Sidecar Containers in Kubernetes: A Personal Journey
I had always wanted to use sidecars with Istio or Splunk forwarder in production, but...
Aug 1, 2023
TL;DR – Comparing popular Kubernetes security and compliance frameworks, how they differ, when to use them, common goals, and suggested tools.
The challenge of administering security and maintaining compliance in a Kubernetes ecosystem is typically the same: an increasingly dynamic, ever-changing, ephemeral landscape. Changes can be rooted in new approaches to cyberattacks or changing regulations.
Kubernetes security requires a complex and multifaceted approach since an effective strategy needs to:
Security and compliance are two closely related concepts in Kubernetes. Security refers to the measures taken to protect a Kubernetes environment from unauthorized access, data breaches, and other malicious attacks. Compliance refers to the adherence to a set of security standards or regulations. While organizations may choose how they administer security, regulatory bodies are the ones who set and enforce mandatory compliance standards. These standards are designed to protect sensitive data and ensure the security of crtical infrastructure. By adhering to these regulations, organizations signal to customers that they care about ensuring business continuity and determining an application’s level of risk. This can also enhance an organization’s reputation, as a by product.
To help with this, various institutions offer standardized frameworks and guidelines for administering security in the complex and dynamic Kubernetes ecosystem. This post delves into popular Kubernetes security guidance frameworks, the principles on which they are built, and the benefits and challenges of adopting them.
Since Kubernetes follows a loosely coupled architecture, securing the ecosystem involves a combination of best practices, tools, and processes. It is also recommended to consider frameworks that issue specific guidelines for easing the complexity of administering the security and compliance of a Kubernetes ecosystem. Such frameworks help organizations create flexible, iterative, and cost-efficient approaches to keeping clusters and applications safe and compliant while ensuring optimum performance.
A typical framework’s guidance on Kubernetes security and compliance should essentially consider:
The foundations of these frameworks are built upon real-world observations. As a result, organizations referring to them remain up-to-date with the changing threat landscape—without losing focus on core organizational goals.
As more data-driven applications go cloud-native, organizations are driven to pay more attention to security in order to protect their assets and information. To deal with this, every vendor or organization often develops and adopts its own security practices. While that’s a justifiable approach, it is susceptible to missing things in the changing threat landscape and leaving things unaccounted for. On the other hand, using frameworks for guidance, enables organizations to adhere to the expected security standards. This enables monitoring of security controls, enhanced team-level accountability, and efficient vulnerability assessment.
Additionally, organizations will often need to comply with respective industry standards as part of their regulatory obligations. Examples for this are: HIPAA for healthcare and PCI DSS for finance. While there are a number of frameworks that offer security guidelines for a cloud-native environment, the following are some of the most popular frameworks that offer focused guidance on securing Kubernetes workloads. All of these frameworks are free to use, offered by reputable (and objective) organizations, and have been created based on real-world events and the changing security landscape.
Since the mid-2000s, the Center for Internet Security (CIS) has been working closely with the IT community and publishing security benchmarks and best practices. These benchmarks include a detailed guideline that lays the foundation for hardening Kubernetes environments by recommending settings for secure cluster component configurations. CIS also lists tools that automatically check cluster resources to see if they comply with the set benchmarks and raise alerts for non-compliant components. As of 2020 the Center for Internete Security has rolled out a sub-set of benchmarks aimed specifically at cloud managed Kubernetes distributions. Starting with EKS, following with AKS and others.
Securing clusters starts with identifying the Kubernetes distribution and referring to the related best practice recommendations per the CIS benchmark. The best practices are then prioritized according to recommendation level:
Recommendations are scored based on how much a failure to comply will affect the final benchmark score. The security team then outlines the values that specify the status of the recommendations in production.
Some benefits of the CIS Benchmark for Kubernetes include:
One of the major drawbacks of the CIS benchmark is that it offers general guidance and may misrepresent certain use cases. As a result, on account of the strict blueprint of the CIS benchmark, organizations may miss assessing certain security misconfigurations or give more weight to those that aren’t relevant to their use case.
CIS Security Benchmarks are globally acknowledged security standards for defending web applications. CIS also offers tools, such as CIS-CAT, that enable security teams to compare system configurations with CIS standards. Kubescape is also a popular open-source tool for running CIS benchmark tests on Kubernetes workloads.
The MITRE ATT&CK framework is a comprehensive knowledge base built on various hacking mechanisms and tactics based on real-world events. The framework forms the foundation for an organization’s threat model by simulating adversary behavior and mitigation practices. While MITRE outlines various matrices for niche domains, such as Cloud, Windows, etc., the Kubernetes framework focuses on various phases of an attack lifecycle exploiting Kubernetes platforms.
MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) outlines various attack mechanisms commonly leveraged by attack vectors in a Kubernetes ecosystem, including:
The ATT&CK matrix is particularly popular due to the level of depth each tactic goes into. By regularly updating the threat models, the MITRE matrix considers regular industry trends to build a comprehensive list of cyberattack techniques and sub-techniques.
Some benefits of the MITRE ATT&CK framework include:
However, due to the number of adversary data, techniques, and sub-techniques, the MITRE ATT&CK framework is large, complex, and often costly to implement. The framework is also less comprehensive when compared with CIS and often may offer ambiguous approaches rather than proposing exact steps to protect/evaluate a security control.
The matrix lists various attack tactics that can potentially compromise a cloud-native environment based on real-world observations. By offering Indicators of Compromise and Indicators of Attack, the list helps security teams identify and study the mechanisms used by hackers across various stages of a cyber attack. The matrix also offers an adversarial approach that can be used by penetration testers, security defenders, cyber intelligence teams, red teams, and internal teams to create robust threat models and improve security posture. Besides adopting the practices outlined by the framework, organizations can also leverage open-source tools like Kubescape, which follows MITRE guidance to specifically harden Kubernetes clusters.
The Payment Card Industry Data Security Standard (PCI DSS) compliance framework outlines the technical and operational requirements to enable security and data protection for the payment industry. PCI DSS compliance is based on the following principles:
An inherent challenge with respect to open-source packaging, container lifespan, and container sprawl is that certain attributes complicate regulatory compliance in a Kubernetes environment. To help simplify this, the PCI DSS framework outlines focused goals that are relevant to Kubernetes, including:
Organizations adopting the cloud are often wary of the challenges in maintaining PCI DSS compliance. This is because containers are built to communicate with several other components of the platform when processing transactions, thereby relying on a complex intercontainer network. It is also recommended that when embracing PCI standards, organizations do not end their security and compliance efforts with containers but instead make sure that orchestrators, such as Kubernetes, are equally weighed.
Adopting the PCI DSS compliance framework for Kubernetes brings a number of benefits to organizations, including:
One commonly observed challenge with adopting the PCI DSS framework is that it involves numerous specifications that typically differ for different organizations. All requirements listed as part of the PCI DSS standards are mandatory and extremely technical, requiring niche skills to implement. Besides this, vendors usually offer partial support for PCI DSS guidance adoption by complying with specific parts of the guidance. This requires a collection of different entities that follow best practices for their respective domains to ensure comprehensive compliance with the PCI DSS security framework.
PCI DSS outlines various computing guidelines that organizations should follow to be compliant. These guidelines apply to all organizations that store, process, or transmit cardholder data such as payment gateways, banks, merchants, and developers.
The National Institute of Standards and Technology (NIST) publishes a special Risk Management Framework for containers and containerized environments. This publication, also known as the NIST Application Container Security Guide, highlights security risks associated with containerized applications and practical recommendations to address them.
NIST categorizes security risks for containerized technologies across multiple layers of a platform, including:
Countermeasures and NIST recommended practices for a secure container orchestration include:
Adopting the NIST security framework for containers helps organizations via several benefits, including:
A drawback of the NIST security framework is that it includes requirements that can be approached in multiple ways, making it difficult to identify the specific controls needed to ensure compliance.
The NIST Cybersecurity Framework is a voluntary standard that can be adopted by any IT organization leveraging container-led workflows. The NIST Risk Management Framework includes guidelines on how to conduct a comprehensive risk assessment, with a baseline integrated into the organization’s security strategy, before implementing security controls.
NSA offers general guidance on technical cybersecurity to help enterprises (in both the private and public sector) harden Kubernetes clusters and applications. The guidance includes the security challenges teams face when setting up Kubernetes clusters and strategies to avoid known misconfigurations. The report includes recommendations for comprehensive cluster hardening, such as:
Benefits of using the NSA-CISA Kubernetes hardening guide include:
A major drawback of the NSA-CISA framework is that it does not include recommendations for container lifecycle security management.
The NSA-CISA guidance outlines vulnerabilities within a Kubernetes ecosystem while recommending best practices on configuring a cluster for robust security. With recommendations on vulnerability scanning, identifying misconfigurations, log auditing, and authentication, the report ensures that common security challenges are appropriately addressed to mitigate risks. Besides adopting the practices outlined by the framework, organizations can also leverage open-source tools like Kubescape, which follows the NSA-CISA guidance to specifically harden Kubernetes clusters.
Kubernetes security frameworks help define executive processes by outlining how organizations can maintain robust security and remain compliant. Each of the frameworks discussed above offers a unique approach to categorize various components of a Kubernetes ecosystem, as well as guidance on how to keep them secure. While emphasizing a proactive approach to mitigating risks, each framework essentially highlights the importance of efficient vulnerability scanning and comprehensive threat modeling as key practices in enhancing an organization’s security posture.
Also, because of their focus on cybersecurity and Kubernetes cluster hardening, these frameworks do have a few overlapping features and principles.
Security Frameworks | |||||
CIS | MITRE | PCI DSS | NIST | NSA-CISA | |
GOAL | Provide configuration benchmarks | Enumerate all real-world attack tactics, techniques, and procedures | Protect cardholder data | Issue guidelines for a risk management framework | Enable the hardening of Kubernetes Cluster |
WHEN TO USE | Pre-production | In production | Development, testing, and production | Testing and vulnerability scanning | Pre-production |
FOCUS AREAS | Auditing configuration management | Threat modeling | Access control, vulnerability management | Risk management | Configuration management |
HOW TO USE | Compare CIS standards with system configuration | Use the prescribed techniques for pen tests and threat management | Use guidelines to create policies for data protection | Use the RMF to establish a baseline for security posture | Use example configurations of hardened clusters |
TOOLS | Kubescape | Kubescape | Twistlock | NIST SRE Tools | Kubescape |
However, as they were derived from the threat patterns of different industries, these guidance frameworks are often considered more appropriate for specific use cases rather than as a global standard for keeping any Kubernetes environment secure and compliant.
Kubernetes continues to be the leading container orchestrator, being used or evaluated by used by over 96% of organziations today. While it offers a range of features in managing complex workloads, security and compliance remain a major concern with Kubernetes adoption. Although Kubernetes has rapidly gained unprecedented popularity, it is still a relatively novel platform. As a result, most frameworks do not yet offer focused guidelines toward the security and compliance of a Kubernetes ecosystem. While compliance frameworks evolve further and start doing so, the onus of evaluating vulnerabilities or compliance remains.
With the multiple integrations, built-in components, and processes of a Kubernetes environment, security is a complex undertaking. Although adopting a certain framework’s guidance will suit most organizations, adopting a multi-framework strategy for comprehensive security is also not uncommon. In the end, the goal is always the same: to achieve a robustly secure and compliant Kubernetes cluster that supports highly efficient and scalable applications.
Experience effective, end-to-end, from dev to production, Kubernetes protection:
Manage Kubernetes role-based-access control (RBAC) visually
Eliminate misconfigurations and vulnerabilities from your CICD pipeline – from YAML to cluster
Full Kubernetes security compliance in a single dashboard
I had always wanted to use sidecars with Istio or Splunk forwarder in production, but...
Kubernetes has become the de facto platform for orchestrating containerized applications at scale in today’s...
In the evolving world of software delivery and IT operations, Kubernetes has emerged as the...