3 compliance considerations for containerized environments

Jul 17, 2017 | 4 mins
Devops, Network Security, Regulation

Compliance needs to become an activity that can be done continuously through software to deliver visibility and policy enforcement.


With more technology leaders moving their companies to the cloud and adopting new security tools, keeping up with changing compliance standards has become a more urgent requirement for IT teams everywhere — especially as new security tools are rolled out. Specifically with containers, the nature of these environments requires IT and legal managers to view compliance standards in a new way. A decade ago, compliance was an activity that a team of people conducted annually against a fairly static environment. However, with today’s threats and risks, compliance needs to transition into an ongoing activity that can be done continuously through software and deliver both visibility and policy enforcement.

Here are three points to consider when navigating compliance for containers:

1. The environment changes more frequently

As software becomes core to almost every organization’s mission, that software has to improve and adapt more quickly than in the past. That means continuous change as new features and capabilities are added. Processes that are built around rigid, manually performed annual audits aren’t responsive or efficient enough to protect these software supply chains. That doesn’t mean that traditional auditing goes away, but it does mean that it’s no longer enough.

To ensure you have the right defenses and mitigations against today’s threats, you need compliance tools that easily integrate into your workflows and can provide quality gates along the way. For example, it’s much safer and more efficient to make sure new apps are compliant before they’re allowed to be deployed, rather than reactively having to evaluate and mitigate them after they’ve already been deployed. Ensuring compliance is part of the workflows that lead to change is critical to managing that increased rate of change.

2. Developers are in the driver’s seat

Instead of going to an operations team to get an app up and running, developers often build and deploy it themselves. This means that many of the traditional workflows that organizations used to check for compliance before deploying new systems may no longer be in the loop. For example, in the past your operations team may have been responsible for ensuring PCI compliance before your retail app was updated. In a model in which the dev team can push that upgrade directly to production themselves, that manual check adds friction and delays to the process, if it happens at all.

Rather than relying on manual interaction, organizations can benefit from tools that integrate directly with the workflow and stress efficiency and prevention, rather than manual tasks and reaction. For example, a tool that can integrate with the build process itself, assess compliance automatically as part of each build, and fail builds that don’t meet that threshold, is both more efficient and safer than relying on manual processes. Increasingly, this automated approach will not just be desirable but virtually mandatory to keep up with the rate of change in typical environments.

3. Compliance for containers is still evolving

The compliance standards rolled out for organizations today weren’t written with containers in mind. While many of the same best practices around configuration management, documentation, and consistency are equally applicable to containers, container-specific compliance guidance isn’t as prevalent as guidance for more established technologies like virtual machines. Thus, organizations may need to do some additional work to understand how to map existing requirements to these new technologies.

The often-missed fact is that the very nature of containers can actually make compliance much easier and more effective over time. The fact that container technologies typically rely on declarative, self-documenting deployment approaches, and that they’re usually run in an immutable fashion, means that it’s easier for organizations to know what they’re deploying and whether it’s changed.

I’ve worked on a few guides to help those who work with containers manage compliance, including Twistlock’s PCI and HIPAA for Containers guides and the NIST Container Security Guide (SP 800-190) — and while they’re valuable aids, effective compliance is more about your own people and processes than the words printed in a guide. Helping those people operate more efficiently by using tools that integrate with your build and deployment processes is critical to successfully managing compliance in today’s rapidly changing software world.


John Morello is the Chief Technology Officer at Twistlock. As CTO, John leads the work with strategic customers and partners and drives the product roadmap. Prior to Twistlock, John was the CISO of Albemarle, a Fortune 500 global chemical company. Before that, John spent 14 years at Microsoft, in both Microsoft Consulting Services and product teams. He ran feature teams that shipped security technologies in Windows, Azure, and Office 365 and served as the Lead Architect of the hybrid cloud consulting team for the Americas.

John lives in Louisiana with his wife and two young sons. A passionate fisherman and scuba diver, he also serves as Chairman of the Coalition to Restore Coastal Louisiana.

The opinions expressed in this blog are those of John Morello and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.