Kubernetes GRC - Bridging the Gap between Security and Dynamicity

Implementing Security GRC in any infrastructure is not an easy task. When it comes to Kubernetes Security, it is even more challenging for the following reasons:

• Complexity: The rapidly evolving multi-node, multi-network infrastructure, underlying operating system, and the containerized applications and services make it difficult to comprehend and address the security concerns.
• Rapid configuration changes: As the Kubernetes resources are constantly added, updated, and deleted, it is very easy for the overall configuration to drift from the desired state.
• Lack of automation and continuous monitoring: It is next to impossible to continuously keep track of the Kubernetes Security posture manually.
• Lack of integration: Single cloud, multi-cloud, hybrid-cloud, and on-prem nature of the clusters makes it more difficult to integrate with policy engines and involves multiple security tools.
• Rapidly evolving vulnerabilities and threats: An increase in attack surface and complexity of threat management result in skyrocketing vulnerabilities.
• Lack of visibility into user activity: It is very difficult to track and monitor user activity in a Kubernetes cluster, making it more difficult to identify potential breaches.

With the fast evolution of Kubernetes, complexity of modern cloud-native environments, and the constantly evolving nature of security threats, there arises a need to have a thorough and in-depth process for evaluating the effectiveness of controls and the overall risk posture of not just the Kubernetes clusters, but also of the cloud on which they are running.

Hence, compliance and audit are no longer a once or twice a year checkbox process. Properly securing a Kubernetes cluster requires ongoing attention and maintenance, as new vulnerabilities and threats may arise every minute. It is important to regularly review and update security measures to ensure that the cluster remains secure.

Kubernetes itself provides a number of built-in security features, such as:

• Role-Based Access Control
• Admission Controllers
• Network Policies
• Secrets management
• Encryption of data in transit
• Auditing
• Integrated L7 Ingress Gateways

The question is how to use them effectively.

A single misconfigured resource can lead to significant security incidents. Misconfiguration of the Kubernetes cluster is the biggest reason and contributes to around 80% of the security breaches, according to a Gartner Survey.

Continuous monitoring and recording of these configurations become very important to address the Kubernetes Security concerns and reduce the attack surface.

There are various security and policy enforcement tools, both: open source such as Anchore, Trivy, Falco, and OS-query, and commercial platforms such as Snyk, Aqua Security, Qualys, and StackRox, which help in evaluating the security posture of the Kubernetes infrastructure. However, there are some fundamental challenges in effectively using these tools for security, compliance, and risk management:

• Data overload: Many of these solutions bombard users with a lot of alerts and data. The question becomes how to infer this data.
• Deployment model: Many of these solutions require deployment of agents such as daemon sets or resources to the Kubernetes Cluster, increasing the cost of management.
• Access control: Most of these tools require write access to the clusters: This is an anti-pattern from a security perspective.

We can overcome most of these challenges through automated policy engines. The most well-known open-source policy engines that are part of the CNCF portfolio are OPA, Kyverno, Kubewarden, and Cloud Custodian.

These policy engines provide a layered approach to security and compliance on Kubernetes. However, there are some shortcomings as well:

• Steep learning with OPA: It may be too complex for new users to learn REGO which is the custom policy language used by OPA
• Opinionated policies with Kyverno: Kyverno does a great job of hiding the implementation details; however, it takes a very strong opinionated approach to Kubernetes and, unlike OPA, is not for developing new policies
• Policies beyond Kubernetes infrastructure: Per CNCF Annual Survey 79% of the respondents run on AWS EKS and Azure AKS platforms. Managing security requires customers to manage policies not just within Kubernetes clusters but also across the integrated cloud services.
  For example, Azure AKS integrates with Azure AD for RBAC and JIT access and with Keyvault for secret management. We need to orchestrate across both Kubernetes and non-Kubernetes policy engines. This becomes even more difficult when we have to take application policies for customer applications running on Kubernetes into account.

With all these policy engines and security tools, an average mid-size organization ends up using 50-60 different tools, according to Cisco’s 2020 CISO Benchmark. They realize the need for a single tool that addresses all the concerns and, at the same time, does not throw away the effort and money already spent on Security policy tools.

To effectively solve Kubernetes Security GRC, we not only need to automate but also to continuously monitor, measure and manage security controls. And any solution we take should take an agile approach by choosing the best-of-the-breed products and solutions and by iteratively improving on existing policy automation.

There is a need for a Security platform where you can automate and continuously measure and evaluate the Security Controls. A platform that not only provides you the flexibility to create and deploy your own custom policies in your favorite language but also avoids data overload. A Security solution that provides meaningful insights and signals, which can be consumed easily to create custom reports and dashboards for Security Analysts, CISOs and CIOs.

ComplianceCow allows you to automate security policies with ease and preserve your existing investments in Kubernetes Security solutions such as OPA and Kyverno.
Whether you have Single-Cloud, Multi-Cloud, Hybrid-Cloud, or a complete on-prem Kubernetes Clusters, ComplianceCow provides out-of-the-band evidence collection and security evaluation solutions.