Alcide announced today that it has added support for both the Payment Card Industry Data Security Standard (PCI DSS) and the European Union's General Data Protection Regulation (GDPR) to the Alcide Kubernetes Security Platform.
Company CTO Gadi Naor says organizations can now scan Kubernetes clusters to check that they remain continuously compliant with either set of requirements.
Alcide already provides tools that use machine learning algorithms to flag issues such as failures against Center for Internet Security (CIS) Benchmarks, misplaced secrets, excessive access to secrets, deviations from best practices for ingress controllers, and deviations from best practices for deploying Kubernetes on Amazon Web Services (AWS).
Naor says the challenge organizations such as retailers face is that, in addition to navigating increasingly complex requirements such as PCI DSS, they are deploying a Kubernetes platform that, given all its capabilities, is easy to misconfigure. Retailers are expected to produce audit trails showing that their Kubernetes deployments are continuously compliant with a PCI DSS standard that requires cardholder data to be protected at all times. The Alcide Kubernetes Security Platform can verify, for example, that a firewall has been properly configured to protect cardholder data.
The PCI DSS standard is especially challenging because it was written before Kubernetes became the de facto standard for deploying cloud-native applications. IT teams, for example, need to decide whether a "server" as understood by the authors of the PCI standard is more akin to a pod, a node or a cluster, notes Naor. Kubernetes also assumes a flat network, in which by default every pod can reach every other pod across namespaces, while PCI DSS calls for network segmentation to isolate the cardholder data environment from everything else.
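The segmentation gap described above is closed in Kubernetes with NetworkPolicy objects. The following is an added example written for this article, not Alcide's code or a policy generated by its platform: a default-deny policy for a hypothetical `cde` namespace (the cardholder data environment), plus a single allow rule that lets only the ingress controller reach a hypothetical `payment-api` workload and lets that workload talk only to its database. The namespace name, the labels and the ports are assumptions for illustration.

```yaml
# Added example (not from the original article or from Alcide).
# Assumed: namespace "cde" holds the cardholder data environment,
# the ingress controller runs in namespace "ingress-nginx" with
# label app.kubernetes.io/name=ingress-nginx, and the payment
# database is a pod labelled app=payment-db in the same namespace.
---
# 1. Default deny: selects every pod in the namespace and lists no
#    ingress or egress rules, so all traffic is dropped unless another
#    policy explicitly allows it. This replaces the flat "any pod can
#    reach any pod" default that PCI DSS segmentation does not permit.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: cde
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# 2. Explicit allow for the payment API only.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: payment-api-segmentation
  namespace: cde
spec:
  podSelector:
    matchLabels:
      app: payment-api
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Only the ingress controller namespace may reach the API, on 8443.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
          podSelector:
            matchLabels:
              app.kubernetes.io/name: ingress-nginx
      ports:
        - protocol: TCP
          port: 8443
  egress:
    # Cluster DNS is required for service discovery.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # The API may talk only to the payment database, on 5432.
    - to:
        - podSelector:
            matchLabels:
              app: payment-db
      ports:
        - protocol: TCP
          port: 5432
```

Two caveats for anyone building an audit trail on this. First, the API server accepts NetworkPolicy objects regardless of whether the cluster's CNI plugin enforces them; a cluster whose network plugin does not implement NetworkPolicy will happily store these objects while the network stays flat, so a compliance check has to confirm enforcement (for example with a probe pod that attempts a connection that should be blocked), not merely that the objects exist. Second, the `kubernetes.io/metadata.name` namespace label is set automatically only on reasonably recent Kubernetes releases; on older clusters the namespace must be labelled by hand or the `namespaceSelector` above matches nothing and the allow rule silently does not apply.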
GDPR, meanwhile, defines a set of requirements for how personal data is managed. That approach is now spreading rapidly through similar rules such as the California Consumer Privacy Act (CCPA). Comparable data privacy rules are being debated in at least 25 other states, which in time may push the U.S. Congress to produce a national standard.
A recent survey published by Alcide finds that 44% of respondents are using Kubernetes in production today. As a result, many organizations are now struggling to maintain compliance with a raft of mandates on a platform that is designed to encourage IT organizations to change their environments rapidly. With that rate of change, the probability of misconfiguring a Kubernetes cluster is understandably high.
Of course, many compliance mandates share a common set of controls. They are different enough, however, that organizations often need dedicated teams to address each one. Alcide is making the case for automating compliance management by treating compliance as code: a distinct class of policy that is defined, versioned and checked automatically rather than by hand.
It is not at all clear how much responsibility for compliance DevOps teams will assume going forward. At the very least, however, DevOps teams should be able to scan Kubernetes clusters to confirm that they comply with all applicable mandates. After all, every minute spent with auditors is time that could otherwise be spent building or deploying applications.