The Shifting Cloud-Native Landscape: Understanding Kubernetes Compliance and Security Frameworks
Explore this overview and comparison of the popular Kubernetes security and compliance frameworks, pros and cons, and when to use.
Join the DZone community and get the full member experience.Join For Free
There’s a reason why Kubernetes (K8s) has become the world’s leading container orchestration platform, with 74% of today’s IT companies using it for containerized workloads in production. It’s often the simplest way to handle container configuration, deployment, and management at scale. But while Kubernetes has made use of containers easier, it has also added complexities when it comes to security.
Kubernetes’ default configurations don’t always provide optimal security for all workloads and microservices deployed. Plus, today you are responsible not only for defending your environment against vicious cyberattacks but also for meeting a wide variety of compliance requirements.
Compliance has become crucial for ensuring business continuity, preventing reputational damage, and establishing the risk level for each application. Compliance frameworks aim to address security and privacy concerns through easy monitoring of controls, team-level accountability, and vulnerability assessment—all of which present unique challenges in a K8s environment.
To fully secure Kubernetes, a multi-pronged approach is needed: clean code, full observability, preventing the exchange of information with untrusted services, and digital signatures. One must also consider network, supply chain, and CI/CD pipeline security, resource protection, architecture best practices, secrets management and protection, vulnerability scanning, and container runtime protection. A compliance framework can help you systematically manage all this complexity.
Let’s examine five major frameworks and how they can help your business use Kubernetes more securely.
1. The Center for Internet Security (CIS) Kubernetes Benchmark
The Center for Internet Security (CIS), a longstanding global security organization, has created its Kubernetes Benchmark as “an objective, consensus-driven security guideline” to provide industry-standard recommendations for cluster component configurations and harden Kubernetes security posture. Level 1 recommendations are relatively simple to implement while providing major benefits, often without affecting business functionality. Level 2, or “defense in depth” recommendations are suitable for mission-critical environments requiring a more comprehensive strategy.
CIS also offers tools that ensure cluster resources comply with benchmarks and generate alerts for non-compliant components. The CIS framework works with all Kubernetes distributions.
Pros: Strict and widely accepted blueprint for configuration settings.
Cons: Not all recommendations are relevant to all organizations and must be assessed accordingly.
2. NIST Application Container Security for Kubernetes
The U.S. government’s National Institute of Standards and Technology (NIST) provides a specialized Application Container Security Guide as part of its voluntary framework. The guide highlights the security challenges of a Kubernetes environment—including images, registry, orchestrator, container, and host OS—and offers countermeasures based on best practices.
For example, NIST advises taking advantage of Kubernetes’ (or other orchestrators’) ability to provide native management of sensitive information, securely provisioning this data into a web application container at runtime, while ensuring that only the web application container has access to this sensitive data and that data is not persisted to disk.
Pros: Trusted, standardized risk-management methodologies.
Cons: Requirements may be ambiguous, requiring expertise to implement appropriately.
3. NSA and CISA Kubernetes Hardening Guidance
The National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) have recently published their Kubernetes Hardening Guidance that describes and details specific threats to Kubernetes clusters, and offers mitigation guidance in five key areas:
- Kubernetes pod security
- Network separation and hardening
- Authentication and authorization
- Log auditing
- Upgrading and application security practices
The report highlights compromises in supply chain risks, from malicious actors, and insider threats at the infrastructure level, identifying common vulnerabilities and recommending best practices to avoid misconfiguration.
Pros: Very detailed, hands-on, practical, Kubernetes-specific advice.
Cons: Does not include recommendations for container lifecycle security management.
4. The MITRE ATT&CK® Matrix for Kubernetes
The Threat Matrix for Kubernetes, developed from the widely recognized MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) Matrix, takes a different approach, based on today’s leading cyber threats and hacking techniques.
This matrix is used for threat modeling across the adversary’s attack lifecycle, and across commonly targeted platforms, providing both indicators of compromise and indicators of attack. The adversarial approach allows all security and penetration teams to craft robust threat modeling and a more comprehensive response towards attack.
Pros: Extensive, up-to-date database of adversary tactics.
Cons: Complex, expensive framework to implement, with ambiguous guidance rather than offering precise mitigation steps.
5. PCI DSS Compliance for Kubernetes
The Payment Card Industry Data Security Standard (PCI DSS) is a set of mandatory technical and operational requirements required of every organization that stores, processes, or transmits payment card data. Its central principle is segmenting the environment where cardholder data is stored and processed. In Kubernetes, this is done using logical, network, and service-level segmentation.
While containers and microservices are not directly addressed in the core PCI DSS standards, a Cloud Computing Guidelines supplement offers guidelines for container orchestration.
In Kubernetes, certain attributes of open-source packaging, container lifespan, sprawl, and connectivity all complicate PCI DSS compliance. Further, when processing transactions, containers communicate with several other components on the platform.
For example, if you have one or more containers running within one or more dedicated Kubernetes servers, you are responsible for ensuring that scope, segmentation, and validation—along with isolation between customers’ data—meets PCI DSS requirements.
Pros: Mandatory for companies handling payment card data; builds consumer confidence.
Cons: Guidance is ambiguous and is technology-agnostic, so implementation requires specialized expertise.
Kubernetes has brought tremendous benefits, like speed and agility. Compliance with frameworks such as those explored here can help minimize any accompanying risks. It’s crucial to guide your team towards industry best practices, and adopting one or more of these frameworks is often the best way to standardize vulnerability assessment and ongoing security.
While compliance may take some work upfront, the payoff in resilience and long-term business continuity will be worth it. In many cases as well, organizations discover side benefits such as optimization, eliminating inefficient processes and services. This may lead to cloud savings as well as lessening your team’s administrative burden in the long run, while comprehensively protecting the Kubernetes environment and ensuring that best-practice compliance is achieved.
To read more, to see a list of the available tools for each framework, and a comparison table between frameworks, visit the ARMO blog.
Published at DZone with permission of Jonathan Kaftzan. See the original article here.
Opinions expressed by DZone contributors are their own.