
Context

My company is developing a SaaS solution that needs to conform to PCI-DSS L1 for sure, and possibly FedRAMP and other frameworks later.

We can do continuous deployment with feature-flagged/canary releases, with multiple releases a day. Because of that, we don't really need explicit versioning of the releases (we do version the interfaces and APIs), so we tag our container images with the short Git SHA.

Question

Are you aware of a PCI-DSS requirement (or one in another widely used governance framework) that expects container images to be kept around for, e.g., 18 months?

We are concerned about the number of container images that will hang around for no practical use. We already know the Git SHA for historical investigation, and we are able to rebuild the image from it if necessary.

MarianD
aries1980

1 Answer


At the moment there are no specific PCI guidelines for container-based deployments (although containers are mentioned in their cloud guidelines), and I'm not aware of any specific requirements around image retention. There are some guidelines in development, but they've not been released as yet.

It might come up in relation to incident response/forensics, but realistically I'd expect more emphasis to be placed around audit logging at the container, runtime and orchestrator level. Retention of images doesn't really make a huge amount of sense, even there.

Rory McCune