| Name (Title) |
Immutable Service Container |
| Description |
An Immutable Service Container (ISC) is a specialized type of Secure Execution Container (SEC) that provides a security-reinforced environment within which a single application, job, or service can be run. Immutable Service Containers extend the core principles of the Secure Execution Container pattern in the following ways. The operating environment used to construct the ISC and the service running within the ISC must:
- implement the principles of a Secure Component.
- ensure that only a single logical application or service is implemented per ISC.
- activate and expose only those network services required for operation.
- restrict the initiation of outbound communication to those required for operation.
- use immutable files and directories for critical (read-only) items (where supported).
- use encrypted storage for critical (sensitive) items (where supported).
- operate with unique credentials (where appropriate) and least privilege for all of its operations.
- monitor and audit all security relevant operations.
- operate within a resource-controlled environment (where supported).
|
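The checklist above is the kind of thing an ISC template should be validated against before a service is deployed. The following is an added example, not code from the pattern description or from the OpenSolaris ISC implementation: it assumes two hypothetical inputs, a service manifest (what the service genuinely needs) and a container configuration (what the ISC actually enables), both modelled as plain dicts, and reports every principle the configuration fails to meet. The sample manifest and configurations are constructed for this example.

```python
"""Checklist validator for an Immutable Service Container (ISC) template.

Added example; the manifest/configuration dict layout is an assumption made
for illustration and is not the pattern's or OpenSolaris' own format.
"""

# Accounts shared by many services and therefore not "unique credentials"
# in the sense of the pattern (assumed list for this example).
SHARED_ACCOUNTS = {"root", "nobody", "daemon"}

# Resource controls an ISC is expected to run under (assumed for this example).
REQUIRED_RESOURCE_LIMITS = ("cpu", "memory")


def check_isc(service, container):
    """Return a list of findings; an empty list means the ISC meets the checklist."""
    findings = []

    # One logical application or service per ISC.
    if len(container["services"]) != 1:
        findings.append(f"runs {len(container['services'])} services; an ISC hosts exactly one")

    # Activate and expose only the network services the service requires.
    extra_in = set(container["exposed_ports"]) - set(service["requires_ports"])
    if extra_in:
        findings.append(f"exposes ports the service does not need: {sorted(extra_in)}")

    # Restrict outbound communication to what operation requires.
    allowed = {(r["host"], r["port"]) for r in container["outbound_allow"]}
    needed = {(r["host"], r["port"]) for r in service["requires_outbound"]}
    extra_out = allowed - needed
    if extra_out:
        findings.append(f"permits unneeded outbound flows: {sorted(extra_out)}")

    # Immutable files and directories for critical (read-only) items.
    writable = set(service["critical_paths"]) - set(container["immutable_paths"])
    if writable:
        findings.append(f"critical paths left writable: {sorted(writable)}")

    # Encrypted storage for critical (sensitive) items.
    plain = set(service["sensitive_paths"]) - set(container["encrypted_paths"])
    if plain:
        findings.append(f"sensitive paths stored unencrypted: {sorted(plain)}")

    # Unique credentials and least privilege.
    if container["run_as"] in SHARED_ACCOUNTS:
        findings.append(f"runs as shared account {container['run_as']!r}")
    extra_priv = set(container["privileges"]) - set(service["requires_privileges"])
    if extra_priv:
        findings.append(f"holds privileges beyond need: {sorted(extra_priv)}")

    # Monitoring and auditing of security-relevant operations.
    if not container["audit_enabled"]:
        findings.append("auditing is disabled")

    # Resource-controlled environment.
    missing = [r for r in REQUIRED_RESOURCE_LIMITS if r not in container["resource_limits"]]
    if missing:
        findings.append(f"no resource limit for: {missing}")

    return findings


# Constructed sample manifest for a single web front end.
WEB_SERVICE = {
    "requires_ports": [443],
    "requires_outbound": [{"host": "db-isc", "port": 5432}],
    "critical_paths": ["/usr", "/etc", "/opt/web/bin"],
    "sensitive_paths": ["/opt/web/keys"],
    "requires_privileges": ["net_privaddr"],
}

# Constructed ISC configuration that follows the checklist.
HARDENED = {
    "services": ["web"],
    "exposed_ports": [443],
    "outbound_allow": [{"host": "db-isc", "port": 5432}],
    "immutable_paths": ["/usr", "/etc", "/opt/web/bin"],
    "encrypted_paths": ["/opt/web/keys"],
    "run_as": "svc-web",
    "privileges": ["net_privaddr"],
    "audit_enabled": True,
    "resource_limits": {"cpu": 1, "memory": "512M"},
}

# Constructed configuration of the kind a generic, unspecialized template produces.
LAX = {
    "services": ["web", "sshd"],
    "exposed_ports": [22, 443],
    "outbound_allow": [{"host": "db-isc", "port": 5432}, {"host": "0.0.0.0/0", "port": 0}],
    "immutable_paths": ["/usr"],
    "encrypted_paths": [],
    "run_as": "root",
    "privileges": ["net_privaddr", "sys_admin"],
    "audit_enabled": False,
    "resource_limits": {},
}

if __name__ == "__main__":
    for finding in check_isc(WEB_SERVICE, LAX):
        print("-", finding)
```

Running it against `LAX` lists one finding per violated principle, while `HARDENED` produces none; the manifest is deliberately kept separate from the configuration so that "only what is required" can be checked rather than assumed.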
| Alias |
ISC |
| Intent |
The intent is to develop a set of well-defined and verifiable security metrics that can be used in the creation and validation of security-reinforced service containers. By providing a set of core guiding principles, implementers will more easily be able to develop security-reinforced containers within which a single application, job, or service can be run. |
| Motivation |
It is desirable in a distributed system to compartmentalize services because of the propensity for threats to manifest and spread themselves across different services. Further, it is important to ensure that the environment into which services are deployed is sufficiently protected using industry accepted, recommended security practices. By customizing an SEC to a single service, an ISC provides a more focused security configuration environment that reduces the attack surface and exposure to external threats. |
| Applicability |
The Immutable Service Container pattern can be used in any environment and with any service. It is especially important for those environments seeking stronger security protections for the purposes of risk reduction and attack mitigation. By compartmentalizing service delivery, ISCs can also be used in environments seeking to automate the (repeated) provisioning of their services (perhaps for horizontal scale), improve operational efficiencies (through change control and other IT service management techniques), and employ dynamic and/or autonomic computing architectural models. |
| Structure |
- Single Immutable Service Container

- Multiple Immutable Service Containers
|
| Participants |
- Service. A Service is the object that is installed and executed within the Immutable Service Container. It could be a composite application, a single service or a scheduled job. There are no restrictions on the type of service that can be used within an ISC. The actual service used will determine what security protections are needed in terms of the service itself, the ISC and the ISC Dock, which all work in concert to provide a strong security boundary.
- Immutable Service Container. The Immutable Service Container is an execution environment installed within an ISC Dock used to execute a given Service.
- Immutable Service Container Dock. The Immutable Service Container is managed by an ISC Dock. An ISC Dock offers a way of aggregating one or more ISCs (on a single logical system). The ISC Dock also provides additional security protections such as centralized log and audit collection, resource control (e.g., compute, storage, and memory capacity, network bandwidth, etc.), and also network-level protections to ensure that ISCs only communicate in accordance with a defined policy.
- External Networking Boundary. This is actually a component of the ISC Dock. Only for the sake of clarity was it shown to be a separate entity in the above diagrams. It should be considered to be a functional element of the ISC Dock.
- Security Controls. There are a variety of security controls that can be implemented by the ISC and ISC Dock. The nature of these controls will vary based upon the implementation model chosen. In the representative diagram above, several representative examples have been shown. Additional security controls should be selected as appropriate.
|
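The ISC Dock's three responsibilities described above (resource control, network policy between ISCs and the external boundary, and centralized audit collection) can be modelled together. The following is an added example and not code from the pattern or from OpenSolaris; the `Dock` API (`admit`, `allow_flow`, `permits`) and the two-tier web/database layout are assumptions constructed for illustration.

```python
"""Minimal model of an ISC Dock: capacity-checked admission of ISCs,
default-deny network policy, and a central audit log of every decision.

Added example; the Dock API is an assumption made for this illustration.
"""
from dataclasses import dataclass, field

# The External Networking Boundary, modelled as a peer in the flow policy.
EXTERNAL = "external"


@dataclass
class Dock:
    cpu_capacity: int
    memory_capacity_mb: int
    isc_limits: dict = field(default_factory=dict)  # name -> (cpu, memory_mb)
    flows: set = field(default_factory=set)          # allowed (src, dst, port)
    audit_log: list = field(default_factory=list)    # centralized audit records

    def _used(self):
        cpu = sum(c for c, _ in self.isc_limits.values())
        mem = sum(m for _, m in self.isc_limits.values())
        return cpu, mem

    def admit(self, name, cpu, memory_mb):
        """Place an ISC in the dock only if its caps fit the remaining capacity."""
        used_cpu, used_mem = self._used()
        if used_cpu + cpu > self.cpu_capacity or used_mem + memory_mb > self.memory_capacity_mb:
            self.audit_log.append(("admit", name, "denied", "capacity exceeded"))
            return False
        self.isc_limits[name] = (cpu, memory_mb)
        self.audit_log.append(("admit", name, "allowed", f"cpu={cpu} mem={memory_mb}MB"))
        return True

    def allow_flow(self, src, dst, port):
        """Permit one flow; endpoints must be docked ISCs or the external boundary."""
        for end in (src, dst):
            if end != EXTERNAL and end not in self.isc_limits:
                raise ValueError(f"unknown ISC {end!r}")
        self.flows.add((src, dst, port))

    def permits(self, src, dst, port):
        """Default-deny policy check; every decision is recorded centrally."""
        decision = (src, dst, port) in self.flows
        outcome = "allowed" if decision else "denied"
        self.audit_log.append(("flow", f"{src}->{dst}:{port}", outcome, ""))
        return decision

    def denied_events(self):
        """Audit records the dock rejected, for review by a central monitor."""
        return [r for r in self.audit_log if r[2] == "denied"]


def build_two_tier_dock():
    """Constructed sample: a web ISC reachable from outside, a database ISC reachable only from it."""
    dock = Dock(cpu_capacity=4, memory_capacity_mb=4096)
    dock.admit("web-isc", cpu=1, memory_mb=512)
    dock.admit("db-isc", cpu=2, memory_mb=2048)
    dock.allow_flow(EXTERNAL, "web-isc", 443)
    dock.allow_flow("web-isc", "db-isc", 5432)
    return dock


if __name__ == "__main__":
    dock = build_two_tier_dock()
    print("external -> db-isc:5432 permitted?", dock.permits(EXTERNAL, "db-isc", 5432))
    for record in dock.denied_events():
        print("denied:", record)
```

The policy is a whitelist of (source, destination, port) triples, so a flow that nobody declared, such as the external boundary reaching the database ISC directly, is denied and the denial lands in the dock's central log rather than in whichever ISC happened to see it.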
| Collaboration |
As noted above. |
| Consequences |
The primary benefit of the ISC pattern is the reduction of one's attack surface through service isolation, privilege management and underlying resource constraints. Essentially, the use of this pattern will provide a secure foundation upon which the Service can be deployed. Unfortunately, while a generic ISC template can easily be created and used, the actual ISC implementation will by its very nature be specific to the service that it is running. New services may not be easily added to an existing ISC without additional installation and configuration of the Service, the ISC and perhaps the ISC Dock. Also, creating an IT ecosystem with a large number of (service-specific) ISCs requires a level of operational maturity due to the need for strong configuration and change management, automated construction and provisioning, etc. That said, those organizations possessing this level of operational maturity may also be able to use ISCs as an architectural building block for more advanced autonomic security operations. |
| Implementation |
OpenSolaris ISCs |
| Known uses |
OpenSolaris and Solaris Zones, VirtualBox VMIs |
| Related patterns |
Secure Execution Container, Immutable Service Container Dock |
| Author |
Rafat Alvi, Glenn Brunette, Joel Weise |
| Reviewer |
Joel Weise |