Don’t let Kubernetes break your SOC2 compliance

Overview

It was said “The world’s most valuable resource is no longer oil, but data.”  Whether this is true or not, data breaches remain one of the top security challenges for modern enterprises . One recent example that shook security professionals is the SolarWinds attack that impacted FireEye and the US Government.: “SolarWinds Supply Chain Attack Led to FireEye, U.S. Government Breaches” 

NeuVector provides enterprise grade security solutions for new cloud infrastructures including platforms like container, Kubernetes, serverless, and more,.  New platforms generate new security risks.  Let’s look at the unique challenges of data protection in Kubernetes production environments, including SOC2 compliance. 

• Kubernetes data protection problems

Financial technology companies and financial services companies are rapidly adopting micro-service architectures to deliver scale, high availability, and cost-savings. This approach makes sense, especially for seasonal business applications. Onceapplications are containerized, customers select one or more Kubernetes platforms from AWS EKS, Microsoft AKS, Google GKE, IBM IKS, OpenShift, VMWare Tanzu or Suse’s Rancher for example.  However, an unexpected problem arose: the Kubernetes-based workloads failed  SOC 2 audits, specifically  DLP audits. The first big hurdle before  production,SOC 2, is a must pass check for any containerized applications which will access PII/sensitive information.  

• SOC 2 compliance requirement

Service Organizational Control (SOC) 2 is an auditing procedure that ensures your service providers (applications) securely manage your data to protect the interests of your organization and the privacy of its clients. For security-conscious businesses, SOC 2 compliance is a minimal requirement when considering a SaaS provider.  SOC 2  compliance is mandatory for all engaged, technology-based service organizations that store client information in the cloud. Such businesses include those that provide SaaS and other cloud services while also using the cloud to store each respective, engaged client’s information. 

SOC 2 audits review the controls relevant to the following five trust service principles, or criteria, as outlined by the AICPA: 

• Security 
• Availability 
• Processing integrity 
• Confidentiality 
• Privacy 

Security is the only criteria required by the AICPA for SOC 2 audits. The other four are optional. It requires that information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage that could compromise the availability, integrity, confidentiality, and privacy of that information or those systems. 

• What is the best approach?

Can any open source technologies or tools help achieve SOC 2 compliance? Unfortunately the answer is no.  Kubernetes itself was designed as an open platform which itself needs to be hardened, tuned and managed. Kubernetes network plugins and service meshes were designed to route low level network traffic.  but they do not have good enough visibility to application and its data.  They can encrypt  traffic, but not protect an application and its data.  Additionally, the Kubernetes platform and its components create new attack surfaces that need to be protected. The recent Kubernetes man-in-the-middle network security issue proves this inherent risk.  Traditional security solutions focus on monitoring  access to gateways and from edges,  but have no visibility into data accessed or stored in the Cloud. Existing DLP solutions cannot see  inside Kubernetes clusters. Security response vendors collect logs and data after a breach,  but cannot provide real-time data protection.  Cloud platforms do provide logging and encryption capabilities, but their shared responsibility model clearly indicates that customers are responsible for protecting their data. 

This security gap brings many customers to NeuVector. As the only Kubernetes DLP solution in the market today, NeuVector helps global enterprises  pass different levels of compliance regulation auditing like GDPR, PCI, HIPPA, NIST and SOC 2.  One fintech customer proclaimed: “NeuVector’s solution is directly hitting my needs!” 

Here’s how we do it:  

• NeuVector and SOC 2 Compliance Let’s look into the details of a SOC 2 auditing requirements. The goal of the regulation is to ensure that acompany has an information security program in effect to protect the Information it receives, processes, transfers, transmits, stores, delivers, and/or otherwise accesses, known as an “Information Security Program.”  NeuVector addresses all the key requirements of SOC 2 to enable our customers to exceed the SOC 2 standard. 

1. Confidentiality and File Integrity Monitoring. 

NeuVector’s process & file system rules will monitor data creation, transformation, use and storage while it flows inside of Kubernetes clusters.  

2. Data Loss Protection 

NeuVector’s patented Data Loss Protection (DLP) functions identify, monitor and protect data in useand data in motion (e.g. network actions). The built-in secret scanning features and its customizable extensions can help inspect data at rest. 

3. Network Security 

NeuVector delivers deep network visibility into Kubernetes clusters, not just at the IP address level. NeuVector safeguards the confidentiality and integrity of all data being transmitted over any form of data network,  enforces ingress and egress controls on Kubernetes clusters, and exceeds industry best practices for securing  Kubernetes environments. 

4. Intrusion Prevention, Systems & Malware defense 

NeuVector has built in threat detection functions which  cover application level network threats like DNS tunneling, SQL injections and more. NeuVector’s policies will lock down behaviors (network, file system, and process)  on any containers and pods and prevent malicious activities. These multiple layers of protection deliver the most effective solution to address both known and unknown attacks. 

5. Vulnerability Management 

NeuVector’s vulnerability management functions scan containers in the CI/CD pipeline, registry and at runtime. Admission control features further enforce security at deployment time. 

6. Incident Response, Logging and Monitoring 

NeuVector’s response rule can be defined to automate  incident response. SIEM integration and webhooks are popular mechanisms for response and recovery as well. NeuVector captures raw data on any sensitive data that was captured by NeuVector DLP.  All Kubernetes security events and logs can be reported and then centrally managed by a global SIEM system with encryption enabled. 

7. Segregation of Duties and environments, Identification, Authentication and Authorization 

NeuVector supports RBAC integration and customizable access control, which limits access to the console. For application workloads, application layer auto-segmentation will separate networks from different workloads, minimizing the possibility of accidental or deliberate compromise of information. 

8. Security system development 

NeuVector follows or provides functions to help customers with more common security practices including user passwords and accounts, secure system development, encryption and PKI etc.  NeuVector’s unique security automation capabilities  like security policy as code streamline the integration of security into the full lifecycle of containerized workloads. 

• Summary

When Kubernetes and container workloads move to production, these applications and their data are the most important digital assets for any business. You cannot rely solely on Kubernetes Network Policies or your cloud provider.  In order to maintain security and achieve compliance, you need the extra layer of protection that NeuVector provides. Financial services companies, and those in other highly regulated industries, turn to NeuVector for the Kubernetes Data Loss Prevention capabilities required to keep their customer information secure and their business audit-ready at all times.