Democratizing Container Certification

by | Jun 15, 2017

Today Red Hat announced a new certification program for container images. Key to this announcement is the concept of a container health index that is used to grade a container which is “determined by Red Hat’s evaluation of the level of critical or important security errata that is missing from an image”.

Certifications are certainly not a new thing for Red Hat, it could be said that Red Hat built their enterprise business on top of an industry leading certification program. Enterprises need to have confidence in their deployments, to know that when they deploy an application it will work, it will be secure, it can be maintained, and it will be performant. In the past this confidence came through certification. In the early days of Linux, Red Hat really set the standard and worked with hardware and software vendors on certification programs to give a level of assurance to end users that the operating system would run reliably on their hardware and also offer insurance in the form of enterprise grade commercial support if they encountered issues.

One Size Doesn’t Fit All

Today the problem is more complex and there can no longer be just a single certification. For example, the requirements of a financial services company are different to the requirements of a healthcare company handling medical records, and these are different to the needs of federal institution and so on. Even the needs of individual departments within any given organization may be different.

What is needed now is for IT operations and security to be able to define their own certification requirements, which may differ even from application to application, allowing them to define these policies and evaluate them before applications are deployed into production.
What we are talking about is the democratization of certification.
Rather than placing certification in the hands of a small number of vendors or standards bodies, organizations need to define what certification means to them.
Anchore’s goal is to provide a toolset that allows developers, operations, and security teams to maintain full visibility of the ‘chain of custody’ as containers move through the development lifecycle, while providing the visibility, predictability, and control needed for production deployment.

At the heart of Anchore’s solution is the concept of users certifying container images based on rules that they define. In the past, certifications for applications typically came from operating systems vendors who defined their own standards and worked with independent software vendors (ISVs) on certification programs to give a level of assurance to end users that the application was compatible with the underlying operating system. Other organizations have created standards and certification tests to cover various forms of compliance validation, especially in the government sector or regulated industries.

Container Certification on Your Terms

Today the baseline feature set for container security is a CVE scan and that’s certainly required but it’s just the first step. An image may contain no operating system CVEs but may still be insecure, mis-configured or in some other way out of compliance. Container images typically contain hundreds, often thousands of files – some coming from operating system packages, some from configuration files, some from 3rd party software libraries such as Node.JS NPMs, Ruby GEMs, Python modules, Java Archives, and some may be supplied by the user. Each one of these artifacts should undergo the same level scrutiny as the operating system packages.

I’m sure that the policies you have in place today for your traditional deployments are more than just ensuring that you’ve update all operating system packages. While these policies should cover security, starting with the ubiquitous CVE scan, they should go further to analyze configuration of key security components for example, you could have the latest version of the Apache or NGINX web server but have configured the wrong set of TLS Ciphers suites leading to insecure communication. Outside of security, certification policies should cover application specific configurations to comply with best practices or to enable consistency and predictability. With Anchore organizations can define policies and certify containers on their terms – applying the specific policies that matter to them which can even be workload specific and these policies can be applied to any operating system.

As we move away from traditional IT models toward cloud, PaaS, containers and hybrid deployments, the operating system becomes less visible and applications become the focus. However, the operating system is still critical whether as part of a container or underpinning your PaaS platform, and as such it should be secure and well maintained. Some of Anchore’s users have policies requiring that containers should only be built on top of Red Hat Enterprise Linux (RHEL) since this is their corporate standard. Others may use different base operating systems but apply a consistent set of policies to all of these images. Tthis becomes especially important as organizations may consume containers from many sources, including freely available containers on public registries as well as containers provided by software vendors.

With Anchore you own the certification.

You can learn more about Anchore’s certification tools here and you can sign up for Anchore’s Navigator to allow you to search for containers, analyze their content and certify them based on your requirements.

Questions? Send us a message