
IS AUDIT/ASSURANCE PROGRAM: APPLICATION CONTAINERS

CONTENTS
Audit Subject: Application Containers
Audit Objectives
Audit Scope
Business Impact and Risk
Minimum Audit Skills
Testing Steps
Acknowledgments

© 2018 ISACA. All Rights Reserved.



ABSTRACT
The IS Audit/Assurance Program for Application Containers will assist IT auditors in their
assessments of application container deployments.




Audit Subject: Application Containers
Application virtualization allows the number of applications in a hosted environment to be increased without a corresponding increase in the number of servers. Applications can also be ‘segmented’ into more manageable sizes of data rather than pushing the entire application to a device. A reduced number of servers through virtualization and better deployment techniques help enterprises cut costs and implement changes faster. As enterprises search for ways to implement change even faster, the challenge of maintaining consistency and reliability as software is migrated from one computing environment to another is exacerbated.

Application containers can mitigate this challenge because they consist of the application and all of the application’s dependencies, such as libraries and configuration files. To provide assurance that application containers enhance consistency and reliability, ISACA’s IS Audit/Assurance Program for Application Containers covers preservation of data integrity through all phases of application containerization (planning, development, deployment, maintenance and destruction). Assurance is achieved by tests in the following areas:
• Risk analysis and management
• Security awareness and training
• Images
• Registry
• Orchestrator
• Application security during development
• Secure connections
• Hardening
• Container destruction

Audit Objectives
The primary purpose of this audit program is to assist IT auditors in their assessments of application container deployments. Accordingly, this audit program supports assurance across several domains:
• Safeguarding the host operating system by deactivating unnecessary services
• Mitigating risks associated with use of a shared kernel, which is inherent in the application container infrastructure
• Providing confidentiality of network traffic between application containers on the same host
• Clarifying roles and responsibilities, given that developers play a bigger security role in application containerization

Audit Scope
The audit program addresses the host operating system, network, container runtime and images of application containers, including, but not limited to, Docker® and Rocket®.




Business Impact and Risk
Application containers share the same operating system kernel; if a malicious actor gains access to the container environment, lateral movement is possible and may result in access to all containers. Whenever an enterprise fails to monitor application container environments, unauthorized connections and/or malicious traffic may go undetected. Unauthorized access that remains undetected can result in compromise of data.

Traditional security solutions such as intrusion prevention systems (IPSs) and web application firewalls (WAFs) may be unable to detect vulnerabilities within containers.1 As a result, adopting a dedicated container security solution is more effective in preventing and detecting threats directed at containers.
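As an added example (not part of the ISACA program or its spreadsheet of testing steps), the Python below screens container runtime settings that weaken the shared-kernel isolation described in this section and that the Audit Objectives target: privileged mode, host PID/network/IPC namespaces, added kernel capabilities and the no-new-privileges option. The record shape follows the HostConfig section of Docker's `docker inspect` output; the sample records and the capability threshold are constructed assumptions.

```python
"""Added audit helper (not part of the ISACA program): screen container
runtime settings that weaken shared-kernel isolation.  Records are shaped
like the HostConfig section of `docker inspect`; samples are constructed."""
import json

# Constructed sample: one cautiously configured container and one that
# runs privileged and shares host namespaces (assumed for illustration).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "HostConfig": {
        "Privileged": False, "PidMode": "", "NetworkMode": "bridge",
        "IpcMode": "private", "CapAdd": None,
        "SecurityOpt": ["no-new-privileges"]}},
    {"Name": "/debug", "HostConfig": {
        "Privileged": True, "PidMode": "host", "NetworkMode": "host",
        "IpcMode": "host", "CapAdd": ["SYS_ADMIN", "CHOWN"],
        "SecurityOpt": None}},
])

# Capabilities whose addition is reported (assumed threshold, not a list
# from the ISACA program).
RISKY_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN"}

def findings_for(container):
    """Return finding strings for one inspect record (empty if clean)."""
    hc = container.get("HostConfig") or {}
    name = container.get("Name", "?").lstrip("/")
    out = []
    if hc.get("Privileged"):
        out.append(f"{name}: privileged mode grants wide access to the shared kernel")
    # A host namespace exposes host processes, sockets or IPC to the container.
    for key in ("PidMode", "NetworkMode", "IpcMode"):
        if hc.get(key) == "host":
            out.append(f"{name}: {key}=host shares the host namespace")
    for cap in sorted(set(hc.get("CapAdd") or []) & RISKY_CAPS):
        out.append(f"{name}: added kernel capability {cap}")
    opts = hc.get("SecurityOpt") or []
    if not any(o.startswith("no-new-privileges") for o in opts):
        out.append(f"{name}: no-new-privileges not set")
    return out

def audit(inspect_json):
    """Parse `docker inspect` style JSON; map container name -> findings."""
    result = {}
    for container in json.loads(inspect_json):
        findings = findings_for(container)
        if findings:
            result[container.get("Name", "?").lstrip("/")] = findings
    return result
```

Running `audit(SAMPLE_INSPECT)` reports only the `debug` container; on a live host the same function can be fed the output of `docker inspect $(docker ps -q)`.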

Minimum Audit Skills
The audit program assumes that auditors exercise due professional care and possess professional competencies culminating in the proficiency to conduct an audit. ITAF Standard 1005 and ITAF Guideline 2005 (Due Professional Care) require the auditor to exercise professional skepticism and maintain effective communication throughout the course of an audit. ITAF Standard 1006 and ITAF Guideline 2006 (Proficiency) require the auditor to have technical skill, knowledge and/or experience in the areas under assessment. This expectation is particularly relevant to auditors who do not hold the CISA or other appropriate designation.

Testing Steps
Refer to the accompanying spreadsheet file.

1 US National Institute of Standards and Technology, Special Publication 800-190 Application Container Security Guide, September 2017, https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-190.pdf




Acknowledgments
ISACA would like to recognize:

Lead Developer
Robin Lyons, CISA, CIA, USA

Expert Reviewers
Larry Marks, CISA, CRISC, CISM, CGEIT, CFE, CISSP, ITIL, PMP, USA
Sergiu Sechel, CISA, CRISC, CISM, CEH, CSSLP, PMP, Romania
Shruti Shrikant Kulkarni, CISA, CRISC, CCSK, CISSP, ITILv3 Expert, UK
R.V. Raghu, CISA, CRISC, Versatilist Consulting India Pvt. Ltd., India
Gabriela Reynaga, CISA, CRISC, COBIT 5 Foundation, GRCP, Holistics GRC, Mexico
Gregory Touhill, CISM, CISSP, Cyxtera Federal Group, USA
Ted Wolff, CISA, Vanguard, Inc., USA
Tichaona Zororo, CISA, CRISC, CISM, CGEIT, COBIT 5 Assessor, CIA, CRMA, EGIT | Enterprise Governance of IT, South Africa

ISACA Board of Directors
Rob Clyde, Chair, CISM, Clyde Consulting LLC, USA
Brennan Baybeck, Vice-Chair, CISA, CRISC, CISM, CISSP, Oracle Corporation, USA
Tracey Dedrick, Former Chief Risk Officer with Hudson City Bancorp, USA
Leonard Ong, CISA, CRISC, CISM, CGEIT, COBIT 5 Implementer and Assessor, CFE, CIPM, CIPT, CISSP, CITBCM, CPP, CSSLP, GCFA, GCIA, GCIH, GSNA, ISSMP-ISSAP, PMP, Merck & Co., Inc., Singapore
Theresa Grafenstine, ISACA Board Chair, 2017-2018, CISA, CRISC, CGEIT, CGAP, CGMA, CIA, CISSP, CPA, Deloitte & Touche LLP, USA
Chris K. Dimitriadis, Ph.D., ISACA Board Chair, 2015-2017, CISA, CRISC, CISM, INTRALOT, Greece
Robert E Stroud, ISACA Board Chair, 2014-2015, CRISC, CGEIT, XebiaLabs, Inc., USA
Matt Loeb, CGEIT, CAE, FASAE, Chief Executive Officer, ISACA, USA




About ISACA
Nearing its 50th year, ISACA® (isaca.org) is a global association helping individuals and enterprises achieve the positive potential of technology. Technology powers today’s world and ISACA equips professionals with the knowledge, credentials, education and community to advance their careers and transform their organizations. ISACA leverages the expertise of its half-million engaged professionals in information and cyber security, governance, assurance, risk and innovation, as well as its enterprise performance subsidiary, CMMI® Institute, to help advance innovation through technology. ISACA has a presence in more than 188 countries, including more than 217 chapters and offices in both the United States and China.

1700 E. Golf Road, Suite 400, Schaumburg, IL 60173, USA
Phone: +1.847.660.5505
Fax: +1.847.253.1755
Support: support.isaca.org
Website: www.isaca.org
Provide Feedback: www.isaca.org/application-containers
Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: www.twitter.com/ISACANews
Join ISACA on LinkedIn: www.linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ

DISCLAIMER
ISACA has designed and created the IS Audit/Assurance Program for Application Containers (the “Work”) primarily as an educational resource for IT audit professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, IT audit professionals should apply their own professional judgments to the specific circumstances presented by the systems or information technology environment.

Reservation of Rights
© 2018 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written authorization of ISACA.

IS Audit/Assurance Program: Application Containers
ISBN 978-1-60420-629-6

