#HowTo: Implement Continuous Compliance for Kubernetes

To meet the increasingly strict security guidelines of regulations like SOC 2, PCI DSS, GDPR, HIPAA and others, the highly dynamic nature of Kubernetes environments requires a carefully planned – and proactive – security strategy.  From a business perspective, Kubernetes security measures must also restrict the risk of attacks without restricting the pace of application development. Maintaining compliance cannot be a trade-off with productivity.

The following techniques are essential for organizations to achieve effective and continuous regulatory compliance across their Kubernetes clusters.

Automated Security is Non-Negotiable

Manual vulnerability scans and compliance checks simply can’t keep up with continuous compliance needs. Instead, strategies must include security automation. Use an automated Kubernetes audit log analyzer for processing logs and events. Available SIEM tools also utilize machine learning to recognize telltale threat patterns automatically (and rapidly). Continuous auditing of Kubernetes configurations through CIS benchmarks and customized compliance checks should also be implemented. trategies should incorporate tools for the specific continuous automated monitoring and protective interventions a given organization requires to meet its specific regulatory compliance needs.

Visibility is Required to Break Attack Kill Chains

An example attack kill chain on a Kubernetes or container environment escalates as follows: An unrecognized process launches within a container and alters (or writes) files there to increase its access. Once it has what it wants, it then contacts an external IP address and secretly places sensitive data within network traffic to send stolen data to attackers. A kill chain may also include a man-in-the-middle attack on the Kubernetes API service (from the Kubernetes network). Zero-day, cryptomining, the recent Apache Log4j exploit and insider attacks are common threats that utilize kill chain methods.

Kubernetes security measures must provide the visibility to accurately identify kill chain behavior, automatically flagging unrecognized processes and vetting the contents of network traffic payloads. Suspicious (and very likely malicious) behaviors must then be neutralized with automated procedures before they can cause data breaches or other harm. Data loss prevention (DLP) capabilities are now explicitly required by SOC 2, PCI DSS and GDPR and strongly suggested for compliance with HIPAA.

Protect the Full Container Technology Stack (*Kubernetes Itself is an Attack Surface*)

Continuous compliance checks can’t only protect containers but must also safeguard the breadth of the technology stack enabling the container environment. To do that, introduce automated monitoring and mitigation measures for Kubernetes, service meshes, plugins, hosting VMs and any other potential attack surfaces. These components can be targeted for attacks and are subject to exploits. 

Practice Zero Trust

A zero trust model that allows only approved processes and traffic within Kubernetes and container environments provides more effective security and compliance. Rather than detecting threats by reacting to log analysis, zero trust proactively blocks attacks before they begin. Zero trust protections should be extended beyond container run-time behavior to the entire cloud-native stack, including access controls (e.g., RBACs).

Take Advantage of (and Supplement) Built-in Kubernetes Security Measures

Another best practice is utilizing Kubernetes’ existing security features. This includes Kubernetes support for auditing logs, RBACs and the Kubernetes API server’s capabilities as a centralized hub for system log collecting (given that it manages and monitors the resources behind all activities and events related to the Kubernetes platform). Collect all activity logs, and perform analysis to detect any misconfigurations or signs of compromise. This approach will expose non-compliant run-time activities and enable investigations into what’s causing issues and how to address them via patches or new security policies.

Be sure to supplement these built-in features with solutions designed to protect container applications (the most common attack targets) and deliver continuous compliance auditing. Kubernetes Admission Control provides another valuable built-in function that ensures Kubernetes and external security solutions can act as one in actively addressing unauthorized deployment behavior and vulnerabilities. In fact, most regulations require this application security as a key aspect of compliance. 

Remember Cloud Security

It’s up to cloud platforms to ensure that Kubernetes host systems are secure and congruent with compliance. While most Kubernetes hosting platforms now feature hardened attack surfaces and regular auditing aligned with compliance requirements, this crucial avenue for threats must be verified as secure. There is also a ‘shared responsibility model’ for security that requires you, the cloud customer, to secure application access, network behavior and other assets running in the cloud.

Secure Kubernetes and Container Environments Across the Application Lifecycle

Achieving security that meets regulatory compliance requirements tells an organization that their Kubernetes and container environments are, in fact, ready for production. Compliance auditing is essential throughout all CI/CD pipeline stages, and production is where these environments will likely face their most testing security challenges. By following best practices for continuous compliance, organizations can identify and mitigate threats seamlessly and automatically, with no impact on applications’ delivery or performance.

What’s Hot on Infosecurity Magazine?