updated: Aug-20; Applicability: O, P, S, TS
When using a software-based isolation mechanism to share a physical server’s hardware, patches are applied to the isolation mechanism and underlying operating system in a timely manner.

Security Control: 1607; Revision: 0; Updated: Aug-20; Applicability: O, P, S, TS
When using a software-based isolation mechanism to share a physical server’s hardware, integrity and log monitoring are performed for the isolation mechanism and underlying operating system in a timely manner.

Security Control: 1462; Revision: 1; Updated: Jul-19; Applicability: P
When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are of the same classification.

Security Control: 1461; Revision: 2; Updated: Jul-19; Applicability: S, TS
When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are controlled by the same organisation, are of the same classification and are within the same security domain.
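The controls above state what must be true of an isolation mechanism but not how to check it. As an added illustration that is not part of the ISM, the following Python script audits constructed container-host data against controls 1604 (hardened configuration and restricted administrative interface), 1606 (timely patching) and 1607 (integrity monitoring). The container records, image build dates, daemon listen addresses and binary hashes are constructed fixtures whose field names follow the `docker inspect` layout, and the 90-day image-age threshold is an assumed value, not one the ISM sets.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed fixtures, not captured from a real host: `docker inspect`-style records and host settings.
CONTAINERS = json.loads("""[
 {"Name": "/web",   "HostConfig": {"Privileged": false, "CapAdd": null},
  "Config": {"User": "10001", "Image": "registry.example/web:2024.05"}},
 {"Name": "/batch", "HostConfig": {"Privileged": true,  "CapAdd": ["SYS_ADMIN"]},
  "Config": {"User": "",      "Image": "registry.example/batch:2022.01"}}
]""")
IMAGE_CREATED = {"registry.example/web:2024.05": "2024-05-01T00:00:00Z",
                 "registry.example/batch:2022.01": "2022-01-15T00:00:00Z"}
DAEMON_HOSTS = ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]  # plain TCP, no TLS
BASELINE = {"/usr/bin/containerd": hashlib.sha256(b"containerd-v1").hexdigest()}
CURRENT_FILES = {"/usr/bin/containerd": b"containerd-v1-tampered"}  # simulates a modified binary
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "today" so results are reproducible

def audit_admin_interface(hosts, tls_enabled):
    """ISM 1604: the administrative API must not be reachable over unauthenticated plain TCP."""
    return [f"1604: admin API exposed without TLS on {h}"
            for h in hosts if h.startswith("tcp://") and not tls_enabled]

def audit_container(c):
    """ISM 1604: remove unneeded functionality (added capabilities, privileged mode, root user)."""
    name, hc, cfg = c["Name"], c["HostConfig"], c["Config"]
    findings = [f"1604: {name} adds capability {cap}" for cap in hc.get("CapAdd") or []]
    if hc.get("Privileged"):
        findings.append(f"1604: {name} runs privileged")
    if not cfg.get("User"):
        findings.append(f"1604: {name} runs as root (no User set)")
    return findings

def audit_image_age(c, created, now, max_age_days=90):
    """ISM 1606: a container built from a stale image is an unpatched system (threshold assumed)."""
    image = c["Config"]["Image"]
    built = datetime.fromisoformat(created[image].replace("Z", "+00:00"))
    age = (now - built).days
    return [f"1606: {c['Name']} image {image} is {age} days old"] if age > max_age_days else []

def verify_integrity(baseline, current):
    """ISM 1607: compare isolation-mechanism binaries against a known-good SHA-256 baseline."""
    return [f"1607: {path} hash mismatch" for path, data in current.items()
            if hashlib.sha256(data).hexdigest() != baseline.get(path)]

def run_audit():
    findings = audit_admin_interface(DAEMON_HOSTS, tls_enabled=False)
    for c in CONTAINERS:
        findings += audit_container(c) + audit_image_age(c, IMAGE_CREATED, NOW)
    return findings + verify_integrity(BASELINE, CURRENT_FILES)
```

On the constructed fixtures the audit returns six findings: one exposed administrative interface, three hardening gaps and one stale image on the batch container, and one binary whose hash no longer matches the baseline.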

Further information

Further information on hypervisor security can be found in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-125A Rev. 1, Security Recommendations for Server-based Hypervisor Platforms, at https://csrc.nist.gov/publications/detail/sp/800-125a/rev-1/final.

Further information on container security can be found in NIST SP 800-190 Application Container Security Guide at https://csrc.nist.gov/publications/detail/sp/800-190/final.