How is your Kubernetes Security Posture?
By Rajeshwari (Raji) Rao Subbu, Product Management CloudGuard Dome9, published December 4th, 2019
Interesting fact:
8: the number of characters between the “K” and the “s” in Kubernetes, which is the origin of the developer shorthand, k8s.
Kubernetes (k8s) is an open-source container-orchestration system that facilitates scaling of complex projects and simplifies the release of new versions, making them more reliable. Kubernetes technology is evolving constantly and its adoption rates exceed expectations. You can read about 13 interesting k8s facts here: “Kubernetes by the numbers: 13 compelling stats”
As k8s usage grows, many enterprises are still concerned with the security and compliance aspects of this technology. Some of the major security concerns include network and security misconfigurations, the short lifespan of containers, and the high level of automation involved in the deployment and ongoing maintenance processes. All of these aspects require an equally high level of automation when it comes to continuous compliance and posture management.
Today’s enterprises have to comply with a significant number of security and privacy regulatory requirements, including PCI-DSS, HIPAA, and GDPR. Taking steps to follow and comply with these regulations for k8s deployments is imperative, and it is a very challenging goal to achieve.
The foundational step of any cloud compliance program is to ensure that misconfigurations are continuously monitored and addressed, and k8s is no exception. To start monitoring and addressing k8s misconfigurations, there are several important frameworks you should get familiar with:
CIS Benchmarks for Kubernetes – CIS has worked with the community since 2017 to publish a benchmark for Kubernetes. This benchmark is highly prescriptive and provides detailed risk and remediation guidance for the most significant security requirements, broken down into the following domains: Master Node Security Configuration (Scheduler, Controller Manager, Configuration Files, etcd, PodSecurityPolicies) and Worker Node Security Configuration (Kubelet, Configuration Files).
NIST 800-190 Application Container Security Guide – a NIST special publication dedicated to containers. It provides high-level detail on the security risks involved with containerized apps and the security measures needed to mitigate those risks. This is a great framework that is relevant for any company (not only the federal government) that uses containerized applications. It covers the following areas: Image Risks, Registry Risks, Orchestrator Risks, Container Risks, and Host OS Risks.
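As an added illustration of the kind of worker-node misconfiguration check these frameworks call for (example code written for this page, not part of the original post and not CloudGuard Dome9 code), the script below evaluates a kubelet configuration against a handful of CIS-style settings. The check ids are assumed to follow the CIS benchmark's worker-node section numbering, and both sample configurations are constructed.

```python
"""Evaluate a kubelet configuration (KubeletConfiguration, JSON form) against CIS-style checks."""
import json

# Rules: (check id, description, predicate that is True when the setting passes).
# The ids follow the CIS Kubernetes Benchmark worker-node numbering as an
# assumption for this example; confirm them against the benchmark version you use.
# Absent keys are treated as failing so the operator sets each value explicitly
# rather than relying on a version-dependent default.
RULES = [
    ("4.2.1", "anonymous authentication disabled",
     lambda c: c.get("authentication", {}).get("anonymous", {}).get("enabled") is False),
    ("4.2.2", "authorization mode is not AlwaysAllow",
     lambda c: c.get("authorization", {}).get("mode") not in (None, "AlwaysAllow")),
    ("4.2.3", "client CA file configured for x509 authentication",
     lambda c: bool(c.get("authentication", {}).get("x509", {}).get("clientCAFile"))),
    ("4.2.4", "read-only port disabled",
     lambda c: c.get("readOnlyPort") == 0),
    ("4.2.6", "protectKernelDefaults enabled",
     lambda c: c.get("protectKernelDefaults") is True),
]


def evaluate(config):
    """Return [(check id, description, passed)] for one kubelet config dict."""
    return [(cid, desc, bool(check(config))) for cid, desc, check in RULES]


def failed_checks(config):
    """Return the ids of the checks the config fails, in rule order."""
    return [cid for cid, _, ok in evaluate(config) if not ok]


# Constructed sample configurations (not taken from any real cluster).
WEAK_KUBELET_CONFIG = json.loads("""{
  "authentication": {"anonymous": {"enabled": true}},
  "authorization": {"mode": "AlwaysAllow"},
  "readOnlyPort": 10255
}""")

HARDENED_KUBELET_CONFIG = json.loads("""{
  "authentication": {"anonymous": {"enabled": false},
                     "x509": {"clientCAFile": "/etc/kubernetes/pki/ca.crt"}},
  "authorization": {"mode": "Webhook"},
  "readOnlyPort": 0,
  "protectKernelDefaults": true
}""")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_KUBELET_CONFIG), ("hardened", HARDENED_KUBELET_CONFIG)):
        for cid, desc, ok in evaluate(cfg):
            print(f"{name:8} {cid} {'PASS' if ok else 'FAIL'} {desc}")
```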
CloudGuard Dome9 now supports Kubernetes as part of its Cloud Security Posture Management solution.
The CloudGuard Dome9 Compliance Engine automates security posture management for your AWS, Azure and Google cloud environments according to various regulatory frameworks. Today, we are adding Security Posture Management capabilities for k8s containers, regardless of where they are hosted: on-prem, private or public cloud.
As part of the initial release, we are adding support for CIS Benchmarks for Kubernetes, NIST 800-190 Application Container Security and k8s Security Best Practices.
k8s Cloud Security Posture Management
With a single click, you can evaluate your k8s security posture according to CIS Benchmarks for Kubernetes and/or NIST 800-190 for any k8s container you decide to monitor with CloudGuard Dome9 (irrespective of where it is hosted: AWS, Azure, GCP, on-prem or in a private cloud).
Custom Rules using Governance Specification Language (GSL)
GSL allows compliance and security teams to write and review any security or compliance check in seconds without deep technical knowledge, which means fewer errors when translating IT governance requirements into policy definitions. CloudGuard clients can now write custom rules for k8s with the same level of simplicity as for any other supported cloud service.
k8s Inventory
The CloudGuard Dome9 Protected Assets view provides full visibility into your cluster. Containers are a key driver of microservices, and microservices usually break a system down into many smaller services that are hard to manage, monitor and govern, which in turn leads to poor visibility into the inventory.
CloudGuard Dome9 can help you to automate your company’s ongoing cloud compliance efforts. Sign up for a free trial or learn more at https://www.checkpoint.com/products/cloud-security-orchestration/