Out-of-the-Box Policies Simplify Container Compliance

One of the challenges organizations have in using cloud native technologies is in figuring out how compliance requirements translate into actionable control points. Most regulations predate containers and serverless technologies and don’t have specific articles governing the use of such technologies.

We recently released Aqua 3.2, where we rolled out key compliance controls pre-configured as out-of-the-box templates in our runtime policy. These templates provide starting points that address specific regulatory requirements, which admins can further tweak as they see fit – but we save them the hassle of starting from scratch.

To achieve this, we mapped specific PCI-DSS, HIPAA, NIST and CIS requirements, translating them into actionable controls in the Aqua Runtime Policy. These compliance control sets are applied globally, across the board, to all containers, clusters, and nodes.

Container runtime policies

The compliance controls, and the Aqua Runtime Policy as a whole, are part of Aqua’s defense in depth, which includes additional layers that can also help in achieving compliance. These include:

  • Image Assurance – Persistent controls that ensure image integrity throughout the image lifecycle and prevent unapproved or unvetted images from running
  • Image Profiles – Controls that define authorized image activities. These profiles apply to containers instantiated from a specific image
  • Container Firewall – Limits container communications to defined nano-segments based on application context
  • User Access Control – Fine-grained access control model that enforces access privileges at the container level, from development to production, including custom and predefined roles such as cluster admin, auditor and developer
  • Thin OS Host Controls – Scans hosts for vulnerabilities and malware, and monitors logins and failed logins
  • Extensive Audit Logs – Granular container-level event logs that provide visibility across all environments into container processes and policy violations

Container compliance policies

From requirements to prevention using regulatory controls

The following are some PCI-DSS standard-related controls (partial list) as they are translated into Aqua’s global runtime policy. Note that each template can be used as a starting point for further tweaking of the policy:

PCI-DSS Requirement → Aqua Runtime Policy (partial list)

Network Controls

PCI-DSS requirements:
  • 1.1.4 – Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone
  • 1.2 – Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment
  • 1.2.1 – Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic
  • 1.3.4 – Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet

Aqua Runtime Policy controls:
  • IP Reputation – Enable detection/prevention of outbound communication from containers to IP addresses with bad reputations
  • Network Link – Enable blocking of network connections between containers that are not linked or not running on the same network

Container Monitoring & Control

PCI-DSS requirements:
  • 11.5 – Deploy a change-detection mechanism (e.g. file-integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files, and configure the software to perform at least weekly critical file comparisons
  • 2.2 – Develop configuration standards for all system components. Ensure that these standards address all known security vulnerabilities, and are consistent with industry-accepted system hardening standards

Aqua Runtime Policy controls:
  • Drift Prevention – Aqua uses a cryptographic digest of the image content across all layers to create a unique digital fingerprint. Images that do not match known fingerprints will be blocked from running, enforcing image integrity and preventing drift
  • Prevent Override Default Configurations – This control prevents running containers that override default configuration, e.g. containers that are running without default seccomp profiles
  • CIS Controls – Aqua supports CIS benchmarks (Docker and Kubernetes) for host hardening, providing compliance reports per host and a comprehensive image vulnerability report. In addition, an Aqua admin can review CIS compliance status using the Aqua Host CIS reports
  • Port Scanning Detection – When this control is enabled, Aqua detects port scanning inside containers
  • Volumes Blacklist – Admins can list volumes that cannot be mounted into containers
  • Container Privileges Limitation – Admins can limit containers from running with excess privileges, e.g. access to the host network, or configured with the ‘root’ user

Any violation of the policy automatically generates an alert and is blocked if the policy is in Enforce mode. These controls are out-of-the-box compliance runtime controls specifically developed to help you translate sometimes amorphous, general requirements into specific container controls. And because you define these policies in Aqua, if you plan on switching cloud providers, moving from AWS to Azure or Google, or using a different platform, you can do so without the need to redefine your policies.
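To make the alert-versus-block behaviour concrete, here is an added example (written for this article, not Aqua's own code) that evaluates a constructed container spec against simplified versions of the Drift Prevention, Prevent Override Default Configurations, Volumes Blacklist and Container Privileges Limitation controls from the table above. The fingerprint scheme, the spec format and all sample values are assumptions chosen for illustration.

```python
import hashlib

# Constructed layer digests for an approved image, recorded when it was scanned.
APPROVED_LAYERS = ["sha256:aaa111", "sha256:bbb222", "sha256:ccc333"]

def image_fingerprint(layer_digests):
    """Fold the ordered layer digests into one fingerprint (assumed scheme)."""
    h = hashlib.sha256()
    for digest in layer_digests:
        h.update(digest.encode())
    return h.hexdigest()

# Constructed policy mirroring the controls described in the table.
POLICY = {
    "mode": "enforce",                       # "enforce" blocks, "audit" only alerts
    "known_fingerprints": {image_fingerprint(APPROVED_LAYERS)},
    "volume_blacklist": {"/var/run/docker.sock", "/etc"},
}

def evaluate(container, policy):
    """Return the list of controls a container spec (constructed format) violates."""
    violations = []
    # Drift prevention: image content must match a known fingerprint.
    if image_fingerprint(container["layers"]) not in policy["known_fingerprints"]:
        violations.append("drift_prevention: image fingerprint not recognized")
    # Prevent override of default configuration (e.g. seccomp disabled).
    if container.get("seccomp") == "unconfined":
        violations.append("default_config_override: seccomp profile disabled")
    # Volumes blacklist: none of the listed volumes may be mounted.
    for vol in container.get("volumes", []):
        if vol in policy["volume_blacklist"]:
            violations.append(f"volume_blacklist: {vol}")
    # Container privileges limitation: host network namespace, root user.
    if container.get("network_mode") == "host":
        violations.append("privileges: host network namespace")
    if container.get("user", "root") in ("root", "0"):   # unset user means root
        violations.append("privileges: running as root")
    return violations

def decide(container, policy):
    """Map violations to the outcome: allow, alert (audit mode) or block (enforce mode)."""
    violations = evaluate(container, policy)
    if not violations:
        return "allow", violations
    return ("block" if policy["mode"] == "enforce" else "alert"), violations

# Constructed container spec: approved image, but several privileged settings.
SAMPLE = {"layers": APPROVED_LAYERS, "seccomp": "unconfined", "user": "root",
          "network_mode": "host", "volumes": ["/var/run/docker.sock"]}
```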

Download our container compliance guides for NIST SP-800-190, HIPAA and PCI-DSS.


Rani Osnat
Rani is the SVP of Strategy at Aqua. Rani has worked in enterprise software companies for more than 25 years, spanning project management, product management and marketing, including a decade as VP of marketing for innovative startups in the cyber-security and cloud arenas. Previously, Rani was a management consultant in the London office of Booz & Co. He holds an MBA from INSEAD in Fontainebleau, France. Rani is an avid wine geek, and a slightly less avid painter and electronic music composer.