Kubernetes security compliance frameworks

TL;DR – Comparing popular Kubernetes security and compliance frameworks, how they differ, when to use them, common goals, and suggested tools.

The challenge of administering security and maintaining compliance in a Kubernetes ecosystem is typically the same: an increasingly dynamic, ever-changing, ephemeral landscape. Changes can be rooted in new approaches to cyberattacks or changing regulations.

Kubernetes security requires a complex and multifaceted approach since an effective strategy needs to:

• Ensure clean code
• Provide full observability
• Prevent the exchange of information with untrusted services
• Produce digital signatures for clean code and trusted applications

Security and compliance are two closely related concepts in Kubernetes. Security refers to the measures taken to protect a Kubernetes environment from unauthorized access, data breaches, and other malicious attacks. Compliance refers to the adherence to a set of security standards or regulations. While organizations may choose how they administer security, regulatory bodies are the ones who set and enforce mandatory compliance standards. These standards are designed to protect sensitive data and ensure the security of crtical infrastructure. By adhering to these regulations, organizations signal to customers that they care about ensuring business continuity and determining an application’s level of risk. This can also enhance an organization’s reputation, as a by product.

To help with this, various institutions offer standardized frameworks and guidelines for administering security in the complex and dynamic Kubernetes ecosystem. This post delves into popular Kubernetes security guidance frameworks, the principles on which they are built, and the benefits and challenges of adopting them.

Kubernetes security guidance frameworks

Since Kubernetes follows a loosely coupled architecture, securing the ecosystem involves a combination of best practices, tools, and processes. It is also recommended to consider frameworks that issue specific guidelines for easing the complexity of administering the security and compliance of a Kubernetes ecosystem. Such frameworks help organizations create flexible, iterative, and cost-efficient approaches to keeping clusters and applications safe and compliant while ensuring optimum performance.

A typical framework’s guidance on Kubernetes security and compliance should essentially consider:

• Architecture best practices
• Security within CI/CD pipelines
• Resource protection
• Container runtime protection
• Supply chain security
• Network security
• Vulnerability scanning
• Secrets management and protection

The foundations of these frameworks are built upon real-world observations. As a result, organizations referring to them remain up-to-date with the changing threat landscape—without losing focus on core organizational goals.

List of security guidance frameworks

As more data-driven applications go cloud-native, organizations are driven to pay more attention to security in order to protect their assets and information. To deal with this, every vendor or organization often develops and adopts its own security practices. While that’s a justifiable approach, it is susceptible to missing things in the changing threat landscape and leaving things unaccounted for. On the other hand, using frameworks for guidance, enables organizations to adhere to the expected security standards. This enables monitoring of security controls, enhanced team-level accountability, and efficient vulnerability assessment.

Additionally, organizations will often need to comply with respective industry standards as part of their regulatory obligations. Examples for this are: HIPAA for healthcare and PCI DSS for finance. While there are a number of frameworks that offer security guidelines for a cloud-native environment, the following are some of the most popular frameworks that offer focused guidance on securing Kubernetes workloads. All of these frameworks are free to use, offered by reputable (and objective) organizations, and have been created based on real-world events and the changing security landscape.

The Center for Internet Security (CIS) Kubernetes Benchmark

Since the mid-2000s, the Center for Internet Security (CIS) has been working closely with the IT community and publishing security benchmarks and best practices. These benchmarks include a detailed guideline that lays the foundation for hardening Kubernetes environments by recommending settings for secure cluster component configurations. CIS also lists tools that automatically check cluster resources to see if they comply with the set benchmarks and raise alerts for non-compliant components. As of 2020 the Center for Internete Security has rolled out a sub-set of benchmarks aimed specifically at cloud managed Kubernetes distributions. Starting with EKS, following with AKS and others.

Leveraging CIS Benchmarks for Kubernetes security

Securing clusters starts with identifying the Kubernetes distribution and referring to the related best practice recommendations per the CIS benchmark. The best practices are then prioritized according to recommendation level:

• Level 1 recommendations are practical and prudent. They provide clear security benefits, and do not interfere with Kubernetes usage or the platform.
• ‍Level 2 recommendations are applied to mission-critical environments for deeper defense measures that typically inhibit the performance of the platform.

Recommendations are scored based on how much a failure to comply will affect the final benchmark score. The security team then outlines the values that specify the status of the recommendations in production.

Benefits and drawbacks

Some benefits of the CIS Benchmark for Kubernetes include:

• Simplifies configuration management
• Suitable for all open-source Kubernetes distributions
• Standardizes efforts to minimize the attack surface
• Enables cluster-wide vulnerability scanning

One of the major drawbacks of the CIS benchmark is that it offers general guidance and may misrepresent certain use cases. As a result, on account of the strict blueprint of the CIS benchmark, organizations may miss assessing certain security misconfigurations or give more weight to those that aren’t relevant to their use case.

CIS security guidance – how to use

CIS Security Benchmarks are globally acknowledged security standards for defending web applications. CIS also offers tools, such as CIS-CAT, that enable security teams to compare system configurations with CIS standards. Kubescape is also a popular open-source tool for running CIS benchmark tests on Kubernetes workloads.

The MITRE ATT&CK® Framework for Kubernetes

The MITRE ATT&CK framework is a comprehensive knowledge base built on various hacking mechanisms and tactics based on real-world events. The framework forms the foundation for an organization’s threat model by simulating adversary behavior and mitigation practices. While MITRE outlines various matrices for niche domains, such as Cloud, Windows, etc., the Kubernetes framework focuses on various phases of an attack lifecycle exploiting Kubernetes platforms.

The MITRE ATT&CK Matrix for Kubernetes

MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) outlines various attack mechanisms commonly leveraged by attack vectors in a Kubernetes ecosystem, including:

• Initial Access – Techniques that can be exploited to enable first access to the cluster, e.g.:
• Weak cloud credentials
• Compromised registry images
• Kubeconfig
• Vulnerable applications
• Exposed Kubernetes dashboard
• Execution – Typically involves running malicious code inside the cluster using tactics, e.g.: 
• Executing into a container
• Building a new container
• Application exploit
• Running an SSH Server inside the container
• Persistence – Tactics to keep accessing the cluster even when hackers lose their initial foothold, e.g.:
• Exploiting a backdoor container
• Writeable hostPath mount
• Kubernetes CronJob
• Privilege escalation – Once inside the environment, attackers leverage several techniques to access higher privileges, e.g.:
• Privileged containers
• Cluster-admin binding
• hostPath mount
• Access to cloud resources
• Defense evasion – To hide their presence, attackers avoid detection using stealth tactics, e.g.:
• Clearing container logs
• Deleting Kubernetes events
• Using a similar Pod name
• Connecting from a proxy server
• Credential access – Attempting to hack into more accounts by:
• Listing Kubernetes secrets
• Mounting service principals
• Accessing container service accounts
• Accessing credentials in config files
• Discovery – Exploiting compromised Kubernetes environment through:
• Accessing the Kube-API Server
• Accessing the Kubelet API
• Network mapping
• Accessing the Kubernetes dashboard
• Checking the cloud instance metadata API
• Lateral Movement – Navigate and exploit the compromised environment by:
• Accessing cloud resources
• Using the container service account
• Using cluster internal networking to reach other containers
• Reading writable mounts on the nodes
• Accessing the Kubernetes dashboard
• Impact – Hackers destroy, abuse, or disrupt the ecosystem by:
• Destroying data
• Hijacking resources
• Denial-of-service

The ATT&CK matrix is particularly popular due to the level of depth each tactic goes into. By regularly updating the threat models, the MITRE matrix considers regular industry trends to build a comprehensive list of cyberattack techniques and sub-techniques.

Benefits and drawbacks

Some benefits of the MITRE ATT&CK framework include:

• Enforces continuous, automated security testing
• Suggests preemptive actions to identify and mitigate vulnerabilities
• Curated list of adversary tactics based on industry inputs
• Up-to-date list of emerging hacking techniques and security landscape

‍

However, due to the number of adversary data, techniques, and sub-techniques, the MITRE ATT&CK framework is large, complex, and often costly to implement. The framework is also less comprehensive when compared with CIS and often may offer ambiguous approaches rather than proposing exact steps to protect/evaluate a security control.

MITRE ATT&CK Matrix – how to use

The matrix lists various attack tactics that can potentially compromise a cloud-native environment based on real-world observations. By offering Indicators of Compromise and Indicators of Attack, the list helps security teams identify and study the mechanisms used by hackers across various stages of a cyber attack. The matrix also offers an adversarial approach that can be used by penetration testers, security defenders, cyber intelligence teams, red teams, and internal teams to create robust threat models and improve security posture. Besides adopting the practices outlined by the framework, organizations can also leverage open-source tools like Kubescape, which follows MITRE guidance to specifically harden Kubernetes clusters.

PCI DSS Compliance for Kubernetes

The Payment Card Industry Data Security Standard (PCI DSS) compliance framework outlines the technical and operational requirements to enable security and data protection for the payment industry. PCI DSS compliance is based on the following principles:

• Build and maintain a secure network system
• Secure cardholder data
• Develop and maintain vulnerability management programs
• Administer robust access control measures
• Regular observability and debugging of networks
• Periodic update and maintenance of information security policies

‍

PCI DSS Cloud Computing Guidelines

An inherent challenge with respect to open-source packaging, container lifespan, and container sprawl is that certain attributes complicate regulatory compliance in a Kubernetes environment. To help simplify this, the PCI DSS framework outlines focused goals that are relevant to Kubernetes, including:

• Identify all connections between the card data environment and other networks
• Restrict connections with untrusted networks using firewalls and router connections
• Develop configuration standards for all system components
• Secure cryptographic key distribution
• Separate development and production environments
• Deploy change-detection mechanisms

‍

Organizations adopting the cloud are often wary of the challenges in maintaining PCI DSS compliance. This is because containers are built to communicate with several other components of the platform when processing transactions, thereby relying on a complex intercontainer network. It is also recommended that when embracing PCI standards, organizations do not end their security and compliance efforts with containers but instead make sure that orchestrators, such as Kubernetes, are equally weighed.

Benefits & drawbacks

Adopting the PCI DSS compliance framework for Kubernetes brings a number of benefits to organizations, including:

• Enforces data protection and privacy
• Efficient assessment of existing security posture and vulnerabilities
• Adopts the universal standard for a payment’s platform
• Achieves compliance

‍

One commonly observed challenge with adopting the PCI DSS framework is that it involves numerous specifications that typically differ for different organizations. All requirements listed as part of the PCI DSS standards are mandatory and extremely technical, requiring niche skills to implement. Besides this, vendors usually offer partial support for PCI DSS guidance adoption by complying with specific parts of the guidance. This requires a collection of different entities that follow best practices for their respective domains to ensure comprehensive compliance with the PCI DSS security framework.

PCI DSS Security Guidance – how to use

PCI DSS outlines various computing guidelines that organizations should follow to be compliant. These guidelines apply to all organizations that store, process, or transmit cardholder data such as payment gateways, banks, merchants, and developers.

NIST Application Container Security Framework

The National Institute of Standards and Technology (NIST) publishes a special Risk Management Framework for containers and containerized environments. This publication, also known as the NIST Application Container Security Guide, highlights security risks associated with containerized applications and practical recommendations to address them.

Risks, countermeasures, and considerations for the container technology life cycle

NIST categorizes security risks for containerized technologies across multiple layers of a platform, including:

Image risks

• Embedded clear text secrets
• Image misconfiguration
• Use of untrusted images
• Image vulnerabilities

Registry risks

• Insecure connections
• Stale images
• Insufficient authorization and authentication

Orchestrator risks

• Unbounded administrative access
• Poor isolation for inter-container traffic
• Mixed sensitivity levels
• Orchestrator node trust

Container risks

• Runtime vulnerabilities
• Insecure runtime configurations
• App vulnerabilities
• Rogue containers

Host OS risks

• Large attack surface
• Shared kernel
• Improper access rights
• File system tampering

Countermeasures and NIST recommended practices for a secure container orchestration include:

• Tailor organizational culture to be aligned with container security best practices
• Use container-focused operating systems
• Group containers with the same sensitivity, purpose, and risk profile within the same kernel
• Adopt vulnerability scanning and management tools that are container-focused
• Use context-aware runtime security tools
• Integrate hardware-based security countermeasures

‍

Benefits & drawbacks

Adopting the NIST security framework for containers helps organizations via several benefits, including:

• Trusted, standard methodologies for risk management
• Helps organizations assess areas where the Kubernetes ecosystem requires hardened security controls
• Helps prioritize the level of rigor in security control mechanisms

‍

A drawback of the NIST security framework is that it includes requirements that can be approached in multiple ways, making it difficult to identify the specific controls needed to ensure compliance.

NIST Security Framework – how to use

The NIST Cybersecurity Framework is a voluntary standard that can be adopted by any IT organization leveraging container-led workflows. The NIST Risk Management Framework includes guidelines on how to conduct a comprehensive risk assessment, with a baseline integrated into the organization’s security strategy, before implementing security controls.

NSA offers general guidance on technical cybersecurity to help enterprises (in both the private and public sector) harden Kubernetes clusters and applications. The guidance includes the security challenges teams face when setting up Kubernetes clusters and strategies to avoid known misconfigurations. The report includes recommendations for comprehensive cluster hardening, such as:

Pod security

• Use containers built as non-root users to host applications
• Adopt image scanners to find vulnerabilities and misconfigurations in containerized applications
• Use immutable file systems for containers
• Leverage pod security standards to enforce minimum security levels

Network separation & hardening

• Use a firewall and RBAC for access controls
• Secure the etcd server
• Administer TLS authentication to restrict access to control plane components
• Isolate resources using network policies
• Use Kubernetes secrets to store sensitive information like credentials

Authentication and authorization

• Disable anonymous logins
• Enforce strong authentication policies
• Use RBAC policies to limit account activity

Audit logging

• Enable audit logging
• Persist logs for application availability
• Set up a metrics logging platform

Upgrading and application security practices

• Regularly apply security patches and updates
• Perform penetration tests and vulnerability scans periodically
• Remove redundant/non-essential components from the Kubernetes environment

Benefits & drawbacks

Benefits of using the NSA-CISA Kubernetes hardening guide include:

• A threat modeling framework recommended for an entire supply chain for comprehensive security
• Impactful guidance and remediation for insider threats

A major drawback of the NSA-CISA framework is that it does not include recommendations for container lifecycle security management.

NSA-CISA Kubernetes hardening guide – how to use

The NSA-CISA guidance outlines vulnerabilities within a Kubernetes ecosystem while recommending best practices on configuring a cluster for robust security. With recommendations on vulnerability scanning, identifying misconfigurations, log auditing, and authentication, the report ensures that common security challenges are appropriately addressed to mitigate risks. Besides adopting the practices outlined by the framework, organizations can also leverage open-source tools like Kubescape, which follows the NSA-CISA guidance to specifically harden Kubernetes clusters.

Kubernetes Security Frameworks – a quick comparison

Kubernetes security frameworks help define executive processes by outlining how organizations can maintain robust security and remain compliant. Each of the frameworks discussed above offers a unique approach to categorize various components of a Kubernetes ecosystem, as well as guidance on how to keep them secure. While emphasizing a proactive approach to mitigating risks, each framework essentially highlights the importance of efficient vulnerability scanning and comprehensive threat modeling as key practices in enhancing an organization’s security posture.

Also, because of their focus on cybersecurity and Kubernetes cluster hardening, these frameworks do have a few overlapping features and principles.

Security Frameworks
	CIS	MITRE	PCI DSS	NIST	NSA-CISA
GOAL	Provide configuration benchmarks	Enumerate all real-world attack tactics, techniques, and procedures	Protect cardholder data	Issue guidelines for a risk management framework	Enable the hardening of Kubernetes Cluster
WHEN TO USE	Pre-production	In production	Development, testing, and production	Testing and vulnerability scanning	Pre-production
FOCUS AREAS	Auditing configuration management	Threat modeling	Access control, vulnerability management	Risk management	Configuration management
HOW TO USE	Compare CIS standards with system configuration	Use the prescribed techniques for pen tests and threat management	Use guidelines to create policies for data protection	Use the RMF to establish a baseline for security posture	Use example configurations of hardened clusters
TOOLS	Kubescape	Kubescape	Twistlock	NIST SRE Tools	Kubescape

However, as they were derived from the threat patterns of different industries, these guidance frameworks are often considered more appropriate for specific use cases rather than as a global standard for keeping any Kubernetes environment secure and compliant.

• The CIS Kubernetes Framework offers benchmarks as guidelines for the secure configuration of cluster components.
• The MITRE ATT&CK Matrix is mostly based on threat modeling, which offers adversarial insights and tactics on how organizations can secure their Kubernetes workloads post-compromise.
• PCI DSS is a payment industry security standard and focuses on how to secure containers and the Kubernetes ecosystem of the cardholder’s data environment.
• The NIST Framework is particularly concerned with risk management and outlines common risks for containerized applications and their countermeasures.
• The NSA-CISA Framework offers guidance on hardening Kubernetes clusters with an emphasis on configuration management, the entire lifecycle of a supply chain, and insider threats.

Summary

Kubernetes continues to be the leading container orchestrator, being used or evaluated by used by over 96% of organziations today. While it offers a range of features in managing complex workloads, security and compliance remain a major concern with Kubernetes adoption. Although Kubernetes has rapidly gained unprecedented popularity, it is still a relatively novel platform. As a result, most frameworks do not yet offer focused guidelines toward the security and compliance of a Kubernetes ecosystem. While compliance frameworks evolve further and start doing so, the onus of evaluating vulnerabilities or compliance remains.

With the multiple integrations, built-in components, and processes of a Kubernetes environment, security is a complex undertaking. Although adopting a certain framework’s guidance will suit most organizations, adopting a multi-framework strategy for comprehensive security is also not uncommon. In the end, the goal is always the same: to achieve a robustly secure and compliant Kubernetes cluster that supports highly efficient and scalable applications.