SOC 2 Compliance for Containers and Kubernetes

If you handle customer data, chances are you’ve heard of SOC 2. Perhaps you’ve asked vendors for a SOC 2 report, or you have had to undergo an audit yourself.

Adopting cloud native technologies like containers and Kubernetes presents new compliance challenges with SOC 2. Because containers are ephemeral (containers can be stopped and destroyed, then rebuilt and replaced with an absolute minimum setup and configuration), it can be difficult to identify if you are compliant in the first place or when a container no longer complies.

Fairwinds Insights is software for monitoring, automating and enforcing Kubernetes best practices. Businesses use the security, compliance, and governance controls of Fairwinds Insights to address the SOC 2 scope specific to containers and Kubernetes. Fairwinds Insights provides multi-cluster visibility and policy enforcement, so you can manage SOC 2 compliance for Kubernetes from CI/CD all the way through to production. This enables you to implement controls early in the development process, not just in production — so you always know your latest compliance status.

Here are some examples of how Fairwinds Insights can help organizations with SOC 2.

CC 6.1: Logical access security software, infrastructure, and architectures over protected information assets to protect them from security events.

A component of CC 6.1 is focused on standardizing your infrastructure configuration.

With Fairwinds Insights, Kubernetes administrators can run multiple, automated vulnerability scanning tools to detect whether obvious security holes exist, and whether or not the cluster aligns with industry standards — like the CIS Kubernetes Benchmark .

In addition, policy controls can be built into Fairwinds Insights that apply guardrails to cluster configuration. By setting a policy, you can prevent containers from being deployed from untrusted sources. Fairwinds brings over 100+ out of the box checks around Kubernetes best practices, such as identifying containers running as privileged or as root. In addition, the software includes a pre-built library of custom checks to manage compliance and operational risk, such as requiring labels on deployments. This means containers with customer data moving to production won’t fall out of compliance.

CC 6.6: Logical access security measures to protect against threats from sources outside its system boundaries.

Part of CC 6.6 deals with vulnerability scanning of your infrastructure and application containers. Kubernetes is an open source technology, which means many of the packages and containers that run core Kubernetes workloads may introduce known vulnerabilities. Having a process for inspecting these containers to inventory risk becomes a critical part of achieving SOC 2 compliance.

Fairwinds Insights delivers runtime container scanning, as well as integrations in the CI/CD process. Tracking known vulnerabilities in containers is an essential piece of managing SOC 2 compliance, and these two layers enable organizations to easily establish a vulnerability management program to fulfill SOC 2 requirements. Fairwinds Insights goes a step further by prioritizing findings by severity, giving important guidance to developers and compliance teams around where to focus efforts first.

CC 6.8: Controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives.

Monitoring for malicious software and changes to infrastructure is a key part of CC 6.8. In the case of Kubernetes, this includes activities like monitoring who has access to the cluster, locking down RBAC and network policies, as well as leveraging deployment policies to prevent containers from running from untrusted sources.

Fairwinds Insights can help solve pieces of CC 6.8 with runtime container scanning and continuous monitoring of RBAC settings. With RBAC specifically, Fairwinds Insights will identify profiles that may be overly permissive, such as those with the ability to view secrets or escalate permissions. In addition, you can prevent containers from running from untrusted sources by maintaining an “allow list” of trusted registries through customizable policies.

CC 7.1: Detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.

Fairwinds Insights can help you implement a number of specific controls for CC 7.1, including areas like configuration auditing and vulnerability management. At its core, Fairwinds Insights provides vulnerability management capabilities for tracking configuration weaknesses and CVEs from a single control plane. The software provides an audit trail into when issues were first/last seen, and whether they have been resolved or mitigated by the service owner.

Open Policy Agent (OPA) policies enable you to define configuration standards so you can prevent misconfigurations from propagating into production. Fairwinds provides several of these policies out-of-the-box, such as denying deployments with privilege escalation enabled. While Fairwinds defaults to sensible best practices, policies can be customized to fit your organizational needs or allowed exceptions.

Like with other control criteria, Fairwinds integrates container vulnerability scanning in the runtime environment and in CI/CD. Additionally, Fairwinds can run other tools that look for configuration and vulnerability-related issues within the cluster itself.

CC 7.2: Monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity’s ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.

CC 7.2 is focused on continuous monitoring of the system to ensure any anomalous activity or behavior is surfaced up. With Fairwinds Insights, configuration and vulnerability information is monitored continuously in the cluster, and alerts are sent to downstream systems when new findings are discovered.

Findings can be tracked in the software, with audit trail notes and resolutions saved for future referenceability.

Fairwinds — The Kubernetes Enablement Company | Editor of uptime 99