What is RCE in Kubernetes?
A detailed overview of the Remote Code Execution (RCE) attacks, how it affects the Kubernetes...
Oct 6, 2021
The challenge of administering security and maintaining compliance in a Kubernetes ecosystem is typically the same: an increasingly dynamic, changing landscape, be it new approaches of cyberattacks or adhering to changing regulations.
Kubernetes security requires a complex and multifaceted approach since an effective strategy needs to:
Though security and compliance are often mistaken as two separate requirements, their objectives are the same. While organizations may choose how they administer security, regulatory bodies are the ones who set and enforce mandatory compliance standards. Adhering to these regulations is also crucial in terms of ensuring business continuity, protecting reputation, and determining an application’s level of risk.
To help with this, various institutions offer standardized frameworks and guidelines for administering security in a complex, dynamic Kubernetes ecosystem. This article delves into the popular Kubernetes security guidance frameworks, the principles on which they are built, and the benefits and challenges of adopting them.
Since Kubernetes follows a loosely coupled architecture, securing the ecosystem involves a cross-combination of best practices, tools, and processes. It is also recommended to consider frameworks that issue specific guidelines for easing the complexity of administering the security and compliance of a Kubernetes ecosystem. Such frameworks help organizations create flexible, iterative, and cost-effective approaches to keeping clusters and applications safe and compliant while ensuring optimum performance.
A typical framework’s guidance on Kubernetes security and compliance should essentially consider:
The foundations of such frameworks are built upon real-world observations. As a result, organizations referring to them remain updated with the changing technology landscape—without losing focus on core organizational goals.
As more data-driven applications go cloud-native, organizations are driven to pay more attention to security in order to protect their assets and information. To deal with this, every vendor or organization often develops and adopts its own security practices. Though that’s a justified approach, the often-changing dynamics of cybersecurity are missed or unaccounted for. Guidance frameworks, on the other hand, enable organizations to match the expected security standards while enabling easier monitoring of security controls, enhanced team-level accountability, and efficient vulnerability assessment.
In many cases, an organization needs to comply with respective industry standards as part of its regulatory obligations, for instance, HIPAA for healthcare and PCI DSS for finance. While there are a number of frameworks that offer security guidelines for a cloud-native environment, the following are some of the most popular frameworks that offer focused guidance on securing Kubernetes workloads. All of these frameworks are free to use, offered by reputed (and objective) organizations, and have been created based on real-world events and the changing security landscape.
Since the mid-2000s, the Center for Internet Security (CIS) has been working closely with the IT community and publishing security benchmarks and best practices. These benchmarks include a detailed guideline that lays the foundation for hardening Kubernetes environments by recommending settings for secure cluster component configurations. CIS also lists tools that automatically check cluster resources to see if they comply with the set benchmarks and raise alerts for non-compliant components.
Securing clusters starts with identifying the Kubernetes distribution and referring to the related best practice recommendations per the CIS benchmark. The best practices are then prioritized according to recommendation level:
Recommendations are scored based on how much a failure-to-comply will affect the final benchmark score. The security team then outlines the values that specify the status of the recommendations in production.
Some benefits of the CIS Benchmark for Kubernetes include:
One of the major drawbacks of the CIS benchmark is that it offers general guidance and may misrepresent certain use cases. As a result, on account of the strict blueprint of the CIS benchmark, organizations may miss assessing certain security misconfigurations or give more weight to those that aren’t relevant to their use case.
CIS Security Benchmarks are globally acknowledged security standards for defending web applications. CIS also offers tools, such as CIS-CAT, that enable security teams to compare system configurations with CIS standards. Besides this, Kube-Bench is also a popular open-source tool for running CIS benchmark tests on Kubernetes workloads.
The MITRE ATT&CK framework is a comprehensive knowledge base built on various hacking mechanisms and tactics based on real-world events. The framework forms the foundation for an organization’s threat model by simulating adversary behavior and mitigation practices. While MITRE outlines various matrices for niche domains, such as Cloud, Windows, etc., the Kubernetes framework focuses on various phases of an attack lifecycle exploiting Kubernetes platforms.
MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) outlines various attack mechanisms commonly leveraged by attack vectors in a Kubernetes ecosystem, including:
The ATT&CK matrix is particularly popular due to the level of depth each tactic goes into. By regularly updating the threat models, the MITRE matrix considers regular industry trends to build a comprehensive list of cyberattack techniques and sub-techniques.
Some benefits of the MITRE ATT&CK framework include:
However, due to the amount of adversary data, techniques, and sub-techniques, the MITRE ATT&CK framework is large, complex, and often costly to implement. The framework is also less comprehensive when compared with CIS and often may offer ambiguous approaches rather than proposing exact steps to protect/evaluate a security control.
The matrix lists various attack tactics that can potentially compromise a cloud-native environment based on real-world observations. By offering Indicators of Compromise and Indicators of Attack, the list helps security teams identify and study the mechanisms used by hackers across various stages of a cyber attack. The matrix also offers an adversarial approach that can be used by penetration testers, security defenders, cyber intelligence teams, red teams, and internal teams to create robust threat models and improve security posture. Besides adopting the practices outlined by the framework, organizations can also leverage open-source tools like Kubescape by ARMO, which follows MITRE guidance to specifically harden Kubernetes clusters.
The Payment Card Industry Data Security Standard (PCI DSS) compliance framework outlines the technical and operational requirements to enable security and data protection for the payment industry. PCI DSS compliance is based on the following principles:
An inherent challenge with respect to open-source packaging, container lifespan, and container sprawl is that certain attributes complicate regulatory compliance in a Kubernetes environment. To help simplify this, the PCI DSS framework outlines focused goals that are relevant to Kubernetes, including:
Organizations adopting the cloud are often wary of the challenges in maintaining PCI DSS compliance. This is because containers are built to communicate with several other components of the platform when processing transactions, thereby relying on a complex intercontainer network. It is also recommended that when embracing PCI standards, organizations do not end their security and compliance efforts with containers but instead make sure that orchestrators, such as Kubernetes, are equally weighed.
Adopting the PCI DSS compliance framework for Kubernetes brings a number of benefits to organizations, including:
One commonly observed challenge with adopting the PCI DSS framework is that it involves numerous specifications that typically differ for different organizations. All requirements listed as part of the PCI DSS standards are mandatory and extremely technical, requiring niche skills to implement. Besides this, vendors usually offer partial support for PCI DSS guidance adoption by complying with specific parts of the guidance. This requires a collection of different entities that follow best practices for their respective domains to ensure comprehensive compliance with the PCI DSS security framework.
PCI DSS outlines various computing guidelines that organizations should follow to be compliant. These guidelines apply to all organizations that store, process, or transmit cardholder data such as payment gateways, banks, merchants, and developers.
The National Institute of Standards and Technology (NIST) publishes a special Risk Management Framework for containers and containerized environments. This publication, also known as the NIST Application Container Security Guide, highlights security risks associated with containerized applications and practical recommendations to address them.
NIST categorizes security risks for containerized technologies across multiple layers of a platform, including:
Countermeasures and NIST recommended practices for a secure container orchestration include:
Adopting the NIST security framework for containers helps organizations via several benefits, including:
A drawback of the NIST security framework is that it includes requirements that can be approached in multiple ways, making it difficult to identify the specific controls needed to ensure compliance.
The NIST Cybersecurity Framework is a voluntary standard that can be adopted by any IT organization leveraging container-led workflows. The NIST Risk Management Framework includes guidelines on how to conduct a comprehensive risk assessment, with a baseline integrated into the organization’s security strategy, before implementing security controls.
NSA offers general guidance on technical cybersecurity to help enterprises (in both the private and public sector) harden Kubernetes clusters and applications. The guidance includes the security challenges teams face when setting up Kubernetes clusters and strategies to avoid known misconfigurations. The report includes recommendations for comprehensive cluster hardening, such as:
Benefits of using the NSA-CISA Kubernetes hardening guide include:
A major drawback of the NSA-CISA framework is that it does not include recommendations for container lifecycle security management.
The NSA-CISA guidance outlines vulnerabilities within a Kubernetes ecosystem while recommending best practices on configuring a cluster for robust security. With recommendations on vulnerability scanning, identifying misconfigurations, log auditing, and authentication, the report ensures that common security challenges are appropriately addressed to mitigate risks. Besides adopting the practices outlined by the framework, organizations can also leverage open-source tools like Kubescape by ARMO, which follows the NSA-CISA guidance to specifically harden Kubernetes clusters.
Kubernetes guidance frameworks help define executive processes by outlining how organizations can maintain robust security and remain compliant. Each of the frameworks discussed above offers a unique approach to categorize various components of a Kubernetes ecosystem, as well as guidance on how to keep them secure. While emphasizing a proactive approach to mitigating risks, each framework essentially highlights the importance of efficient vulnerability scanning and comprehensive threat modeling as key practices in enhancing an organization’s security posture.
Also, because of their focus on cybersecurity and Kubernetes cluster hardening, these frameworks do have a few overlapping features and principles.
However, as they were derived from the threat patterns of different industries, these guidance frameworks are often considered more appropriate for specific use cases rather than as a global standard for keeping any Kubernetes environment secure and compliant.
Kubernetes continues to be the leading container orchestrator, used by over 74% of IT companies today with containerized workloads in production. While it offers a range of features in managing complex workloads, security and compliance remain a major concern with Kubernetes adoption. Although Kubernetes has rapidly gained unprecedented popularity, it is still a relatively novel platform. As a result, most frameworks do not yet offer focused guidelines toward the security and compliance of a Kubernetes ecosystem. While compliance frameworks evolve further and start doing so, the onus of evaluating vulnerabilities or compliance remains.
With the multiple integrations, built-in components, and processes of a Kubernetes environment, security is a complex undertaking. Although adopting a certain framework’s guidance will suit most organizations, adopting a multi-framework strategy for comprehensive security is also not uncommon. In the end, the goal is always the same: to achieve a robustly secure and compliant Kubernetes cluster that supports highly efficient and scalable applications.
A detailed overview of the Remote Code Execution (RCE) attacks, how it affects the Kubernetes...
All the main K8s vulnerabilities from 2022 consolidated into one article. Read all about it...
A first of its kind survey looks at the relationship between open-source and K8s security....