A Practical Guide to the Different Compliance Kubernetes Security Frameworks and How They Fit Together

This blog was originally published by ARMO here.

Written by Jonathan Kaftzan, ARMO.

TL;DR - Comparing popular Kubernetes security and compliance frameworks, how they differ, when to use, common goals, and suggested tools

The challenge of administering security and maintaining compliance in a Kubernetes ecosystem is typically the same: an increasingly dynamic, changing landscape, be it new approaches of cyberattacks or adhering to changing regulations.

Kubernetes security requires a complex and multifaceted approach since an effective strategy needs to:

• Ensure clean code
• Provide full observability
• Prevent the exchange of information with untrusted services
• Produce digital signatures for clean code and trusted applications

Though security and compliance are often mistaken as two separate requirements, their objectives are the same. While organizations may choose how they administer security, regulatory bodies are the ones who set and enforce mandatory compliance standards. Adhering to these regulations is also crucial in terms of ensuring business continuity, protecting reputation, and determining an application’s level of risk.

To help with this, various institutions offer standardized frameworks and guidelines for administering security in a complex, dynamic Kubernetes ecosystem. This article delves into the popular Kubernetes security guidance frameworks, the principles on which they are built, and the benefits and challenges of adopting them.

Kubernetes Security Guidance Frameworks

Since Kubernetes follows a loosely coupled architecture, securing the ecosystem involves a cross-combination of best practices, tools, and processes. It is also recommended to consider frameworks that issue specific guidelines for easing the complexity of administering the security and compliance of a Kubernetes ecosystem. Such frameworks help organizations create flexible, iterative, and cost-effective approaches to keeping clusters and applications safe and compliant while ensuring optimum performance.

A typical framework’s guidance on Kubernetes security and compliance should essentially consider:

• Architecture best practices
• Security within CI/CD pipelines
• Resource protection
• Container runtime protection
• Supply chain security
• Network security
• Vulnerability scanning
• Secrets management and protection

The foundations of such frameworks are built upon real-world observations. As a result, organizations referring to them remain updated with the changing technology landscape—without losing focus on core organizational goals.

List of Security Guidance Frameworks

As more data-driven applications go cloud-native, organizations are driven to pay more attention to security in order to protect their assets and information. To deal with this, every vendor or organization often develops and adopts its own security practices. Though that's a justified approach, the often-changing dynamics of cybersecurity are missed or unaccounted for. Guidance frameworks, on the other hand, enable organizations to match the expected security standards while enabling easier monitoring of security controls, enhanced team-level accountability, and efficient vulnerability assessment.

In many cases, an organization needs to comply with respective industry standards as part of its regulatory obligations, for instance, HIPAA for healthcare and PCI DSS for finance. While there are a number of frameworks that offer security guidelines for a cloud-native environment, the following are some of the most popular frameworks that offer focused guidance on securing Kubernetes workloads. All of these frameworks are free to use, offered by reputed (and objective) organizations, and have been created based on real-world events and the changing security landscape.

The Center for Internet Security (CIS) Kubernetes Benchmark

Since the mid-2000s, the Center for Internet Security (CIS) has been working closely with the IT community and publishing security benchmarks and best practices. These benchmarks include a detailed guideline that lays the foundation for hardening Kubernetes environments by recommending settings for secure cluster component configurations. CIS also lists tools that automatically check cluster resources to see if they comply with the set benchmarks and raise alerts for non-compliant components.

Leveraging CIS Benchmarks for Kubernetes Security

Securing clusters starts with identifying the Kubernetes distribution and referring to the related best practice recommendations per the CIS benchmark. The best practices are then prioritized according to recommendation level:

• Level 1 recommendations are practical and prudent, provide clear security benefits, and do not interfere with Kubernetes usage or the platform.
• ‍Level 2 recommendations are applied to mission-critical environments for deeper defense measures that typically inhibit the performance of the platform.

Recommendations are scored based on how much a failure-to-comply will affect the final benchmark score. The security team then outlines the values that specify the status of the recommendations in production.

Benefits and Drawbacks

Some benefits of the CIS Benchmark for Kubernetes include:

• Simplifies configuration management
• Suitable for all open-source Kubernetes distributions
• Standardizes efforts to minimize the attack surface
• Enables cluster-wide vulnerability scanning

One of the major drawbacks of the CIS benchmark is that it offers general guidance and may misrepresent certain use cases. As a result, on account of the strict blueprint of the CIS benchmark, organizations may miss assessing certain security misconfigurations or give more weight to those that aren’t relevant to their use case.

CIS Security Guidance - How to Use

CIS Security Benchmarks are globally acknowledged security standards for defending web applications. CIS also offers tools, such as CIS-CAT, that enable security teams to compare system configurations with CIS standards. Besides this, Kube-Bench is also a popular open-source tool for running CIS benchmark tests on Kubernetes workloads.

The MITRE ATT&CK® Framework for Kubernetes

The MITRE ATT&CK framework is a comprehensive knowledge base built on various hacking mechanisms and tactics based on real-world events. The framework forms the foundation for an organization’s threat model by simulating adversary behavior and mitigation practices. While MITRE outlines various matrices for niche domains, such as Cloud, Windows, etc., the Kubernetes framework focuses on various phases of an attack lifecycle exploiting Kubernetes platforms.

The MITRE ATT&CK Matrix for Kubernetes

MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) outlines various attack mechanisms commonly leveraged by attack vectors in a Kubernetes ecosystem, including:

• Initial Access - Techniques that can be exploited to enable first access to the cluster, e.g.:
  • Weak cloud credentials
  • Compromised registry images
  • Kubeconfig
  • Vulnerable applications
  • Exposed dashboard
• Execution - Typically involves running malicious code inside the cluster using tactics, e.g.:
  • Executing into a container
  • Building a new container
  • Application exploit
  • Running an SSH Server inside the container
• Persistence - Tactics to keep accessing the cluster even when hackers lose their initial foothold, e.g.:
  • Exploiting a backdoor container
  • Writeable hostPath mount
  • Kubernetes CronJob
• Privilege escalation - Once inside the environment, attackers leverage several techniques to access higher privileges, e.g.:
  • Privileged containers
  • Cluster-admin binding
  • hostPath mount
  • Access to cloud resources
• Defense evasion - To hide their presence, attackers avoid detection using stealth tactics, e.g.:
  • Clearing container logs
  • Deleting Kubernetes events
  • Using a similar Pod name
  • Connecting from a proxy server
• Credential access - Attempting to hack into more accounts by:
  • Listing Kubernetes secrets
  • Mounting service principals
  • Accessing container service accounts
  • Accessing credentials in config files
• Discovery - Exploiting compromised Kubernetes environment through:
  • Accessing the Kube-API Server
  • Accessing the Kubelet API
  • Network mapping
  • Accessing the Kubernetes dashboard
  • Checking the cloud instance metadata API
• Lateral Movement - Navigate and exploit the compromised environment by:
  • Accessing cloud resources
  • Using the container service account
  • Using cluster internal networking to reach other containers
  • Reading writable mounts on the nodes
  • Accessing the Kubernetes dashboard
• Impact - Hackers destroy, abuse, or disrupt the ecosystem by:
  • Destroying data
  • Hijacking resources
  • Denial-of-service

The ATT&CK matrix is particularly popular due to the level of depth each tactic goes into. By regularly updating the threat models, the MITRE matrix considers regular industry trends to build a comprehensive list of cyberattack techniques and sub-techniques.

Benefits and Drawbacks

Some benefits of the MITRE ATT&CK framework include:

• Enforces continuous, automated security testing
• Suggests preemptive actions to identify and mitigate vulnerabilities
• Curated list of adversary tactics based on industry inputs
• Up-to-date list of emerging hacking techniques and security landscape

However, due to the amount of adversary data, techniques, and sub-techniques, the MITRE ATT&CK framework is large, complex, and often costly to implement. The framework is also less comprehensive when compared with CIS and often may offer ambiguous approaches rather than proposing exact steps to protect/evaluate a security control.

MITRE ATT&CK Matrix - How to Use

The matrix lists various attack tactics that can potentially compromise a cloud-native environment based on real-world observations. By offering Indicators of Compromise and Indicators of Attack, the list helps security teams identify and study the mechanisms used by hackers across various stages of a cyber attack. The matrix also offers an adversarial approach that can be used by penetration testers, security defenders, cyber intelligence teams, red teams, and internal teams to create robust threat models and improve security posture. Besides adopting the practices outlined by the framework, organizations can also leverage open-source tools like Kubescape by ARMO, which follows MITRE guidance to specifically harden Kubernetes clusters.

PCI DSS Compliance for Kubernetes

The Payment Card Industry Data Security Standard (PCI DSS) compliance framework outlines the technical and operational requirements to enable security and data protection for the payment industry. PCI DSS compliance is based on the following principles:

• Build and maintain a secure network system
• Secure cardholder data
• Develop and maintain vulnerability management programs
• Administer robust access control measures
• Regular observability and debugging of networks
• Periodic update and maintenance of information security policies

PCI DSS Cloud Computing Guidelines

An inherent challenge with respect to open-source packaging, container lifespan, and container sprawl is that certain attributes complicate regulatory compliance in a Kubernetes environment. To help simplify this, the PCI DSS framework outlines focused goals that are relevant to Kubernetes, including:

• Identify all connections between the card data environment and other networks
• Restrict connections with untrusted networks using firewalls and router connections
• Develop configuration standards for all system components
• Secure cryptographic key distribution
• Separate development and production environments
• Deploy change-detection mechanisms

Organizations adopting the cloud are often wary of the challenges in maintaining PCI DSS compliance. This is because containers are built to communicate with several other components of the platform when processing transactions, thereby relying on a complex intercontainer network. It is also recommended that when embracing PCI standards, organizations do not end their security and compliance efforts with containers but instead make sure that orchestrators, such as Kubernetes, are equally weighed.

Benefits & Drawbacks

Adopting the PCI DSS compliance framework for Kubernetes brings a number of benefits to organizations, including:

• Enforces data protection and privacy
• Efficient assessment of existing security posture and vulnerabilities
• Adopts the universal standard for a payment’s platform
• Achieves compliance

‍One commonly observed challenge with adopting the PCI DSS framework is that it involves numerous specifications that typically differ for different organizations. All requirements listed as part of the PCI DSS standards are mandatory and extremely technical, requiring niche skills to implement. Besides this, vendors usually offer partial support for PCI DSS guidance adoption by complying with specific parts of the guidance. This requires a collection of different entities that follow best practices for their respective domains to ensure comprehensive compliance with the PCI DSS security framework.

PCI DSS Security Guidance - How to Use

PCI DSS outlines various computing guidelines that organizations should follow to be compliant. These guidelines apply to all organizations that store, process, or transmit cardholder data such as payment gateways, banks, merchants, and developers.

NIST Application Container Security Framework

The National Institute of Standards and Technology (NIST) publishes a special Risk Management Framework for containers and containerized environments. This publication, also known as the NIST Application Container Security Guide, highlights security risks associated with containerized applications and practical recommendations to address them.

Risks, Countermeasures, and Considerations for the Container Technology Life Cycle

NIST categorizes security risks for containerized technologies across multiple layers of a platform, including:

• Image Risks
  • Embedded clear text secrets
  • Image misconfiguration
  • Use of untrusted images
  • Image vulnerabilities
• Registry Risks
  • Insecure connections
  • Stale images
  • Insufficient authorization and authentication
• Orchestrator Risks
  • Unbounded administrative access
  • Poor isolation for inter-container traffic
  • Mixed sensitivity levels
  • Orchestrator node trust
• Container Risks
  • Runtime vulnerabilities
  • Insecure runtime configurations
  • App vulnerabilities
  • Rogue containers
• Host OS Risks
  • Large attack surface
  • Shared kernel
  • Improper access rights
  • File system tampering

Countermeasures and NIST recommended practices for a secure container orchestration include:

• Tailor organizational culture to be aligned with container security best practices
• Use container-focused operating systems
• Group containers with the same sensitivity, purpose, and risk profile within the same kernel
• Adopt vulnerability scanning and management tools that are container-focused
• Use context-aware runtime security tools
• Integrate hardware-based security countermeasures

Benefits & Drawbacks

Adopting the NIST security framework for containers helps organizations via several benefits, including:

• Trusted, standard methodologies for risk management
• Helps organizations assess areas where the Kubernetes ecosystem requires hardened security controls
• Helps prioritize the level of rigor in security control mechanisms

‍A drawback of the NIST security framework is that it includes requirements that can be approached in multiple ways, making it difficult to identify the specific controls needed to ensure compliance.

NIST Security Framework - How to Use

The NIST Cybersecurity Framework is a voluntary standard that can be adopted by any IT organization leveraging container-led workflows. The NIST Risk Management Framework includes guidelines on how to conduct a comprehensive risk assessment, with a baseline integrated into the organization's security strategy, before implementing security controls.

The National Security Agency - Cybersecurity and Infrastructure Security Agency (NSA-CISA) Kubernetes Hardening Guide

NSA offers general guidance on technical cybersecurity to help enterprises (in both the private and public sector) harden Kubernetes clusters and applications. The guidance includes the security challenges teams face when setting up Kubernetes clusters and strategies to avoid known misconfigurations. The report includes recommendations for comprehensive cluster hardening, such as:

Pod Security

• Use containers built as non-root users to host applications
• Adopt image scanners to find vulnerabilities and misconfigurations in containerized applications
• Use immutable file systems for containers
• Leverage pod security policies to enforce minimum security levels

Network Separation & Hardening

• Use a firewall and RBAC for access controls
• Secure the etcd server
• Administer TLS authentication to restrict access to control plane components
• Isolate resources using network policies
• Use Kubernetes secrets to store sensitive information like credentials

Authentication and Authorization

• Disable anonymous logins
• Enforce strong authentication policies
• Use RBAC policies to limit account activity

Audit Logging

• Enable audit logging
• Persist logs for application availability
• Set up a metrics logging platform

Upgrading and Application Security Practices

• Regularly apply security patches and updates
• Perform penetration tests and vulnerability scans periodically
• Remove redundant/non-essential components from the Kubernetes environment

Benefits & Drawbacks

Benefits of using the NSA-CISA Kubernetes hardening guide include:

• A threat modeling framework recommended for an entire supply chain for comprehensive security
• Impactful guidance and remediation for insider threats

A major drawback of the NSA-CISA framework is that it does not include recommendations for container lifecycle security management.

NSA-CISA Kubernetes Hardening Guide - How to Use

The NSA-CISA guidance outlines vulnerabilities within a Kubernetes ecosystem while recommending best practices on configuring a cluster for robust security. With recommendations on vulnerability scanning, identifying misconfigurations, log auditing, and authentication, the report ensures that common security challenges are appropriately addressed to mitigate risks. Besides adopting the practices outlined by the framework, organizations can also leverage open-source tools like Kubescape by ARMO, which follows the NSA-CISA guidance to specifically harden Kubernetes clusters.

Kubernetes Security Frameworks - Quick Comparison

Kubernetes guidance frameworks help define executive processes by outlining how organizations can maintain robust security and remain compliant. Each of the frameworks discussed above offers a unique approach to categorize various components of a Kubernetes ecosystem, as well as guidance on how to keep them secure. While emphasizing a proactive approach to mitigating risks, each framework essentially highlights the importance of efficient vulnerability scanning and comprehensive threat modeling as key practices in enhancing an organization’s security posture.

Also, because of their focus on cybersecurity and Kubernetes cluster hardening, these frameworks do have a few overlapping features and principles.

Security Frameworks

However, as they were derived from the threat patterns of different industries, these guidance frameworks are often considered more appropriate for specific use cases rather than as a global standard for keeping any Kubernetes environment secure and compliant.

• The CIS Kubernetes Framework offers benchmarks as guidelines for the secure configuration of cluster components.
• The MITRE ATT&CK Matrix is mostly based on threat modeling, which offers adversarial insights and tactics on how organizations can secure their Kubernetes workloads post-compromise.
• PCI DSS is a payment industry security standard and focuses on how to secure containers and the Kubernetes ecosystem of the cardholder’s data environment.
• The NIST Framework is particularly concerned with risk management and outlines common risks for containerized applications and their countermeasures.
• The NSA-CISA Framework offers guidance on hardening Kubernetes clusters with an emphasis on configuration management, the entire lifecycle of a supply chain, and insider threats.

Summary

Kubernetes continues to be the leading container orchestrator, used by over 74% of IT companies today with containerized workloads in production. While it offers a range of features in managing complex workloads, security and compliance remain a major concern with Kubernetes adoption. Although Kubernetes has rapidly gained unprecedented popularity, it is still a relatively novel platform. As a result, most frameworks do not yet offer focused guidelines toward the security and compliance of a Kubernetes ecosystem. While compliance frameworks evolve further and start doing so, the onus of evaluating vulnerabilities or compliance remains.

With the multiple integrations, built-in components, and processes of a Kubernetes environment, security is a complex undertaking. Although adopting a certain framework’s guidance will suit most organizations, adopting a multi-framework strategy for comprehensive security is also not uncommon. In the end, the goal is always the same: to achieve a robustly secure and compliant Kubernetes cluster that supports highly efficient and scalable applications.