NIST Cybersecurity Framework and Kubernetes

Customers trust Lifion, by ADP with some of their most important data and they rely on us to preserve its security and privacy following the highest industry standards. In this article we talk about some ways we bridge the strategy and tactical implementation of NIST Cybersecurity Framework in Kubernetes.

The NIST Cybersecurity Framework (NCF) provides a framework for companies with guidelines and practices on managing cybersecurity risks and protecting organizations. Following this framework is required for essential services, critical infrastructure, and government agencies to adopt.

Many private organizations have adopted NCF in recent years, but many still do not have adequate cybersecurity controls. The framework is not one size fits all but is up to every organization to understand their crown jewels and manage their risks.

Gartner predicted that in 2020 that 50% of the U.S organizations will use the NIST Cybersecurity framework.

https://www.nist.gov/industry-impacts/cybersecurity-framework

Companies want to adopt a good security posture. Still, they often get overwhelmed with the number of controls and often do not know where to start.

This is where the Cybersecurity Framework helps companies organize a plan of action. There are five main components to follow:

1. Identify: In this step, organizations identify their more important assets or crown jewels. E.g. data lakes, databases, blob storage, proprietary code, etc.
2. Protect: This is where organizations invest resources to protect the assets identified in the prior step. E.g. data loss prevention tools, antivirus, vulnerability management tools, code scanning tools, firewalls, etc.
3. Detect: This component allows organizations to alert and identify a breach in the controls in place. E.g. operational dashboards, alerts, abnormally behavior detection tools, etc.
4. Respond: Building an incident response plan when a breach occurs is critical not only for engineers but also for the C-Suite and board of directors.
5. Recover: This component is responsible for creating a business continuity plan (BCP)

This framework fits well within cloud-native organizations. The Cloud Native Computing Foundation (CNCF) defines cloud-native as:

Cloud native allows IT and software to move faster. Adopting cloud native technologies and practices enables companies to create software in-house and allows business people to closely partner with IT people, keep up with competitors and deliver better services to their customers.

When the framework is in place, it should not follow a linear approach as the threat landscape is always changing. Instead of a linear approach, the framework should follow a continuous improvement approach. If not, the risks of not having proper controls could be catastrophic to the organization.

https://www.nist.gov/cyberframework

Now that we understand the theory lets see how we can apply some of the Cybersecurity Framework categories to Kubernetes. The NCF offer over 180 controls that can be applied to organizations.

IDENTIFY

• ID.AM-2 Software platforms and applications within the organization are inventoried.
  An organization has a configuration management database (CMDB) to help keep track of all the Kubernetes clusters and applications running on top of these clusters.
• ID.GV-1 Organizational cybersecurity policy is established and communicated.
  Policies include a least privilege approach for human and machine access to the data. A good policy includes a data classification to understand where and who can access personally identifiable information (PII) and (SPI).
• ID.RA-1 Asset vulnerabilities are identified and documented.
  Every application deployed has vulnerabilities; having this document is critical for the business to decide if it is willing to accept the risk and plan to remediate. This includes items such as:
  - Are Kubernetes namespaces utilized for application segregation?
  - Is mutual TLS (mTLS) enabled for application to application communication?
  - Are TCP/IP network rules enabled to block or allow traffic among apps? E.g., only allowing communication from app A to app B on port TCP port 443
• ID.SC-1 Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders.
  This has been an important control on Cybersecurity for quite a long time, but now it may be more important than ever after SolarWind's cyberattack was discovered in December 2020.
  Understanding what third-party vendors and software libraries are used in a platform ecosystem is important because this could open backdoors to the ecosystem and compromise security.

PROTECT

• PR.AC-1 Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users, and processes.
  Rotating application credentials monthly or even daily is easier than ever in Kubernetes. With Kubernetes, using service accounts allows following the least privileged approach where an application only has access to the resources that it needs.
• PR.AT-1 All users are informed and trained
  This could be the most important category in the NIST Cybersecurity Framework. Errors and misconfiguration remains high in the list of data security breaches. The 2020 Verizon Data Breach and Investigation report categorizes misconfiguration and human error as more common than malware.
• PR.DS-1 Data-at-rest is protected
  This is one of the easiest controls to implement. Kubernetes offers encryption of data at rest by using a KMS provider.

DETECT

• DE.AE-5 Incident alert thresholds are established.
  Kubernetes is great at capturing logs and events from the Kubernetes platform and the applications. However, it does not offer alerting and behavior anomaly analysis out of the box. Third-party products are needed to detect anomalies in the Kubernetes ecosystem, such as Prisma Cloud, StackRox, and Sysdig.
• DE.CM-8 Vulnerability scans are performed.
  There should be a layered approach that can be achieved with the tools mentioned above. The vulnerability scans should be performed at 5 different levels.
  - Host level: Kubernetes infrastructure such as worker nodes, ETCD, master nodes running on top of Linux and or Windows servers should be scanned and patched.
  - Kubernetes infrastructure: The cluster must run the latest supported version and follow security bulletins to make sure any vulnerabilities are being mitigated.
  - Docker images: Scanning docker images should be part of an organization’s Cybersecurity Framework.
  - Running images: scanning running images is a critical component because it is important to be aware of any new process or actor that may be changing the way an application was supposed to behave.
  - Code scanning: Several scanning tools can help with this. Making sure there are no vulnerabilities or bad coding practices is critical. Tools such as SonarQube or Snyk can help find code vulnerabilities.

RESPOND

• RS.AN-1 Notifications from detection systems are investigated
  Having systems that detect and alert are not sufficient, and based on experience, this category takes time to master. Ensuring a Security Operations Center (SOC) look into real alerts is key; the challenge is to eliminate all the noise from alerts. Automation should be a first-class citizen to ensure proper actionable alerts are getting to the SOC.
• RS.IM-2 Response strategies are updated
  This category needs discipline by all teams in the organization. Good processes and frameworks are key with documentation up to date. As technology changes rapidly, a Cybersecurity strategy should be updated at the same time. It is important to avoid relying on an out-of-date response strategy that does not apply to the organization anymore. I recommend reviewing response strategies once a quarter.

RECOVERY

• RC.RP-1 Recovery plan is executed during or after a cybersecurity incident
  Knowing what to do when Cybersecurity happens is important not only for engineers but also for senior leadership. Running tabletop exercises at least once a quarter is important to build muscle memory.

CONCLUSION

In conclusion, there are many areas in how an organization can improve Cybersecurity. It is highly beneficial to make early investments in identify, protect, and detect categories and less expensive to invest in these areas than fixing security after a breach. Without this, there is risk of not only financial but also reputational damage.

Finally, it’s critical to remember that security is everybody responsibility or as we say at Lifion, “Lifionites keep Lifion secure”.