Products | Nov 17, 2021

Kubernetes Security Enhanced with NSA and CISA Guidance

Underscoring the importance and complexity of Kubernetes security, in August 2021 the U.S. Government published its Kubernetes Hardening Guidance to help Kubernetes users and developers build more secure, resilient systems. The document was developed by the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA). It targets cloud native systems used in national security contexts, but its guidance is practical and relevant to anyone running Kubernetes.

Teams will ultimately need to implement and enforce these recommendations themselves, but approaches such as Policy as Code can turn them into automated guardrails that check compliance continuously with minimal ongoing effort.

The NSA - CISA Recommendations

The recommendations from the NSA and CISA address three common sources of risk in cloud native applications:

  1. Supply chain risks – cloud native applications are built on top of third-party software: open source components, the systems used to build the application, Kubernetes itself, and the cloud resources on which the application runs. Without proper care, each of these expands the attack surface of the application.
  2. Malicious threat actors – national security systems are especially attractive targets, but every cluster should expect attackers and criminals looking for misconfigurations or vulnerabilities to exploit.
  3. Insider threats – not all breaches or security incidents involve malicious intent. Administrators, privileged users, and cloud service providers routinely hold privileged credentials that can be abused if they are exposed. Careful consideration of what these roles actually need lets you grant privileges that get the job done without exposing too much.

Full details are available in the original document, but recommendations include:

  • Scan containers and pods for vulnerabilities and misconfigurations during development, so that deployed artifacts are as robust as possible.
  • Run containers and pods with the minimum privileges they need to do their job. This limits the opportunity for abuse if they are compromised.
  • Plan the network architecture to leverage network separation. As with least privilege, this contains the damage possible after a container or pod has been compromised.
  • Use encrypted communication to protect confidentiality. Service meshes, for example, can simplify the rollout of mTLS between services.
  • Use firewalls to limit connectivity to and from the cluster.
  • Use strong authentication and authorization. Establishing trusted identities lets you control the attack surface through access controls and RBAC.
  • Use logs and log auditing. They not only let you detect suspicious events, they also provide the trigger for a quick response.
  • Regularly review settings, repositories, and deployed systems, using vulnerability scans to identify exposed risks and required updates across development pipelines, artifact repositories, containers, and pods.

Policy as Code Simplifies Compliance

Policy as Code expresses compliance policy as source code, so that compliance can be assessed programmatically throughout the lifecycle of the application. Accurics by Tenable delivers Policy as Code in a SaaS platform with integrations into every phase of that lifecycle. Complying with these new guidelines is as simple as enabling the NSA/CISA policies and letting the integrations assess compliance automatically in your existing development, deployment, and production processes. As the team goes about its normal work, the integrations validate compliance in the developer's IDE, check the guidelines when code or pull requests are committed to the repository and when container images are built or pushed to the image registry, and assess deployed containers and configurations at runtime.
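The following is an added illustration of what a policy-as-code check for several of the recommendations above looks like in practice (least-privilege pod settings, host namespace isolation, and a default-deny NetworkPolicy for network separation). It is example code written for this page, not Accurics or Tenable code and not the NSA/CISA document's own material. The two Pod manifests and the NetworkPolicy are constructed samples; the field names are standard Kubernetes fields, and the rule set is an assumption about which settings to enforce, chosen to match the guidance's themes rather than any particular product's rules.

```python
"""Minimal policy-as-code checker for Kubernetes Pod and NetworkPolicy manifests.

Hypothetical example written for this page (not Accurics/Tenable code).  Each
rule maps to one hardening recommendation: non-root containers, no privilege
escalation, no privileged containers, capabilities dropped, read-only root
filesystem, no shared host namespaces, and a default-deny NetworkPolicy.
"""
from typing import Any, Dict, List


def _containers(pod_spec: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Regular and init containers are checked alike."""
    return list(pod_spec.get("containers", [])) + list(pod_spec.get("initContainers", []))


def evaluate_pod(manifest: Dict[str, Any]) -> List[str]:
    """Return a list of findings for one Pod manifest; an empty list means it passes."""
    findings: List[str] = []
    spec = manifest.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    name = manifest.get("metadata", {}).get("name", "<unnamed>")

    # Host namespaces give a container visibility into (or control over) the node.
    for flag in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(flag):
            findings.append(f"{name}: {flag} is enabled (shares a host namespace)")

    for c in _containers(spec):
        cname = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        # Container-level securityContext overrides the pod-level one, so read with that precedence.
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if not run_as_non_root and run_as_user in (None, 0):
            findings.append(f"{name}/{cname}: may run as root (set runAsNonRoot: true or a non-zero runAsUser)")
        if sc.get("privileged"):
            findings.append(f"{name}/{cname}: privileged container")
        # Kubernetes defaults allowPrivilegeEscalation to true when it is unset, so unset is a finding.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}/{cname}: allowPrivilegeEscalation is not false")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}/{cname}: capabilities not dropped (expected drop: [ALL])")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}/{cname}: root filesystem is writable")
    return findings


def has_default_deny(policies: List[Dict[str, Any]]) -> bool:
    """True if some NetworkPolicy selects every pod (podSelector: {}) and declares
    both Ingress and Egress with no allow rules, i.e. a default-deny baseline."""
    for p in policies:
        spec = p.get("spec", {})
        if (spec.get("podSelector") == {}
                and {"Ingress", "Egress"} <= set(spec.get("policyTypes", []))
                and not spec.get("ingress") and not spec.get("egress")):
            return True
    return False


# Constructed sample manifests: a weak Pod, a hardened Pod, and a default-deny policy.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web-weak", "namespace": "prod"},
    "spec": {
        "hostNetwork": True,
        "containers": [{"name": "web", "image": "nginx",
                        "securityContext": {"privileged": True}}],
    },
}

HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web-hardened", "namespace": "prod"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "web", "image": "nginx:1.25.3",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}

DEFAULT_DENY = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "default-deny-all", "namespace": "prod"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        result = evaluate_pod(pod)
        print(pod["metadata"]["name"], "PASS" if not result else f"{len(result)} finding(s)")
        for line in result:
            print("  -", line)
    print("default deny present:", has_default_deny([DEFAULT_DENY]))
```

Wired into a CI job or an admission webhook, a checker of this shape fails the pull request or rejects the object instead of printing, which is the "guardrail" behaviour described above; the weak manifest produces six findings and the hardened one none.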

To take advantage of these new policies in your projects, please upgrade to release 2.1 today or schedule a free consultation and demo to discuss how Accurics by Tenable can help you achieve better security outcomes.
