On March 16, the Federal Risk and Authorization Management Program (FedRAMP) released supplemental requirements for vulnerability scanning of containers. FedRAMP provides a standardized approach to security assessments for cloud offerings for all federal agencies.
Background – Why FedRAMP was created
Before its adoption in 2012, Cloud Service Providers (CSPs) had to deal with different requirements from each U.S. government agency for cloud usage. FedRAMP standardized the requirements for all U.S. government agencies, so if a CSP meets FedRAMP standards, all agencies are able to use those services. AWS GovCloud, Google Cloud, and Azure Government Cloud are examples of CSPs that meet FedRAMP requirements for many of their services.
Impact on Cloud Service Providers and Independent Software Vendors
The impact of FedRAMP is not just on CSPs, but on Independent Software Vendors (ISVs) as well. These software vendors provide solutions in the form of SaaS, images, and containers, among other delivery mechanisms, that must have FedRAMP authorizations. Such authorizations allow these solutions to run in AWS GovCloud, Google Cloud, Azure Government Cloud, etc. in order to be used by government agencies. With the March 16th supplemental requirements, containerized systems must be periodically scanned and continuously monitored in order to be FedRAMP compliant.
For ISVs and other organizations, such as research institutes, that supply solutions to U.S. Government agencies, governance, compliance, and security monitoring are already a complex endeavor. Containers add many new challenges to security and compliance. Containers, and by extension the microservices that they contain, typically increase data and network traffic volumes due to their interconnected architectures. Environments are ever-changing as short-lived containers and their applications are constantly coming and going. Rule-based monitoring of such dynamic environments can be time-consuming and complex, and the solution is only as good as its monitoring rules. As such, fine-tuning the rules and curating the alerts can be a full-time job. No one wants false negatives at 3:00 a.m.
Using Advanced Anomaly Detection
Leading-edge solutions now use anomaly detection, rather than complex rule sets, to identify issues. Machine learning and artificial intelligence algorithms are applied to the many data sources in these environments. By understanding the 'baseline' and detecting deviations from it, this approach makes alert detection significantly more accurate.
Container-specific monitoring solutions exist, but they may not be the optimal choice or fit into existing processes. A more unified approach to security and compliance monitoring for containers and infrastructure might be a better solution. A 'single pane of glass' solution for all assets simplifies monitoring, shortens the Mean Time to Detection (MTD), and can solve the monitoring issue for FedRAMP authorization. Innovative companies like Lacework can provide a solution for a significant part of the problem.
For more information on cohesive solutions or recommendations for compliance with the new FedRAMP requirements, please use our Contact Us page.