Understanding Kubernetes Compliance and Security Frameworks

There’s a reason why Kubernetes (K8s) has become the world’s leading container orchestration platform, with 74% of today’s IT companies using it for containerized workloads in production. It’s often the simplest way to handle container configuration, deployment and management at scale. But while Kubernetes has made use of containers easier, it has also added complexities when it comes to security.

Kubernetes’ default configurations don’t always provide optimal security for all workloads and microservices deployed. Plus, today you are responsible not only for defending your environment against vicious cyberattacks but also for meeting a wide variety of compliance requirements.

FinConDX 2021

Compliance has become crucial for ensuring business continuity, preventing reputational damage and establishing the risk level for each application. Compliance frameworks aim to address security and privacy concerns through easy monitoring of controls, team-level accountability and vulnerability assessment—all of which present unique challenges in a K8s environment.

To fully secure Kubernetes, a multi-pronged approach is needed: Clean code, full observability, preventing the exchange of information with untrusted services and digital signatures. One must also consider network, supply chain and CI/CD pipeline security, resource protection, architecture best practices, secrets management and protection, vulnerability scanning and container runtime protection. A compliance framework can help you systematically manage all this complexity. 

Let’s examine five major frameworks and how they can help your business use Kubernetes more securely.

1. The Center for Internet Security (CIS) Kubernetes Benchmark

The Center for Internet Security (CIS), a longstanding global security organization, has created its Kubernetes Benchmark as “an objective, consensus-driven security guideline” to provide industry-standard recommendations for cluster component configurations and harden Kubernetes security posture. Level one recommendations are relatively simple to implement while providing major benefits, often without affecting business functionality. Level two, or “defense in depth” recommendations are suitable for mission-critical environments requiring a more comprehensive strategy.

CIS also offers tools that ensure cluster resources comply with benchmarks and generate alerts for non-compliant components. The CIS framework works with all Kubernetes distributions.

Pros: Strict and widely accepted blueprint for configuration settings.

Cons: Not all recommendations are relevant to all organizations and must be assessed accordingly.

2. NIST Application Container Security for Kubernetes

The U.S. government’s National Institute of Standards and Technology (NIST) provides a specialized Application Container Security Guide as part of its voluntary framework. The guide highlights security challenges of a Kubernetes environment—including images, registry, orchestrator, container and host OS—and offers countermeasures based on best practices.

For example, NIST advises taking advantage of Kubernetes’ (or other orchestrators’) ability to provide native management of sensitive information, securely provisioning this data into a web application container at runtime, while ensuring that only the web application container has access to this sensitive data and that data is not persisted to disk.

Pros: Trusted, standardized risk management methodologies.

Cons: Requirements may be ambiguous, requiring expertise to implement appropriately.

3. NSA & CISA Kubernetes Hardening Guidance

The National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) have recently published their Kubernetes Hardening Guidance that describes and details specific threats to Kubernetes clusters and offers mitigation guidance in five key areas:

  • Kubernetes pod security
  • Network separation and hardening
  • Authentication and authorization
  • Log auditing
  • Upgrading and application security practices

The report highlights compromises in supply chain risks from malicious actors and insider threats at the infrastructure level, identifying common vulnerabilities and recommending best practices to avoid misconfiguration.

Pros: Very detailed, hands-on, practical, Kubernetes-specific advice.

Cons: Does not include recommendations for container life cycle security management.

4. The MITRE ATT&CK® Matrix for Kubernetes

The Threat Matrix for Kubernetes, developed from the widely recognized MITRE [email protected] (Adversarial Tactics, Techniques & Common Knowledge) Matrix, takes a different approach based on today’s leading cyberthreats and hacking techniques.

This matrix is used for threat modeling across the adversary’s attack life cycle and across commonly targeted platforms, providing both indicators of compromise and indicators of attack. The adversarial approach allows all security and penetration teams to craft robust threat modeling and a more comprehensive response toward attacks.

Pros: Extensive, up-to-date database of adversary tactics.

Cons: Complex, expensive framework to implement, with ambiguous guidance rather than precise mitigation steps.

5. PCI DSS Compliance for Kubernetes

The Payment Card Industry Data Security Standard (PCI DSS) is a set of mandatory technical and operational requirements required of every organization that stores, processes or transmits payment card data. Its central principle is segmenting the environment where cardholder data is stored and processed. In Kubernetes, this is done using logical, network and service-level segmentation.

While containers and microservices are not directly addressed in the core PCI DSS standards, a Cloud Computing Guidelines supplement offers guidelines for container orchestration.

In Kubernetes, certain attributes of open source packaging, container lifespan, sprawl‍ and connectivity all complicate PCI DSS compliance. Further, when processing transactions, containers communicate with several other components on the platform. 

For example, if you have one or more containers running within one or more dedicated Kubernetes servers, you are responsible for ensuring that scope, segmentation and validation—along with isolation between customers’ data—meets PCI DSS requirements.

Pros: Mandatory for companies handling payment card data; builds consumer confidence.

Cons: Guidance is ambiguous and is technology-agnostic, so implementation requires specialized expertise.

Summary

Kubernetes has brought tremendous benefits like speed and agility. Compliance with frameworks such as those explored here can help minimize any accompanying risks. It’s crucial to guide your team toward industry best practices and adopting one or more of these frameworks is often the best way to standardize vulnerability assessment and ongoing security.

While compliance may take some upfront work, the payoff in resilience and long-term business continuity will be worth it. In many cases, organizations discover additional benefits such as optimization and eliminating inefficient processes and services. This may lead to cloud savings as well as lessening your team’s administrative burden in the long run, while comprehensively protecting the Kubernetes environment and ensuring that best-practice compliance is achieved.

You can read more, see a list of the available tools for each framework and view a table that compares the pros and cons of each framework here.

Jonathan Kaftzan

Jonathan Kaftzan is vice president of marketing and business development at ARMO.

Jonathan Kaftzan has 2 posts and counting. See all posts by Jonathan Kaftzan