Enforcing Cloud-Native Security With CIS Benchmarks for K8s Using PaC

There is a rapid growth in the adoption of cloud-native technology. According to Techjury, 61% of organizations migrated their workloads to the cloud in 2020. The cloud infrastructure market is projected to grow by $461 billion by the last quarter of 2025 - 17.5% Compound Annual Growth Rate (CAGR).

Organizations prefer the cloud-native infrastructure to the traditional option given the many benefits of the former. It improves the agility and elasticity of business using container technology, microservices, DevOps tools, and third-party solutions to optimize and accelerate the development and deployment of applications.

Even though the cloud-native architecture is widely embraced by enterprises around the world, security is still a major challenge when dealing with Kubernetes clusters. For every organization, improving Kubernetes security is a top priority. The State of Containers and Kubernetes Security Report in 2020 by StackRox reveals that security incidents are high and close to 50% of respondents have delayed operations due to security concerns.

Consequently, you can approach Kubernetes security from diverse angles. One of these security reinforcement approaches is implementing CIS benchmarks for Kubernetes. Let’s take a look at what CIS Benchmark is and how it can enable you to enforce cloud-native security using policy-as-code.

What is CIS Benchmark?

Center for Internet Security (CIS) Benchmark is a set of security best practices for setting up IT systems, software, networks, and cloud infrastructure with maximum security. The Benchmarks are published by the Center for Internet Security (CIS) and there are over 140 CIS Benchmarks, covering seven major technology categories - spelling out detailed security best practices for each.

These sets of security best practices are put together by groups of cybersecurity professionals and industry experts across the globe. They, through consensus-based processes, set these standards and every contributor continues to identify, refine, and validate cybersecurity procedures under their areas of expertise.

Why is it Important?

Due to the rise in Kubernetes security incidents, there is a need for regularly updated, comprehensive best practices for securing every part of the cloud infrastructure. That said, here’re the benefits of CIS Benchmarks:

1- Current Guidelines

The cloud service environments are rapidly evolving and so are malicious cyber actors who ceaselessly scour the cloud for vulnerabilities. Setting up Kubernetes clusters using updated benchmarks helps organizations tighten up potential loopholes and avoid other configuration mistakes that could leave their systems vulnerable.

2- Reduction in Attack Surface

Implementing CIS Benchmarks enhances the overall security framework within the cloud investments of enterprises and significantly minimizes the attack surface of the containers and Kubernetes clusters. This is because the best practices outlined in CIS Benchmarks raise the bar for security professionals and enable them to reduce the number of vulnerabilities - via proper configurations.

3- Improved Monitoring and Reporting

With the benchmarks, IT professionals can develop ongoing monitoring and reporting strategy for implementing cloud solutions and compliance assessments. It enables different IT teams (within the same organization) to adopt unique security best practices to suit their internal requirements for secure Kubernetes deployments.

4- Recommendations of Global Community of IT and Cybersecurity Experts

CIS Benchmarks result from the contributions of industry leaders and experts in various fields of cyber security. Implementing these recommendations entails tapping into the knowledge and experience of the community of IT and cybersecurity experts which wouldn’t be available to every organization ordinarily.

5- Enhanced Operational Efficiency

The CIS recommendations make deploying configurations easy and sustainable for security professionals. Even for organizations with robust Kubernetes security guidelines, using CIS Benchmark as a reference or secondary guideline can help them optimize their cloud security procedures - leading to improved operational efficiency. 

CIS Kubernetes Benchmarks

The CIS Kubernetes Benchmarks are a set of recommendations for configuring Kubernetes to ensure high-security standards. The recommendations are consensus-based, best-practice security configuration guides that are widely accepted by the government, business, academia, and industry. The CIS Kubernetes Benchmarks Covers the Following:

1- Control Plane Components

This part of CIS Kubernetes Benchmarks provides recommendations for the direct configuration of Kubernetes control plane processes - including the API Server, etc, and Container Network Interface (CNN). You may not directly apply these recommendations to cluster operators in environments where the components are taken care of by a third party The recommendations apply to the following:

• Master Node Configuration Files: 21 recommendations.
• API Server: 35 recommendations.
• Controller Manager: 7 recommendations.
• Scheduler: 2 recommendations.

2- etcd

This section covers recommendations for etcd configuration. The recommendations include:

• Set the --cert-file and --key-file arguments to appropriate.
• Set the --client-cert-auth argument to true.
• Make sure the --auto-tls argument is not set to true.
• Make sure the --peer-cert-file and --peer-key-file arguments are set as appropriate.
• Configure --peer-client-cert-auth argument as true.
• Configure --peer-auto-tls argument as true.
• Use a unique Certificate Authority for etcd.

3- Control Plane Configuration

This section deals with recommendations for cluster-wide areas, like authentication and logging. It is different from section 1 because the recommendations apply to all deployments. It covers the following:

• Authentication and Authorization.

• Make sure client certificate authentication is not used for users.

• Logging.

• Ensure that a minimal audit policy is created.
• Make sure the audit policy covers key security concerns.

4- Worker Nodes

Here, there are recommendations for the components that run on Kubernetes worker nodes. They also apply to master nodes in cases where the master nodes make use of these components. The recommendations covers:

• Worker Node Configuration Files: 10 recommendations.
• Kubelet: 13 recommendations.

5- Policies

The policies section features recommendations for various Kubernetes policies which are crucial to the security of the environment. The recommendations include:

• RBAC and Service Accounts: 6 recommendations.
• Pod Security Policies: 9 recommendations.
• Network Policies and CNI: 2 recommendations.
• Secretes Management: 2 recommendations.
• Extensible Admission Control: 1 recommendation.
• General Policies: 4 recommendations.

Implementing CIS Kubernetes Benchmarks Using Policy-as-Code

Policy-as-code is the concept of writing code in a high-level language for controlling, managing, and automating policies. This software development approach helps organizations to implement development best practices, like version control, automated testing, and automated deployment. Since best practices are automated, the chances of developing solutions using non-conforming resources are low.

Implementing CIS Kubernetes Benchmarks using the policy-as-code development approach will further reinforce the security best practices and help enterprises to adopt security postures that are difficult to compromise. Policy-as-Code helps to automate the deployment of CIS recommendations. 

Benefits of implementing CIS Kubernetes Benchmarks using policy-as-code are:

1- Minimal Human Errors: One major benefit of automated deployment of best practices is that human errors will be significantly reduced, thereby minimizing the risks of security breaches due to misconfigurations.

2- Time-Saving: CIS Benchmarks are massive; consequently, it’s time-consuming to implement. The latest version of the CIS recommendations has about 271 pages. Automating these checks goes a long way in saving time.

3- Easy Monitoring and Reporting: With policy-as-code, you can automatically check your infrastructure against the settings and controls outlined in the CIS Benchmarks to identify insecure configurations.

4- Improved Security: Acts as a good starting point to ensure best security practices are applied to Kubernetes, including implementing network policies, role-based access control (RBAC) settings, admin privileges, among many more.

Conclusion

CIS Kubernetes Benchmark is a reliable document used by thousands of organizations to harden their security posture and reduce Kubernetes security incidents. Each CIS Benchmark is thoroughly reviewed before and after publishing by subject matter experts who offer perspectives from diverse backgrounds including technology, government, and legal system.

Here at Magalix, CIS Benchmarks have been adopted as a standard. We’ve created CIS Benchmark controls to Magalix Policies so that you can sort, filter, and group by CIS recommendations. You can compare your cloud asset’s security posture with the CIS Benchmark (alongside existing standards) to see where adjustments are necessary. Try our CIS Benchmarks Policy Pack for free to explore this new update.