Taking a holistic approach to security and risk is essential for any organization that uses Kubernetes or another cloud-based container platform. As an open source container orchestration system for automating deployment, scaling, and management of containerized applications, Kubernetes is extremely powerful. However, organizations must carefully balance their eagerness to embrace the dynamic, self-service nature of Kubernetes with the real-life need to manage and mitigate security and compliance risk.
No matter which cloud service providers or container services you are using, it is essential to have a holistic view of your container infrastructure and configuration. To achieve this, it’s necessary to incorporate solutions, like DivvyCloud by Rapid7, that allow you to gain and maintain full visibility, apply policy consistently, and take action on multiple resource types, with the ultimate goal of developing a roadmap for security, governance, and compliance.
Developing a security and compliance roadmap
Building a successful security and compliance roadmap requires three essential components: culture, frameworks, and systems. Combining these three components will enable you to build cloud operations maturity through automation.
First, it’s important to reject the “command and control” approach that was once successful in the traditional data center world and replace it with a softer “trust, but verify” approach to support innovation derived through self-service access to the public cloud.
Second, incorporate the right benchmarks, to include PCI DSS, CSA CCM, CIS, etc., as the foundation of your cloud security and governance, risk management, and compliance (GRC) strategy.
Third, identify and implement cloud-native systems to help you address the unique challenges of public cloud and containers through automation. There are several tools that help companies achieve continuous security, compliance, and governance while embracing the dynamic, software-defined, self-service nature of public cloud and container infrastructure.
A change in perspective: Moving from, “Command and control,” to “Trust, but verify.”
Aggressive corporate innovation initiatives are forcing security and GRC professionals to adopt cloud and container technology with deliberate speed. This unyielding drive to innovate often creates a difficult situation for security and GRC professionals, who must adapt quickly to secure these new technologies at scale. To make matters more complicated, the accelerated rate of change produced by innovative automation makes it nearly impossible for any team to truly understand the potential impact of computing environment changes. Effective monitoring and security in this new environment requires an adjusted outlook.
It’s often less effective for organizations to have a large, centralized IT department focused on controlling everything—from user access to server, storage, and network provisioning. Instead, many organizations are shifting toward a self-service model in which developers create the computing infrastructure they need, as they need it.
This transformation has forced system administrators to move away from being the sole protectors of the IT infrastructure. Their new role is more akin to that of systems management consultant who is concerned with ensuring maximum business value from the investment. Thus, while the operational sensibility in the past has been “command and control,” today’s approach should be “trust, but verify.”
While it may sound simple, many organizations struggle with this transformation. The notion of empowering developers to provision environments independently is a hard pill for many system administrators to swallow. Consequently, some will never make the transformation. But others see the value of making automated monitoring and remediation technology part of the IT infrastructure. Allowing developers to have more independence promotes the agility, speed, innovation, and sense of experimentation required for modern businesses to maintain a competitive advantage.
Providing a robust set of automated monitoring and remediation tools gives businesses the ability to ensure that developers are acting wisely and not creating risks that are preventable. Supporting a theme of “trust, but verify” means having a culture that gives developers the freedom to experiment and innovate, while also giving systems personnel the tools they need to make sure that developers are working safely. As such, automated monitoring and remediation tools are indispensable.
Using CIS benchmarks to improve cloud and container security and compliance
Kubernetes has become the orchestration platform of choice among many enterprises because it’s a proven framework for deploying containers on-premises or in the cloud. Kubernetes is supported by all the major cloud providers, including, but not limited to, AWS, GCP, Azure, and Openshift. As Kubernetes has grown in popularity, so have security and compliance concerns about the technology.
The Center for Internet Security’s CIS Benchmarks for Kubernetes in 2017 was a major step in establishing a formal approach to using Kubernetes securely. These benchmarks are consensus-driven security guidelines defined by representatives from industry and government that are intended for system and application administrators, security specialists, auditors, help desk, and platform deployment personnel.
The CIS Benchmarks for Kubernetes define a standard by which to determine the state of security in a Kubernetes cluster running on-premises or in AWS, GCP, or Azure. In addition, the benchmarks provide guidance for remediation when security shortcomings are identified. The CIS Benchmarks for Kubernetes are incorporated directly into DivvyCloud by Rapid7’s technology, allowing companies to use Kubernetes clusters while ensuring CIS compliance.
With over 120 guidelines, the benchmarks apply to master and worker nodes. They apply to the control plane components (Controller Manager, Scheduler, API Server and etcd). In addition, the rules cover the components that are part of each worker node (kubelet, kube-proxy, cAdvisor and container network interfaces).
There are rules that define configuration settings that must be in force in order to ensure the security of a particular component. Also, there are rules intended to ensure that certain environment conditions are met—for example, requiring that a security context is applied to a pod or container.
Using a scoring system, system administrators apply each guideline rule to the relevant asset in Kubernetes to which the rule applies. Then, after all the rules have been applied, a score is determined. The resulting score describes the overall “health” of the system being inspected. The CIS Benchmarks for Kubernetes rules are divided into two types: scored and not scored. A scored rule indicates that compliance with the given rule is considered as part of the target’s benchmark score and thus increases the overall score. A not-scored rule has no effect on the overall score should the target not adhere to the conditions of the rule.
An example of a scored rule is:
– 1.1.4 Ensure that the –kubelet-https argument is set to true
An example of a not-scored rule is:
– 1.5.7 Ensure that a unique Certificate Authority is used for etcd
Levels of severity
The CIS Benchmarks for Kubernetes defines two levels of severity: Level 1 and Level 2. Level 1 rules are deemed to “be practical and prudent; provide a clear security benefit; and not inhibit the utility of the technology beyond acceptable means.”
Violating Level 2 rules indicates a significant security compromise. According to the CIS Benchmarks for Kubernetes, they “may negatively inhibit the utility or performance of the technology.”
DivvyCloud by Rapid7 offers a compliance pack built upon the rules defined in the CIS Benchmarks into its automation technology. In addition, it integrates the rules with regulations and best practices guidelines published by other regulatory organizations and government agencies, thereby allowing organizations to define the degree of remediation behavior that is executed in response to a rule violation.
Cloud-native tools to support a holistic approach to cloud and container security and compliance
DivvyCloud by Rapid7 is designed to be an agentless state machine. You can apply it to any computing environment (public cloud or private software-defined infrastructure). The way DivvyCloud by Rapid7 interacts with the host environment and Kubernetes is by way of their respective APIs. DivvyCloud by Rapid7 continuously interacts with the APIs to gather information about the state of the hosts and the Kubernetes clusters of interest. These hosts can be GCP, Amazon Web Services (AWS), Microsoft Azure, or a private data center that can expose infrastructure information via an API.
Once set up and targeted at the relevant host and Kubernetes clusters, it starts pulling down data about the container configuration resources that are exposed via an API, such as pods, containers, services, and deployments. In parallel, it also evaluates admission controllers, such as ingress and pod security policies. This information is then unified into a single data model that represents the infrastructure and represents containment holistically. Once DivvyCloud by Rapid7 is operational, it analyzes data for configuration and security issues according to policies defined by regulations such as CIS, PCI DSS, GDPR, and HIPPA, to name a few.
DivvyCloud by Rapid7 is well suited to address the security and compliance concerns of companies using on-premises or cloud-based Kubernetes clusters. However, using cloud-native tools is only part of a comprehensive security solution. Companies that use DivvyCloud by Rapid7 successfully not only embrace the technology, but also make the cultural and organizational changes necessary to realize the full benefit of securing the enterprise using an automated monitoring, analysis, and remediation tool.
To take full advantage of the cloud and containerized computing paradigm, companies need to have the right people, processes, and tools in place. Yet, many companies will incur a great deal of expense hoping to achieve the goal and still come up short. These companies spend money on all kinds of software and training, but they overlook the cultural and process changes necessary to fully adopt containerized computing on the cloud.
Companies that have experienced success moving to containerized computing in the cloud understand that you can’t simply buy your way into a digital transformation. A successful digital transformation requires an investment of time and effort from a people perspective. It’s about moving from a command-and-control management style to one based on an operational theme of trust but verify. And, with DivvyCloud by Rapid7, it means creating remediation policies that work for your environment but don’t get in the way of innovation.
Learn more about how DivvyCloud by Rapid7 can help you address the security and compliance concerns of using on-premises or cloud-based Kubernetes clusters.