Bridging the gap between Security, Compliance and DevOps teams can be a challenging cultural shift to address. DevOps teams are eager to get software out faster and more efficiently, yet security best practices, like policy-as-code, need to be integrated from the outset to streamline the development process in this new cloud-native world.
It has been well-documented that migrating from monolithic applications to microservices can have a significant impact on aligning software systems to organizational communication lines, but breaking applications into discrete, modular containers also means that the industry needs to “rethink” security. Applying policy to stop attacks, prevent lateral movement, and only allow necessary access within modern containerized applications requires a new way of doing security because the concepts and technologies of the entire cloud-native ecosystem are themselves new.
Indeed, as enterprises shift to embrace cloud-native, they often find that securing their new containerized applications and achieving compliance can be a cumbersome and oftentimes manual effort. Additional layers of technical controls must be applied with careful consideration for all operational details to achieve (and prove!) compliance with internal or external regulations.
Styra DAS compliance packs
Styra created Open Policy Agent (OPA) and Styra Declarative Authorization Service (DAS) to protect modern applications and the infrastructure they run on. With the release of new Styra DAS compliance packs, including MITRE ATT&CK Framework and CIS Kubernetes Benchmarks, DevSecOps teams now have a turnkey solution to secure their containerized workloads, without spending time researching, identifying and implementing baseline policies. These two new packs incorporate best practices from the OPA community, and come in addition to the existing PCI DSS 3.2, Admission Control Best Practices and Kubernetes Pod Security Policies packs built into Styra DAS.
These compliance packs save teams time and resources by standardizing policy rules to meet regulatory requirements. That means you can deploy policy as code quickly and confidently, while providing visibility across DevOps, governance, audit or security teams—regardless of language, implementation style or technical ability.
With Styra DAS Compliance Packs, teams get:
Proven security policies abstracted into plain language and mapped to standards
Detailed logs, audit trail to prove compliance over time
One-click impact analysis to ensure that moving to a compliant state won’t break applications or infrastructure
Continuous monitoring of all decisions to feed a SIEM, SOC, etc.
MITRE ATT&CK Matrix for Kubernetes
Styra has mapped a set of OPA-based admission control policies for Kubernetes, packaged as a new policy pack, onto the cyber attack lifecycle described in the MITRE ATT&CK® Matrix for Enterprise, covering cloud-based techniques. These policies are organized around a ten-stage cyber attack lifecycle that describes the techniques attackers could use to infiltrate, compromise and steal data from within a Kubernetes cluster.
Example policies include:
Restrict images (compromised images in registry)
Reclaim set to retain (defense evasion)
All Priv/Root policies (privileged container)
Naming/Labeling (pod/container name similarity)
Ingress (initial access)
Egress (lateral movement/impact)
CIS Benchmarks for K8s
The CIS Benchmark for Kubernetes provides security recommendations for Kubernetes control plane configuration. These recommendations include best practices such as cluster hardening, network management, permissions control and more.
For teams that use CIS Benchmarks to help drive security efforts and minimize the risk of unforeseen configuration errors that could lead to exploitation or breach, Styra DAS now provides a collection of policies that address various CIS recommendations.
Example policies include:
Ensure that no container in any pod can enable privileged mode
Ensure pods may not use the node network namespace
Explicitly restrict the ranges of allowable ports in the host network namespace
Prohibit a container from creating a child process with more privileges than its parent
Ensure Pods drop all the Linux capabilities that are not required
Ensure that a container cannot be started in the Kubernetes ‘default’ namespace
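The two lists above (the MITRE ATT&CK pack's "Restrict images" policy and the CIS recommendations on privileged mode, the node network namespace, host port ranges, privilege escalation, dropped capabilities and the default namespace) are the kind of checks an OPA admission control policy expresses. The Rego below is an added illustration of how such checks look when written by hand; it is not Styra's compliance pack code. It assumes OPA is wired up as a validating admission webhook and receives a Kubernetes AdmissionReview object as `input`, and the registry name and host port range are constructed sample values, not anything the packs prescribe.

```rego
package kubernetes.admission

import future.keywords.contains
import future.keywords.if
import future.keywords.in

# Assumption: OPA runs as a validating admission webhook, so the admitted
# resource is at input.request.object. Only Pod resources are checked here.

# Constructed sample values: the single registry images may be pulled from,
# and the hostPort range a cluster operator has decided to tolerate.
allowed_registries := {"registry.example.internal"}

host_port_min := 8000

host_port_max := 8099

is_pod if input.request.kind.kind == "Pod"

# Every regular and init container of the admitted Pod.
containers contains c if {
	is_pod
	some c in input.request.object.spec.containers
}

containers contains c if {
	is_pod
	some c in input.request.object.spec.initContainers
}

# --- MITRE ATT&CK pack theme: restrict images to trusted registries ---------

image_from_allowed_registry(image) if {
	some reg in allowed_registries
	startswith(image, concat("", [reg, "/"]))
}

deny contains msg if {
	some c in containers
	not image_from_allowed_registry(c.image)
	msg := sprintf("container %q: image %q is not from an allowed registry", [c.name, c.image])
}

# --- CIS Benchmark recommendations ------------------------------------------

# No container in the Pod may enable privileged mode.
deny contains msg if {
	some c in containers
	c.securityContext.privileged == true
	msg := sprintf("container %q: privileged mode is not allowed", [c.name])
}

# Pods may not share the node's network namespace.
deny contains msg if {
	is_pod
	input.request.object.spec.hostNetwork == true
	msg := "pod requests hostNetwork"
}

# Any hostPort that is set must fall inside the tolerated range.
deny contains msg if {
	some c in containers
	some p in c.ports
	is_number(p.hostPort)
	not within_host_port_range(p.hostPort)
	msg := sprintf("container %q: hostPort %d is outside %d-%d", [c.name, p.hostPort, host_port_min, host_port_max])
}

within_host_port_range(port) if {
	port >= host_port_min
	port <= host_port_max
}

# A child process may not gain more privileges than its parent: the field has
# to be explicitly false; an unset value is not treated as compliant.
deny contains msg if {
	some c in containers
	not c.securityContext.allowPrivilegeEscalation == false
	msg := sprintf("container %q: allowPrivilegeEscalation must be set to false", [c.name])
}

# Every container must drop all Linux capabilities it does not explicitly add back.
deny contains msg if {
	some c in containers
	not "ALL" in c.securityContext.capabilities.drop
	msg := sprintf("container %q: securityContext.capabilities.drop must include ALL", [c.name])
}

# Workloads may not be created in the cluster's default namespace.
deny contains msg if {
	is_pod
	input.request.namespace == "default"
	msg := "pods may not be created in the default namespace"
}
```

Each `deny` rule contributes one message to the set `data.kubernetes.admission.deny`; the webhook rejects the request when that set is non-empty and returns the messages to the caller, which is also what gives the audit trail mentioned earlier something concrete to record. The policy can be exercised offline against a saved AdmissionReview JSON file with `opa eval -i review.json -d policy.rego "data.kubernetes.admission.deny"` before it is enforced, which is the manual equivalent of the impact analysis the packs describe. Init containers are deliberately included, since a check that only looked at `spec.containers` would miss a privileged init container entirely.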
Why Policy Packs for OPA?
Styra DAS builds upon the success of OPA with new packs of policies that are abstracted into plain language and mapped to meaningful security standards. This means governance, security and DevOps teams have the rules, results and audit trail to build security into their Kubernetes clusters, and prove compliance over time. These packs are just the latest implementations of proven policies that come from the OPA community, and should help regulated industries extend security best practices to the new cloud-native world.