Out-of the-Box Policies Simplify Container Compliance

Container compliance policies

One of the challenges organizations have in using cloud-native technologies is in figuring out how compliance requirements translate into actionable control points. Most regulations predate containers and serverless technologies and don’t have specific articles governing the use of such technologies.

We recently released Aqua 3.2, where we rolled out key compliance controls pre-configured as out-of-the-box templates in our runtime policy. These templates provide starting points that address specific regulatory requirements, which admins can further tweak as they see fit - but we save them the hassle of starting from scratch.

To achieve this, we mapped specific PCI-DSS, HIPAA, NIST and CIS requirements, translating them into actionable controls in the Aqua Runtime Policy. These compliance control sets are applied globally, across the board, to all containers, clusters, and nodes.

Container runtime policies

The compliance controls and the Aqua Runtime Policy as a whole, are part of Aqua’s defense in depth, which includes additional layers that can also be instrumental in achieving compliance. These include:

  • Image Assurance – Persistent controls to ensure image integrity throughout its lifecycle, and preventing unapproved or unvetted images from running
  • Image Profiles – Provides controls to define authorized image activities. These profiles apply to containers instantiated from a specific image
  • Container Firewall – Limits container communications to defined nano-segments based on application context
  • User Access Control – Fine-grained access control model to enforce access privileges at the container level, from development to production, including custom and predefined roles, such as cluster admin, auditor, developer, etc. 
  • Thin OS Host Controls – Scans hosts for vulnerabilities and malware, monitors logins, and failed logins
  • Extensive Audit Logs – Granular container-level event logs that provide visibility across all environments into container processes and policy violations

Container compliance policies

From requirements to prevention using regulatory controls

Following are some PCI-DSS standard-related controls (partial list) as they are translated into Aqua’s global runtime policy. Note that each template can be used as a starting point for further tweaking of the policy:  

PCI-DSS Requirement Aqua Runtime Policy (Partial list)
Network Controls
1.1.4
Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone

IP Reputation:
Enable detection/prevention of outbound communication from containers to IP addresses with bad reputations

Network Link:
Enable blocking of network connection between containers that are not linked or not running on the same network

1.2
Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment
1.2.1
Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic
1.3.4
Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet
Container Monitoring & Control

11.5
Deploy a change-detection mechanism (e.g. file-integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files, and configure the software to perform at least weekly critical file comparisons

 

2.2
Develop configuration standards for all system components. Ensure that these standards address all known security vulnerabilities, and are consistent with industry-accepted system hardening standards

Drift Prevention:  
Aqua uses a cryptographic digest of the image content across all layers to create a unique digital fingerprint. Images that do not match known fingerprints will be blocked from running, enforcing image integrity and preventing drift

Prevent Override Default Configurations:
This control prevents running containers that override default configuration, e.g. containers that are running without default seccomp profiles

CIS Controls:
Aqua supports CIS benchmarks (Docker and Kubernetes) for host hardening, providing compliance reports per host, and a comprehensive image vulnerability report. In addition, Aqua admin can review CIS compliance status using the Aqua Host CIS reports

Port Scanning Detection:
When this control is enabled, Aqua detects port scanning inside containers

Volumes Blacklist:
Admin can list volumes that cannot be mounted to containers

Container privileges limitation:
Admin can limit containers from running with excess privileges, e.g. access to host network, configured with ‘root’ user

Any violation of the policy automatically generates an alert and is blocked if the policy is in Enforce mode. These controls are out-of-the-box compliance runtime controls specifically developed to help you translate sometimes amorphic, general requirements into specific container controls. And because you define these policies at Aqua, if you plan on switching cloud providers, move from AWS to Azure or Google, or use a different platform, you can do this without the need to redefine your policies.

Download our container compliance guides for
NIST SP-800-190, 
HIPPA and 
PCI-DSS  

NIST container complianceHIPPA container compliance

PCI DSS container compliance

Compliance, Security Policy, serverless, Runtime Security

Related Posts

Subscribe to Email Updates

Filter by Topic

Show more...