For many industries, meeting compliance requirements is a necessary part of doing business. Compliance concerns were initially a hurdle to building and running containerized, cloud-native applications, but frameworks and technologies are evolving rapidly to make comprehensive compliance achievable in a cloud-native environment. The major compliance frameworks relevant to containerized applications are described below.
Compliance is ultimately about ensuring that your applications are secure. Compliance frameworks also require that organizations be able to prove to a third party that the applications remain secure over time, however, so meeting them can be more demanding than simply securing the application: it also means collecting and retaining the records (audit logs, configuration baselines, scan results) that demonstrate continual compliance.
Compliance is costly, but failing to meet compliance standards can be even more expensive. The average cost of fines related to compliance violations is nearly three times the average cost of meeting compliance requirements.
Compliance standards can also be an important part of how organizations set security governance policies. Instead of creating guidelines from scratch, organizations, even those that are not required to meet a specific framework, can use compliance frameworks as a starting point for setting their own internal policies.
CIS Benchmarks: Developed by the Center for Internet Security, the CIS Benchmarks provide configuration best practices for containers (specifically the Docker runtime) and for Kubernetes. They are voluntary and not binding for any industry, but auditors frequently use them as a yardstick.
NIST 800-190: NIST Special Publication 800-190, the Application Container Security Guide, is one of many cybersecurity publications from the National Institute of Standards and Technology. It is guidance rather than a binding regulation, but U.S. federal government agencies and their contractors, which are held to NIST standards under FISMA, are generally expected to follow it when deploying containers.
PCI: Developed by the PCI Security Standards Council, a partnership of five major payment card brands, the Payment Card Industry Data Security Standard (PCI DSS) covers organizations that store, process, or transmit cardholder data.
HIPAA: The technical safeguards in the HIPAA Security Rule govern how organizations that create, receive, maintain, or transmit individually identifiable electronic protected health information (ePHI) must protect it.
Last updated: May-31-2020
- SOC 2 compliance in container and Kubernetes environments
- Guide to PCI compliance in container environments
- Guide to NIST compliance in container environments