If you handle customer data, chances are you’ve heard of SOC 2. Perhaps you’ve asked vendors for a SOC 2 report, or you have had to undergo an audit yourself.
SOC 2 audit reports focus on a Service Organization's non-financial reporting controls as they relate to the security of a system. Based on the AICPA's Trust Service Criteria, SOC 2 is intended to provide information that users need to assess and address the risks associated with service providers. It helps to ensure customer data is secure and organizations are complying with the latest in cybersecurity standards.
Adopting cloud native technologies like containers and Kubernetes presents new compliance challenges with SOC 2. Because containers are ephemeral (containers can be stopped and destroyed, then rebuilt and replaced with an absolute minimum setup and configuration), it can be difficult to identify if you are compliant in the first place or when a container no longer complies.
Fairwinds Insights is software for monitoring, automating and enforcing Kubernetes best practices. Businesses use the security, compliance, and governance controls of Fairwinds Insights to address the SOC 2 scope specific to containers and Kubernetes. Fairwinds Insights provides multi-cluster visibility and policy enforcement, so you can manage SOC 2 compliance for Kubernetes from CI/CD all the way through to production. This enables you to implement controls early in the development process, not just in production -- so you always know your latest compliance status.
Fairwinds Insights is available to use for free. You can sign up here.
Here are some examples of how Fairwinds Insights can help organizations with SOC 2.
A component of CC 6.1 is focused on standardizing your infrastructure configuration.
With Fairwinds Insights, Kubernetes administrators can run multiple automated vulnerability scanning tools to detect whether obvious security holes exist and whether the cluster aligns with industry standards such as the CIS Kubernetes Benchmark.
Policy controls can also be built into Fairwinds Insights to apply guardrails to cluster configuration. By setting a policy, you can prevent containers from being deployed from untrusted sources. Fairwinds ships more than 100 out-of-the-box checks for Kubernetes best practices, such as identifying containers running as privileged or as root, and includes a pre-built library of custom checks for managing compliance and operational risk, such as requiring labels on deployments. This means containers with customer data moving to production won’t fall out of compliance.
Part of CC 6.6 deals with vulnerability scanning of your infrastructure and application containers. Kubernetes is open source, and the many packages and container images that run core Kubernetes workloads may carry known vulnerabilities. Having a process for inspecting these containers and inventorying the risk they carry becomes a critical part of achieving SOC 2 compliance.
Fairwinds Insights delivers runtime container scanning, as well as integrations in the CI/CD process. Tracking known vulnerabilities in containers is an essential piece of managing SOC 2 compliance, and these two layers enable organizations to easily establish a vulnerability management program to fulfill SOC 2 requirements. Fairwinds Insights goes a step further by prioritizing findings by severity, giving important guidance to developers and compliance teams around where to focus efforts first.
Monitoring for malicious software and changes to infrastructure is a key part of CC 6.8. In the case of Kubernetes, this includes activities like monitoring who has access to the cluster, locking down RBAC and network policies, as well as leveraging deployment policies to prevent containers from running from untrusted sources.
Fairwinds Insights can help solve pieces of CC 6.8 with runtime container scanning and continuous monitoring of RBAC settings. With RBAC specifically, Fairwinds Insights will identify profiles that may be overly permissive, such as those with the ability to view secrets or escalate permissions. In addition, you can prevent containers from running from untrusted sources by maintaining an “allow list” of trusted registries through customizable policies.
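The RBAC review described above, as an added example that is not Fairwinds Insights code: a small Python scanner that walks the rules of Role and ClusterRole objects (already parsed from YAML or the API into dicts) and reports rules that allow reading Secrets or escalating privileges through the RBAC API. The role names and rules at the bottom are constructed samples, not taken from any real cluster.

```python
"""Flag overly permissive Kubernetes RBAC roles.

Added example for illustration; this is not Fairwinds Insights code. It walks
the rules of Role / ClusterRole objects that have already been parsed from
YAML or the API into dicts and reports rules that allow reading Secrets or
escalating privileges via the RBAC API. The sample roles at the bottom are
constructed for illustration.
"""

# Verbs that let a subject read Secret contents.
SECRET_READ_VERBS = {"get", "list", "watch"}
# Verbs on RBAC resources that let a subject grant itself (or others) more power.
ESCALATION_VERBS = {"escalate", "bind"}
RBAC_RESOURCES = {"roles", "clusterroles", "rolebindings", "clusterrolebindings"}


def _has(values, wanted):
    """True if any of `values` is in `wanted` or is the wildcard '*'."""
    return any(v == "*" or v in wanted for v in values)


def rbac_findings(role):
    """Return human-readable findings for one Role/ClusterRole dict."""
    name = role.get("metadata", {}).get("name", "<unnamed>")
    findings = []
    for rule in role.get("rules", []):
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        verbs = rule.get("verbs", [])
        # A full wildcard rule is cluster-admin in all but name; report it once.
        if "*" in resources and "*" in verbs:
            findings.append(f"{name}: wildcard rule grants every verb on every resource")
            continue
        if _has(resources, {"secrets"}) and _has(verbs, SECRET_READ_VERBS):
            findings.append(f"{name}: can read Secrets ({', '.join(sorted(verbs))})")
        if (_has(groups, {"rbac.authorization.k8s.io"})
                and _has(resources, RBAC_RESOURCES)
                and _has(verbs, ESCALATION_VERBS)):
            findings.append(f"{name}: can escalate or bind RBAC roles ({', '.join(sorted(verbs))})")
    return findings


def scan_roles(roles):
    """Map role name -> findings, omitting roles with nothing to report."""
    result = {}
    for role in roles:
        found = rbac_findings(role)
        if found:
            result[role["metadata"]["name"]] = found
    return result


# Constructed sample roles (not from any real cluster).
SAMPLE_ROLES = [
    {"kind": "Role", "metadata": {"name": "pod-viewer"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "Role", "metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "role-binder"},
     "rules": [{"apiGroups": ["rbac.authorization.k8s.io"],
                "resources": ["clusterroles"], "verbs": ["bind"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "too-broad"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]

if __name__ == "__main__":
    for role_name, items in scan_roles(SAMPLE_ROLES).items():
        for item in items:
            print(item)
```

In a real review you would feed this the output of `kubectl get roles,clusterroles -A -o json` (the `items` list) rather than the constructed samples; the `escalate` and `bind` verbs are the ones Kubernetes itself uses to gate granting permissions you do not already hold, which is why they are treated as escalation here.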
Fairwinds Insights can help you implement a number of specific controls for CC 7.1, including areas like configuration auditing and vulnerability management. At its core, Fairwinds Insights provides vulnerability management capabilities for tracking configuration weaknesses and CVEs from a single control plane. The software provides an audit trail into when issues were first/last seen, and whether they have been resolved or mitigated by the service owner.
Open Policy Agent (OPA) policies enable you to define configuration standards so you can prevent misconfigurations from propagating into production. Fairwinds provides several of these policies out-of-the-box, such as denying deployments with privilege escalation enabled. While Fairwinds defaults to sensible best practices, policies can be customized to fit your organizational needs or allowed exceptions.
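The guardrails mentioned above (containers running as privileged or as root, privilege escalation enabled, an allow list of trusted registries, and required labels on deployments) as one added example, written in plain Python rather than Rego so it runs stand-alone; it is not Fairwinds Insights, Polaris or OPA code. The registry allow list, the required label names and both sample manifests are constructed assumptions for illustration.

```python
"""Guardrail checks for Kubernetes workload manifests.

Added example for illustration; this is not Fairwinds Insights, Polaris or OPA
code. It applies, in plain Python, the kind of policy the text describes to a
parsed Pod or Deployment dict: containers running privileged, as root, or with
privilege escalation allowed; images pulled from outside a trusted-registry
allow list; and required labels missing from the workload. The registry allow
list, the required labels and both sample manifests are constructed.
"""

# Constructed allow list: only images from these prefixes may run.
TRUSTED_REGISTRIES = ("registry.example.internal/", "quay.io/example-org/")
# Constructed label requirement, in the spirit of "require labels on deployments".
REQUIRED_LABELS = ("app", "owner")


def image_registry_allowed(image):
    """True if the image reference starts with a trusted registry prefix.
    A bare name such as 'nginx:1.25' resolves to Docker Hub and is not trusted."""
    return image.startswith(TRUSTED_REGISTRIES)


def pod_spec_of(obj):
    """PodSpec of a Pod, or of the template inside a Deployment/StatefulSet/Job."""
    if obj.get("kind") == "Pod":
        return obj.get("spec", {})
    return obj.get("spec", {}).get("template", {}).get("spec", {})


def container_findings(container, pod_sc):
    """Findings for one container; pod_sc is the pod-level securityContext."""
    name = container.get("name", "<unnamed>")
    sc = container.get("securityContext") or {}
    out = []
    if sc.get("privileged"):
        out.append(f"{name}: runs privileged")
    # allowPrivilegeEscalation is true unless explicitly set to false.
    if sc.get("allowPrivilegeEscalation", True):
        out.append(f"{name}: privilege escalation allowed")
    # Container-level settings override pod-level ones.
    run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
    run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
    if run_as_user == 0:
        out.append(f"{name}: runs as root (runAsUser 0)")
    elif not run_as_non_root and run_as_user is None:
        out.append(f"{name}: may run as root (neither runAsNonRoot nor runAsUser set)")
    image = container.get("image", "")
    if not image_registry_allowed(image):
        out.append(f"{name}: image '{image}' is not from a trusted registry")
    return out


def workload_findings(obj):
    """All findings for a Pod/Deployment-style manifest dict (empty list = compliant)."""
    out = []
    labels = obj.get("metadata", {}).get("labels", {}) or {}
    for label in REQUIRED_LABELS:
        if label not in labels:
            out.append(f"missing required label '{label}'")
    spec = pod_spec_of(obj)
    pod_sc = spec.get("securityContext") or {}
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        out.extend(container_findings(c, pod_sc))
    return out


# Constructed sample manifests.
NONCOMPLIANT = {
    "kind": "Deployment", "metadata": {"name": "web", "labels": {"app": "web"}},
    "spec": {"template": {"spec": {"containers": [
        {"name": "web", "image": "nginx:1.25", "securityContext": {"privileged": True}},
        {"name": "sidecar", "image": "registry.example.internal/team/sidecar:2.1",
         "securityContext": {"runAsNonRoot": True, "runAsUser": 1000,
                             "allowPrivilegeEscalation": False}},
    ]}}},
}
COMPLIANT = {
    "kind": "Deployment",
    "metadata": {"name": "api", "labels": {"app": "api", "owner": "platform"}},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{"name": "api", "image": "quay.io/example-org/api:1.4.0",
                        "securityContext": {"allowPrivilegeEscalation": False}}],
    }}},
}

if __name__ == "__main__":
    for finding in workload_findings(NONCOMPLIANT):
        print("DENY:", finding)
    print("compliant findings:", workload_findings(COMPLIANT))
```

Run against parsed manifests in CI (for example, `yaml.safe_load_all` over the rendered chart output) and fail the pipeline when `workload_findings` returns anything; this is the "shift left" the text describes, catching a privileged container or an untrusted image before it reaches a cluster. Wiring the same logic into an admission controller is what gives it teeth at runtime. The `sidecar` container in the non-compliant sample shows the settings a passing container needs: `runAsNonRoot: true`, an explicit `allowPrivilegeEscalation: false`, and an image from the allow list.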
Like with other control criteria, Fairwinds integrates container vulnerability scanning in the runtime environment and in CI/CD. Additionally, Fairwinds can run other tools that look for configuration and vulnerability-related issues within the cluster itself.
CC 7.2 is focused on continuous monitoring of the system to ensure any anomalous activity or behavior is surfaced. With Fairwinds Insights, configuration and vulnerability information is monitored continuously in the cluster, and alerts are sent to downstream systems when new findings are discovered.
Findings can be tracked in the software, with audit trail notes and resolutions saved for future reference.