As the pace of digital transformation accelerates, many organizations are adopting Kubernetes for managing their containerized workloads. While Kubernetes brings scalability and reliability, it also introduces new challenges in security and compliance. One essential standard SaaS companies, cloud services, and all organizations dealing with sensitive information must adhere to is SOC 2. The American Institute of Certified Public Accountants (AICPA) developed the voluntary compliance standard Service Organization Control 2 (SOC 2) for service organizations, which specifies how organizations should manage customer data. SOC 2 requires companies to establish and follow strict information security policies and procedures to ensure that service providers securely manage data to protect the interests and privacy of their clients.
SOC 2 certification includes two types: Type I and Type II. Type I evaluates the design of a company's control environment at a point in time, while Type II examines the operating effectiveness of those controls over a period of time. SOC 2 reports focus on five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. By complying with these common criteria, organizations are able to show that they have robust internal controls in place to handle and protect client data. One of the key outputs of a SOC audit is the SOC report.
In addition to SOC 2 reports, there are other types of SOC reports. SOC 1 and SOC 2 are two different compliance standards, while SOC 3 is a public-facing summary of the SOC 2 report. SOC 1 is an audit that focuses on controls at a service organization that may impact a user entity's internal control over financial reporting (ICFR). SOC 1 audits are performed under SSAE 18 (Statement on Standards for Attestation Engagements), which was also developed by the AICPA. This report is relevant primarily for organizations that provide services that could impact their customers' financial statements, such as payroll processors or financial services companies. These reports offer transparency into an organization's security posture, providing customers, partners, and stakeholders with confidence that their data is in safe hands.
Cloud-native technologies, such as Kubernetes, Docker, and serverless computing platforms, revolutionized how organizations build and deploy applications. However, they also present unique challenges related to achieving and maintaining SOC 2 compliance (the NSA’s Kubernetes Hardening Guide provides a comprehensive set of best practices for securing Kubernetes environments).
Visibility and Monitoring: In cloud-native environments, applications are often distributed across many containers and services, sometimes spread across different regions or cloud providers. Gaining a comprehensive view of the environment, monitoring all activity effectively, and detecting security threats or irregularities quickly can be challenging in this environment.
Configuration Management: Cloud-native technologies come with many configuration options. This provides a lot of flexibility, but also introduces risk. Misconfigurations can lead to security vulnerabilities, therefore it’s critical to have configuration management processes in place.
Access Control: The dynamic nature of cloud-native technologies can complicate access control. For example, containers are created and destroyed as needed — and managing who has access to what, when, and in what context, can be difficult.
Security Updates and Patch Management: Staying up to date with security updates can be more difficult with cloud-native technologies, particularly when there are multiple different containers and services, each with a unique set of dependencies and vulnerabilities.
Data Security and Privacy: Ensuring that sensitive data is properly protected at all stages of its lifecycle is a critical aspect of SOC 2 compliance. However, implementing effective data security controls can be more complex in a cloud-native environment due to data fragmentation, the use of third-party tools or SaaS solutions, and the ephemeral nature of containers.
Incident Response: The dynamic and distributed nature of cloud-native environments can make it more difficult to identify the cause of security incidents and coordinate an effective response.
Overcoming these challenges requires a strong culture of security and compliance, including ongoing training to ensure all members of the organization understand their responsibilities in maintaining compliance. In Kubernetes, it requires hardening of the environment and adopting policies, tools, and practices to increase the security, reliability, and availability of Kubernetes.
Kubernetes is not secure by default, but organizations can comply with SOC 2 by focusing on a few things:
Security: Use Role-Based Access Control (RBAC), network policies, and secrets management to secure access to the container environment, an essential aspect of the Security criterion in SOC 2. Security controls and access controls help prevent unauthorized access.
Availability: Kubernetes’ self-healing features (such as auto-restart, replication, and auto-scaling) can help fulfill the Availability criterion of SOC 2 by ensuring that the services are reliably up and running.
Processing Integrity: Logging and monitoring capabilities within Kubernetes can help organizations meet the Processing Integrity criterion of SOC 2.
While you can configure Kubernetes to support SOC 2 compliance, using Kubernetes does not automatically make a system SOC 2 compliant. Organizations must implement proper security controls and procedures and use Kubernetes in alignment with the SOC 2 guidelines. Achieving and maintaining SOC 2 compliance requires regular audits as well. From our experience at Fairwinds, we’ve noticed many organizations aren’t sure what controls they need to implement from a Kubernetes perspective to meet SOC 2 criteria.
SOC 2 audit reports focus on a Service Organization's non-financial reporting controls as they relate to the security of a system. Based on the AICPA's Trust Service Criteria (TSC), SOC 2 is intended to provide information that users need to assess and address the risks associated with service providers. It helps to ensure customer data is secure and organizations are complying with the latest in cybersecurity standards.
Having a SOC 2 certification and adhering to its standards:
Demonstrates to clients and stakeholders that your organization has robust controls in place to protect data, building trust.
Helps organizations identify and address potential vulnerabilities, reducing the risk of data breaches and other security incidents.
Offers organizations a competitive edge, particularly in industries where data security is a critical concern.
Helps demonstrate compliance with other regulations that include data security and data privacy requirements, such as GDPR, HIPAA, and PCI DSS.
Ensures your organization is doing everything it can to protect the data it holds, which can prevent potentially catastrophic incidents that could damage your organization's reputation and bottom line.
SOC 2 compliance also may be required to do business with certain industries and verticals. Some businesses may require their vendors or partners to have SOC 2 certification to ensure that the data they share with you is secured according to recognized standards.
A SOC 2 audit report should contain the following sections:
Opinion Letter (Independent Service Auditor’s Report): The auditor presents their opinion on the effectiveness of the controls in place. This part can be either unqualified (clean), qualified (certain exceptions noted), adverse (system is not presented fairly and/or controls are not suitably designed and/or operating effectively), or a disclaimer of opinion (auditor is not able to give an opinion).
Management's Assertion: A written statement from the management of the service organization confirming that they have met the requirements for a SOC 2 report, including an overview of the services provided, management's assertion about the fairness of the presentation of the system, the suitability of the design of the controls to meet the applicable trust services criteria, and, in a Type II report, the operating effectiveness of those controls.
Description of Systems: An overview of the services provided by the service organization, including details of how the organization's system is designed and how it operates. It covers the types of data processed, the people involved in the operation, procedures for handling data, and any subservice organizations involved.
Control Activities and Testing (For Type II reports): Outlines the testing strategies used by the auditor to assess the effectiveness of controls over a specified period, including details on the tests performed, the auditor's understanding of the control design, and the results of the testing.
Detailed Results: Information about any deviations found during testing or any areas where the controls were not operating effectively.
Additional Information (Optional): Other information as needed, such as details of the organization's risk management process, control environment, control objectives, governance structure, and control processes.
Fairwinds Insights is software for monitoring, automating, and enforcing Kubernetes best practices. Businesses use the security, compliance, and governance controls of Fairwinds Insights to address the SOC 2 scope specific to containers and Kubernetes. Fairwinds Insights provides multi-cluster visibility and policy enforcement, so you can manage SOC 2 compliance for Kubernetes from CI/CD all the way through to production. This enables you to implement controls early in the development process, not just in production, so you always know your latest compliance status.
Fairwinds Insights is available to use for free! The free tier is available for environments up to 20 nodes, two clusters, and one repo. This is great for companies looking to test-drive the product. However, most organizations upgrade to the Team Tier to ensure they can get SOC 2 coverage across all of their clusters. The Team Tier is also great if your organization has a single product running on Kubernetes. The Team Tier starts at 20 nodes with unlimited clusters and repos. The Premium Enterprise tier is ideal for enterprises that manage multiple clusters and critical applications and need additional Technical Support to onboard multiple teams. You can sign up here.
Below are some examples of how Insights maps to SOC 2 criteria. Additional mappings and automated evidence collection can be found in the product. You can sign up here for free.
A component of CC 6.1 is focused on standardizing your infrastructure configuration.
With Fairwinds Insights, Kubernetes administrators can run multiple, automated vulnerability scanning tools to detect whether obvious security holes exist, and whether or not the cluster aligns with industry standards — like the CIS Kubernetes Benchmark.
In addition, policy controls can be built into Fairwinds Insights that apply guardrails to cluster configuration. By setting a policy, you can prevent containers from being deployed from untrusted sources. Fairwinds brings over 100 out-of-the-box checks around Kubernetes best practices, such as identifying containers running as privileged or as root. In addition, the software provides functionality for monitoring risky role-based access control (RBAC) profiles. With policy enforcement, you can prevent containers that are out of compliance from moving to production.
Part of CC 6.6 deals with vulnerability scanning of your infrastructure and application containers. Kubernetes is open source, and the many packages and container images that run core Kubernetes workloads may carry known vulnerabilities. Having a process for inspecting these containers to inventory risk becomes a critical part of achieving SOC 2 compliance.
Fairwinds Insights delivers runtime container scanning, as well as integrations in the CI/CD process. Tracking known vulnerabilities in containers is an essential piece of managing SOC 2 compliance, and these two layers enable organizations to easily establish a vulnerability management program to fulfill SOC 2 requirements. Fairwinds Insights goes a step further by automating evidence collection for use of runtime and container scanning tools, saving compliance teams time.
Monitoring for malicious software and changes to infrastructure is a key part of CC 6.8. In the case of Kubernetes, this includes activities like monitoring who has access to the cluster, locking down RBAC and network policies, as well as leveraging deployment policies to prevent containers from running from untrusted sources.
Fairwinds Insights can help solve pieces of CC 6.8 with runtime container scanning and policy enforcement functionality. For example, with Fairwinds Insights’ CI/CD integration and validating admission controller, you can prevent containers from running from untrusted sources by maintaining an “allow list” of trusted registries through customizable policies.
Fairwinds Insights can help you implement several specific controls for CC 7.1, including areas like configuration auditing and vulnerability management. At its core, Fairwinds Insights provides vulnerability management capabilities for tracking configuration weaknesses and vulnerabilities from a single interface. The software provides an audit trail into when issues were first/last seen, and whether they have been resolved or mitigated by the service owner.
Open Policy Agent (OPA) policies enable you to define configuration standards so you can prevent misconfigurations from propagating into production. Fairwinds provides several of these policies out-of-the-box, such as denying deployments with privilege escalation enabled. While Fairwinds defaults to sensible best practices, policies can be customized to fit your organizational needs or allowed exceptions.
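As an added example (not one of Fairwinds Insights' bundled policies), the OPA Rego admission policy below combines the guardrails discussed in this section and the CC 6.1 and CC 6.8 sections above: it denies privileged containers, containers that allow privilege escalation, containers not declared as non-root, and images pulled from outside a trusted-registry allow list. The registry prefixes are constructed placeholders, and the policy assumes it is evaluated against a Kubernetes AdmissionReview where `input.request.object` is the Pod.

```rego
package kubernetes.admission

# Constructed allow list (assumption): image references must start
# with one of these prefixes to be admitted.
trusted_registries := {"registry.example.com/", "ghcr.io/example-org/"}

is_pod {
    input.request.kind.kind == "Pod"
}

# Collect regular and init containers so every rule covers both.
containers[c] {
    c := input.request.object.spec.containers[_]
}

containers[c] {
    c := input.request.object.spec.initContainers[_]
}

# Privileged containers share the node's kernel capabilities; deny them.
deny[msg] {
    is_pod
    c := containers[_]
    c.securityContext.privileged == true
    msg := sprintf("container %q must not run privileged", [c.name])
}

# A missing field is undefined, so `not ... == false` also denies
# containers that simply omit allowPrivilegeEscalation.
deny[msg] {
    is_pod
    c := containers[_]
    not c.securityContext.allowPrivilegeEscalation == false
    msg := sprintf("container %q must set allowPrivilegeEscalation: false", [c.name])
}

# runAsNonRoot may be set on the container or inherited from the Pod.
runs_as_non_root(c) { c.securityContext.runAsNonRoot == true }
runs_as_non_root(c) { input.request.object.spec.securityContext.runAsNonRoot == true }

deny[msg] {
    is_pod
    c := containers[_]
    not runs_as_non_root(c)
    msg := sprintf("container %q must run as non-root", [c.name])
}

# Trusted-registry allow list: deny any image outside the prefixes above.
image_trusted(image) { startswith(image, trusted_registries[_]) }

deny[msg] {
    is_pod
    c := containers[_]
    not image_trusted(c.image)
    msg := sprintf("container %q uses image %q from an untrusted registry", [c.name, c.image])
}
```

A Pod that passes yields an empty `deny` set; each violated rule contributes one message, which the admission webhook returns to the user in the rejection reason.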
Like with other control criteria, Fairwinds integrates infrastructure-as-code and container vulnerability scanning in the runtime environment and in CI/CD. When customers use these tools, Fairwinds Insights can use the findings to automate evidence collection for a number of CC 7.1 criteria, such as Pod Security misconfigurations.
CC 7.2 is focused on continuous monitoring of the system to ensure any anomalous activity or behavior is surfaced. With Fairwinds Insights, configuration and vulnerability information is monitored continuously in the cluster, and alerts are sent to downstream systems when new findings are discovered.
Findings can be tracked in the software, with audit trail notes and resolutions saved for future reference.
Data breaches are, unfortunately, a common threat. They can lead to the exposure of personally identifiable information (PII), result in a significant security incident, and damage both your bottom line and reputation. SOC 2 certification provides a framework for implementing control activities that help to mitigate these risks, forcing businesses to examine and continually improve their security practices, leading to a more robust control environment and a lower likelihood of experiencing a damaging data breach.
As Kubernetes is often used by SaaS companies to deliver cloud services and applications, SOC 2 attestation becomes essential to meet wide-ranging compliance requirements. Sensitive information, including PII, financial data, and health records, is subject to numerous regulations, and SOC 2 can help organizations demonstrate their commitment to meeting these standards.
While the journey to SOC 2 attestation can be complex and demanding, it's an invaluable step in demonstrating your commitment to data security. By undertaking the rigorous process of certification and remediation, you can ensure your Kubernetes environments meet the highest security standards and compliance requirements. Fairwinds Insights can help you automate policy enforcement in Kubernetes to align with the American Institute of CPAs’ guidance to follow the core trust services principles.
Learn more about how Fairwinds can help you achieve SOC 2 compliance for Kubernetes and containers.
Originally published on January 28, 2021 and updated to reflect new information.