Understanding ISO 27001 Compliance for Containers and Cloud

Wouldn’t it be great if there were a worldwide standard that established security management best practices for every organization to follow?

It turns out that there is: it’s called ISO 27001, which is an international compliance framework that includes more than 100 security controls for organizations to follow when designing and managing IT systems.

This article explains what ISO 27001 compliance means, then discusses how it can be applied to modern, cloud-native environments, including those based on containers.

What Is ISO 27001?

ISO 27001 is an international information security standard. It’s defined by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). (Because of the IEC’s involvement, the standard is sometimes referred to as ISO/IEC 270001 rather than just ISO 27001; practically speaking, these terms mean the same thing.)

The standard was first published in 2005, and it received a major revision in 2013. There have been other, less extensive revisions since then.

What Are the ISO 27001 Requirements?

The ISO and IEC have published a number of documents that define what ISO 27001 compliance entails. You can find them in the ISO information library, which includes the formal ISO 27001 publication itself along with a variety of supporting documentation.

The short version of ISO 27001 compliance, however, is that it is based on 14 categories of security controls:

1. Information security policies: Organizations should define security policies that apply across all systems and assets they own or manage.
2. Organization of information security: Organizations should implement a specific framework for enforcing information security policies.
3. Human resource security: Organizations should define security policies for employees, as well as outside stakeholders like vendors and partners.
4. Asset management: Organizations should systematically manage the assets they own and implement adequate security controls for each one.
5. Access control: Organizations must restrict access to the least necessary for employees to do their jobs.
6. Cryptography: Organizations should use cryptographic techniques like encryption to protect sensitive data.
7. Physical and environmental security: Organizations must ensure physical security for their assets.
8. Operations security: This family includes a number of operational policies and procedures for organizations to follow when implementing security operations.
9. Communications secrecy: Organizations must secure network communications.
10. System acquisition, development, and maintenance: Security should be integrated into asset lifecycle management.
11. Supplier relationships: Organizations must require reasonable security controls from their supplier and supply chains.
12. Information security incident management: Organizations must implement effective procedures for responding to and reporting security incidents.
13. Information security aspects of business continuity management: Organizations should establish procedures for maintaining business continuity in the wake of security incidents.
14. Compliance: Organizations must determine which regulatory requirements govern them and make sure they take steps to comply with those laws.

As you’ll notice if you read through that list, some of these control families focus more than others on how IT resources like cloud and container environments are managed. For IT teams and developers, the most important ISO 27001 controls are numbers 1, 2, 6, and 8 on the list above.

That said, because all of the controls inform how IT security is applied to the business as a whole, technical stakeholders should familiarize themselves with the ISO 27001 requirements in general, even if considerations like human resource security is not their main purview.

Who Must Follow ISO 27001?

Because ISO 27001 is an international standard defined by non-governmental organizations, it is not a regulatory compliance framework. No organization is legally required to comply with it, and there are no penalties for failing to conform to the ISO 27001 standards.

However, many businesses choose to use the ISO 27001 framework to define the best practices that they should follow when managing IT security. Doing so serves two main goals:

• Proving a commitment to security: The ability to demonstrate ISO 27001 compliance can help businesses prove to partners and customers that they have implemented effective information security controls.
• Discovering compliance risks: ISO 27001 compliance audits may help organizations discover security risks or vulnerabilities that would trigger fine-inducing compliance violations under regulatory frameworks. If a voluntary ISO 27001 audit identifies vulnerabilities, businesses can take steps to address them before they result in fines or sanctions under a regulatory compliance law like the GDPR or HIPAA.

Implementing ISO 27001 Controls in the Cloud

Like most compliance frameworks, the ISO 27001 controls don’t strictly define specific tools, processes, or practices that businesses must implement to secure cloud environments. Instead, they leave it up to organizations to determine how to interpret the security controls and apply them to the cloud. There are therefore many approaches to ISO 27001 compliance in the cloud, and not all businesses will use the same practices.

Nonetheless, there are some general best practices to consider for ISO 27001 cloud compliance.

Choose a Compliant Cloud Vendor

First and foremost, make sure your public cloud vendor (or vendors) is certified for ISO 27001 compliance on their own infrastructure.

This is not hard to do. In general, all of the major public clouds are ISO 27001-compliant, but there are some nuances. For example, on AWS, only specific cloud regions are currently certified for ISO 27001 compliance. You can also review cloud providers’ audit reports (such as those that Azure offers here) to assess how well they have demonstrated ISO 27001 compliance.

Use Cloud Auditing and Compliance Tools

Choosing an ISO 27001-compliant cloud doesn’t guarantee full ISO 27001 compliance for customers, of course. Cloud providers can only ensure compliance for their own infrastructure or other resources that they manage under the shared responsibility model. Responsibility for complying with ISO 27001 within applications or data that customers deploy to the cloud falls to customers.

Auditing and compliance tools can help ensure that customer-deployed workloads are ISO 27001-compliant. These tools automatically scan cloud environments and their associated configurations, then assess whether they meet predefined compliance standards. Cloud vendors offer some such tools, such as Azure Blueprint. However, external auditing tools may prove more useful for businesses that use more than one public cloud, or that have a hybrid cloud environment.

Use Cloud IAM

Cloud Identity and Access Management (IAM) frameworks are the main tool within cloud environments for implementing the access controls that ISO 27001 requires. In addition to creating IAM policies, organizations should ensure that they audit their IAM configurations to detect oversights that might create access control risks.

Data Encryption

Enabling data encryption by default is another standard practice for implementing the cryptography controls defined by ISO 27001. Approaches to data encryption in the cloud will vary from one type of cloud service to another, but the core goal should be to ensure that data is always encrypted unless there is a specific reason for it not to be. For example, if you use an object storage service like AWS S3, configure default server-side data encryption for your storage buckets.

Network Isolation

Virtual Private Clouds and other virtualized network abstractions can help to isolate workloads within the cloud. This provides another means of enforcing access controls as well as implementing some of the ISO 27001 network security controls.

ISO 27001 Compliance for Containers

ISO 27001 also doesn’t offer specific prescriptions for securing containers, but a few general best practices apply for a container-based environment.

Image Scanning

Scanning container images helps to meet the operational security controls of ISO 27001, especially those that deal with malware detection.

Audit Logging

Kubernetes audit logs are another means of detecting vulnerabilities and risks under the terms of ISO 27001 operational security standards.

Access Control

In addition to using cloud IAM tools to manage access for cloud services, consider using container-specific controls, such as Kubernetes RBAC and security contexts, to enforce granular access controls within container environments.

Conclusion

No one is legally mandated to comply with ISO 27001, but achieving ISO 27001 compliance is a best practice for demonstrating effective security controls to partners and customers, as well as nipping regulatory compliance risks in the bud. And while ISO 27001 doesn’t offer specific security guidelines for cloud and container environments, there are a number of tools and practices that can effectively implement ISO 27001 controls in modern, cloud-native contexts.