Out-of the-Box Policies Simplify Container Compliance
One of the challenges organizations have in using cloud-native technologies is in figuring out how compliance requirements translate into actionable control points. Most regulations predate containers and serverless technologies and don’t have specific articles governing the use of such technologies.
We recently released Aqua 3.2, where we rolled out key compliance controls pre-configured as out-of-the-box templates in our runtime policy. These templates provide starting points that address specific regulatory requirements, which admins can further tweak as they see fit - but we save them the hassle of starting from scratch.
To achieve this, we mapped specific PCI-DSS, HIPAA, NIST and CIS requirements, translating them into actionable controls in the Aqua Runtime Policy. These compliance control sets are applied globally, across the board, to all containers, clusters, and nodes.
The compliance controls and the Aqua Runtime Policy as a whole, are part of Aqua’s defense in depth, which includes additional layers that can also be instrumental in achieving compliance. These include:
- Image Assurance – Persistent controls to ensure image integrity throughout its lifecycle, and preventing unapproved or unvetted images from running
- Image Profiles – Provides controls to define authorized image activities. These profiles apply to containers instantiated from a specific image
- Container Firewall – Limits container communications to defined nano-segments based on application context
- User Access Control – Fine-grained access control model to enforce access privileges at the container level, from development to production, including custom and predefined roles, such as cluster admin, auditor, developer, etc.
- Thin OS Host Controls – Scans hosts for vulnerabilities and malware, monitors logins, and failed logins
- Extensive Audit Logs – Granular container-level event logs that provide visibility across all environments into container processes and policy violations
From requirements to prevention using regulatory controls
Following are some PCI-DSS standard-related controls (partial list) as they are translated into Aqua’s global runtime policy. Note that each template can be used as a starting point for further tweaking of the policy:
|PCI-DSS Requirement||Aqua Runtime Policy (Partial list)|
Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone
Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment
Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic
Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet
|Container Monitoring & Control|
Prevent Override Default Configurations:
Container privileges limitation:
Any violation of the policy automatically generates an alert and is blocked if the policy is in Enforce mode. These controls are out-of-the-box compliance runtime controls specifically developed to help you translate sometimes amorphic, general requirements into specific container controls. And because you define these policies at Aqua, if you plan on switching cloud providers, move from AWS to Azure or Google, or use a different platform, you can do this without the need to redefine your policies.
Download our container compliance guides for
NIST SP-800-190, HIPPA and PCI-DSS