Container Security: Compliance with NeuVector by SUSE | SUSE Communities

Compliance is top-of-mind for most organizations. Maintaining compliance in container environments is a new challenge that requires special consideration. NeuVector can help you navigate the maze of compliance regulations and ensure that you meet or exceed expectations for common standards like PCI-DSS, HIPAA, and GDPR.

The NeuVector Solution

The NeuVector Container Security Platform provides supply chain security and runtime security with zero trust controls for container-based deployments. This enables organizations to protect sensitive data and demonstrate compliance efforts to regulators. Implementing Data Loss Prevention (DLP) systems that monitor both internet-bound and internal data communications from containers dramatically reduces the risk of a breach. NeuVector uses deep packet inspection (DPI) to inspect the network payload of container communications, and built-in and custom DLP sensors can be enabled to detect potential policy violations, with alerts and visualization.

Applying a defense-in-depth plan with NeuVector as the foundation, covering end-to-end vulnerability management, configuration auditing through CIS Benchmarks, and container DLP protection in Kubernetes environments, provides the peace of mind that comes with full visibility into the presence and security of sensitive data, along with the capabilities required to verify and maintain compliance.

NeuVector is uniquely positioned to help organizations enforce major compliance standards.

  • End-to-end vulnerability scanning in the CI/CD pipeline and into production.
  • A vulnerability and compliance management tool to identify and remediate the most critical risks.
  • Configuration auditing and compliance with standards based on CIS Benchmarks and custom checks to prevent misconfigurations of container infrastructures.
  • Unique network segmentation and container firewall technology to detect threats, block attacks, and capture forensic network data.
  • Pre-configured compliance templates to identify issues and generate audit reports.

PCI

Enterprises seeking to leverage containers and microservices in compliance with the Payment Card Industry Data Security Standard (PCI DSS) will find some advantageous synergies between the regulations and the technologies – but also some aspects that require particularly careful attention.

Container environments raise PCI DSS compliance challenges in the areas of monitoring, establishing security controls, and limiting the scope of the Cardholder Data Environment (CDE) with network segmentation. Because of containers’ ephemeral nature – spinning up and down quickly and dynamically, and often only existing for a number of minutes – monitoring and security solutions must be active in real-time and able to automatically respond to rapidly transforming attacks.

Because most container traffic is internal “east-west” communication between containers, traditional firewalls and security systems designed to vet north-south traffic are blind to threats that may escalate within the container environment. The use of containers can also expand the CDE, requiring critical protections for the entire microservices environment unless its scope is limited by a container firewall, like NeuVector's, that can fully visualize and tightly control it.

HIPAA

Healthcare organizations under the purview of HIPAA regulations realize that demonstrable security is crucial to avoid regulatory action, steep fines, and reputational harm. But Kubernetes and containerized environments raise new questions about compliance-focused security processes.

Data breaches typically use the network to gain entry, expand, and ultimately steal data. But how can this suspicious activity be detected in a container network? The answer lies in network-based container segmentation and DLP strategies. Getting this right enables healthcare organizations to protect their new Kubernetes environments in accordance with HIPAA mandates.

Protecting sensitive data always starts with best practices for vulnerability management and configuration auditing. But in a production environment, protecting containers from exploits and data breaches requires cloud-native network security designed to protect the Kubernetes network. This is where NeuVector adds additional value.

With a container DLP strategy, healthcare firms can introduce the detection capabilities and security policy enforcement needed to identify potential exposures of PHI data and prevent data breaches, both malicious and accidental.

GDPR

For organizations with modern cloud-native deployments including containers and Kubernetes, GDPR can be confusing for both security and compliance teams. While GDPR contains many provisions which are outside the scope of cyber security teams, its basic data protection and breach reporting requirements directly impact cyber security efforts.

GDPR compliance for cyber security teams really means implementing best practices for defense in depth. In a containerized Kubernetes environment, there are new practices as well as modifications of traditional ones required to protect GDPR data. Security teams must be able to demonstrate that they use state-of-the-art technical controls to prevent breaches. After a breach, this reporting would include segmentation (firewall) rules, forensic data, vulnerability scan results, and documented processes to monitor and log access to all systems. In NeuVector, the firewall, process, and file rules can be shown in the console or in version-controlled NeuVector CRD YAML files, which are used to implement ‘Security as Code.’

Security teams can also demonstrate how unauthorized connections are detected, blocked, logged, alerted on, and packet captured in NeuVector. You can monitor all channels for data breaches, including file shares, social networks, web applications, gateways, API services, and blogs. In a container environment, especially where public cloud, hybrid cloud, and multi-cluster architectures are used, even east-west (internal) traffic needs to be monitored, because the data center edge is blurred (or no longer exists) in modern IT environments.
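As an added example (not from the original post or from NeuVector's own documentation), here is what one of the version-controlled CRD files referred to in the two paragraphs above can look like: a single NvSecurityRule for a hypothetical `payment-api` service in a `payments` namespace that allows only HTTP ingress from a `web-frontend` group, allows only PostgreSQL egress to `payment-db`, allow-lists the service process, blocks writes to the application directory, and attaches a DLP sensor. All service and namespace names are constructed, the sensor name is assumed, and the field names follow the NvSecurityRule schema as I recall it from NeuVector's CRD documentation, so verify them against the NeuVector version you deploy before applying.

```yaml
# Added example, not from the original post: a NeuVector NvSecurityRule
# for a hypothetical "payment-api" service in namespace "payments".
# Field names follow the NvSecurityRule schema as documented for
# NeuVector; confirm against your deployed version. Names are constructed.
apiVersion: neuvector.com/v1
kind: NvSecurityRule
metadata:
  name: payment-api
  namespace: payments
spec:
  # Protect mode: network, process and file activity not explicitly
  # allowed below is blocked and logged (Monitor mode would only alert).
  policymode: Protect
  target:
    selector:
      name: nv.payment-api.payments
      criteria:
        - key: service
          op: =
          value: payment-api.payments
        - key: domain
          op: =
          value: payments
  # Segmentation: only the web front-end may reach this service, and only
  # with HTTP on TCP/8080. All other east-west traffic is denied.
  ingress:
    - name: nv.web-frontend.payments-ingress-0
      action: allow
      applications:
        - HTTP
      ports: tcp/8080
      selector:
        name: nv.web-frontend.payments
        criteria:
          - key: service
            op: =
            value: web-frontend.payments
          - key: domain
            op: =
            value: payments
  # Egress: the database only; no direct internet-bound connections,
  # which keeps the CDE scope small and auditable.
  egress:
    - name: nv.payment-db.payments-egress-0
      action: allow
      applications:
        - PostgreSQL
      ports: tcp/5432
      selector:
        name: nv.payment-db.payments
        criteria:
          - key: service
            op: =
            value: payment-db.payments
          - key: domain
            op: =
            value: payments
  # Process allow-list: the service binary runs; an interactive shell
  # spawned anywhere in the container is denied and logged.
  process:
    - name: payment-api
      path: /app/payment-api
      action: allow
    - name: sh
      path: "*"
      action: deny
  # File protection: block modification of the application directory.
  file:
    - filter: /app/*
      behavior: block_access
      recursive: true
  # DLP: attach a sensor (assumed name of the built-in credit card sensor)
  # so payloads carrying card numbers raise an alert.
  dlp:
    status: true
    settings:
      - name: sensor.creditcard
        action: alert
```

Keeping a file like this in Git gives auditors exactly the artifacts the GDPR paragraph lists: the segmentation rules and the process and file controls are the reviewed, versioned source of truth, and the Protect mode setting is what turns a detected violation into a blocked and logged one.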

NeuVector: Full Lifecycle Cloud Container Security Platform

NeuVector is the only 100% open source, Zero Trust container security platform. Continuously scan throughout the container lifecycle, remove security roadblocks, and bake in security policies at the start to maximize developer agility. Get started on Kubernetes security by getting NeuVector on GitHub.

Glen Kosaka
Glen is head of product security at SUSE. Glen has more than 20 years of experience in enterprise security, marketing SaaS and infrastructure software. He has held executive management positions at NeuVector, Trend Micro, Provilla, Reactivity, Resonate, Quantum and Rignite.