Tools and best practices for Kubernetes compliance under HIPAA

To protect your organization from security breaches and data leaks, it is increasingly important to ensure that your Kubernetes cluster is secure and compliant with legal and industry best practices.

Compliance is especially important in regulated industries. To achieve it, development and IT operations teams should have defined roles and tasks, along with tools and practices that include security frameworks and policies, API server monitoring, and Kubernetes audit logs.

This article will also cover popular open-source Kubernetes compliance tools like Open Policy Agent (OPA) and Kubescape.

• 👋 Read more articles in our compliance series: 
• ✅ An essential guide to achieving compliance with Kubernetes
• ✅ The definitive guide to compliance with cloud-managed Kubernetes
• ✅ Introducing Compliance Score: simplifying compliance assessment
• ✅ Kubernetes compliance & ISO 27001
• ✅ Kubernetes compliance & GDPR
• ✅ Kubernetes compliance & SOC 2

Security guidance frameworks — HIPAA

Security guidance frameworks (SGFs) help secure containerized applications and services. Examples of SGFs include the Health Insurance Portability and Accountability Act (HIPAA) in the US, GDPR in the EU, and PCI DSS. These frameworks are designed to protect sensitive personal data. 

HIPAA rules apply to medical service providers, health plans, research facilities, and insurance companies that work with patient data. The requirement to secure protected health information (PHI) also applies to business associates.

The HIPAA privacy rule

The Privacy Rule gives individuals full control over their PHI. HIPAA-regulated organizations must get consent before processing PHI. Regulated entities are responsible for privacy violations that result in unauthorized disclosure of PHI.

Seven principles for HIPAA compliance

1. Weighing the risks of migrating data, i.e. security breaches, data losses, vendor lock-in
2. Establishing a company-wide security culture (from DevOps to DevSecOps)
3. Maintaining separate development and testing environments with careful access controls
4. Securing data by using container images only from trusted and reputable repositories to avoid malware contamination; using only current images from allow-listed, reputable repositories is crucial for this reason.
5. Ensuring regular vulnerability scanning and monitoring at every level of deployment
6. Protecting (encrypting) data entering and leaving your containers
7. Regular, automatic backups of user data

Containers provide high availability; however, that alone is insufficient. Only by replicating your environment’s images, associated databases, deployments, persistent volumes for pods, and resources can you guarantee access to your environment in the event of failure.

HIPAA compliance strategies

To ensure HIPAA compliance, use secure technologies, follow configuration guidelines, keep secrets outside of images, encrypt data in transit and at rest, and encrypt all PHI transmissions over the Kubernetes network.

Additional important steps include:

• Using a secure connection when pushing to or pulling from the registry
• Ensuring that the container uses the most recent image release
• Segmenting network traffic
• Following container runtime configuration standards like the Center for Internet Security (CIS) benchmarks
• Identifying potential breaches at the infrastructure and container levels, using a container-specific operating system
• Ensuring that containers operate with the fewest permissions necessary

Generally speaking, organizations are required to use trusted CDNs and verified cloud storage services (for example, Amazon ECR and JFrog Artifactory) for achieving image integrity and authenticity at every stage of the image life cycle, from creation to deployment.

Privacy protection frontier with internals in mind

Regulated companies using Kubernetes must install an intrusion detection system (IDS) like Falco to comply with Privacy Rules. Falco uses Linux kernel features to detect any unusual actions in production pods that may indicate a leak of PHI.

To prevent these leaks, it is recommended to securely log all important boundary events, such as logins, logouts, API calls, and database requests. This can be done by hosting Elasticsearch on a separate Kubernetes cluster and sending live application logs to it using Fluentd. Additionally, Kubernetes API logs should be sent to the same tamper-proof logging environment as the application logs to ensure their security even if the production environment is compromised.

RBAC and policy enforcement

A key aspect of Kubernetes security is role-based access control (RBAC), which allows control over access to different resources in the cluster. Next, we will discuss RBAC and policy enforcement, as well as the use of policy engines, specifically Open Policy Agent (OPA), in Kubernetes.

Policy engines: Advantages and drawbacks

Policy engines are software tools that help automate policy enforcement by allowing you to define policies in a declarative way, making it easier to manage policies across different applications and environments. They offer several advantages, such as:

• Consistency in enforcing policies across different applications and environments
• Automation that reduces the risk of human error
• Granularity in enforcement that provides fine-grained control over access to resources
• Flexibility that allows policies to be easily updated or modified

However, there are also some drawbacks to using policy engines. One key challenge is defining policies that are both comprehensive and easy to manage.

OPA-based techniques for policy enforcement

Open Policy Agent is an open-source policy engine for Kubernetes. It provides a flexible and declarative way of defining policies for multiple applications and environments.

OPA is built around a simple idea: defining policies as code (PaC). This approach involves using a programming language or declarative syntax and storing them in a version control system, just like code.

OPA enforces these policies at runtime, making it easier to manage them across different environments and ensure consistent and automatic enforcement.

OPA has several advantages over other policy engines. For example, its policies can be easily tested and debugged, and it provides a rich set of APIs for integrating with different applications and environments.

However, OPA also has its drawbacks, including a steep learning curve for its proprietary language Rego, lack of GUI, complexity and performance issues. Misconfigurations or vulnerabilities in OPA could potentially allow attackers to bypass policies.

Pod security standards

There are a set of guidelines that are designed to enhance the security of Kubernetes pods, which are the smallest deployable units in the Kubernetes platform. Following PSS can enforce compliance with HIPAA, PCI DSS, and GDPR.

Using OPA with PSS

When using OPA with PSS, organizations can define policies that follow PSS guidelines, such as ensuring that pods run as non-root users, restricting the use of privileged containers, or enforcing network policies. OPA can help automate the enforcement of these policies across a Kubernetes cluster, and it can provide real-time feedback on policy violations or compliance status.

At the same time, OPA and PSS can be overwhelming to configure, especially for large and complex environments. It is important to have a clear understanding of the access control requirements and carefully design and test policies before deployment in production.

The policy-as-code approach: Kyverno

To protect the cluster, you can also refer to the least privileged Pod permission model, a part of the Kubernetes Pod Security Standards. The model’s principle states that Kubernetes pods should be granted only the permissions necessary to perform their intended functions. This helps reduce the risk of unauthorized access or malicious activity by restricting the capabilities of pods and containers.

Permissions may be implemented like PaC, and Kyverno is a powerful tool for implementing the PaC approach in Kubernetes.

Both Kyverno and OPA support Kubernetes Pod Security Standards.

Kyverno is a potential alternative to OPA and its complex technical needs. It offers a structure similar to Kubernetes in terms of object description and reconciliation, thanks to its declarative policy expression and Kubernetes-specific architecture. Policy elaboration is greatly simplified by Kyverno.

Unfortunately, Kyverno also has disadvantages:

• It lacks a programming language for defining policies. Instead, it uses YAML files, which can become cumbersome.
• It offers less flexibility in defining policies. Kyverno may not be able to enforce policies on certain types of Kubernetes resources, such as custom resources. Meanwhile, OPA can be used with any Kubernetes resource, including custom resources.

The PaC approach requires a certain level of programming and technical expertise. Users should be comfortable with YAML and other declarative syntaxes and have a basic understanding of programming concepts such as loops, conditionals, and functions.

Kubescape

Kubescape, a CNCF sandbox project, is a powerful open-source tool designed to comprehensively test the security of Kubernetes infrastructure. It scans for potential vulnerabilities and compliance violations across various Kubernetes objects, including pods, services, and deployments. It provides in-depth analysis of identified security weaknesses, misconfigurations, and compliance violations, allowing for quick and effective remediation.

Kubescape uses OPA behind the scenes and has the largest library of controls in the industry, with over 200 controls that are based on CIS, NSA, and MITRE ATT&CK. As a result, users of Kubescape do not need to write policies. Thanks to all of that, Kubescape users can easily identify potential security weaknesses and compliance violations. In addition, they can boost their effectiveness by leveraging automatic remediation. By that they can smartley ensure their Kubernetes clusters are secure and compliant.

Summary

Compliance is an essential aspect of Kubernetes security. Through the right practices, companies can ensure that their Kubernetes clusters remain secure and compliant with major regulations.

This involves starting with a security framework — ensuring the quality and integrity of the software images to be deployed, using RBAC, enforcing PSSs, monitoring the Kubernetes API server, regularly reviewing and updating policies, and using Kubernetes audit logs. By following these guidelines and leveraging narrow profile tools, you can stay ahead of compliance issues and ensure the security of containerized applications and services.

Kubescape and ARMO Platform help customers become HIPAA-compliant by mastering security checks and applied configurations. By ensuring secure and proven resources are used in deploying apps, ARMO’s solution is a valuable tool for identifying and preventing security issues.