- How does Prisma Cloud implement the Kubernetes CIS Benchmark to secure Kubernetes environments?
- What are the benefits of using Prisma Cloud for vulnerability management and compliance in Kubernetes deployments?
- How does Prisma Cloud prioritize security alerts and guide remediation efforts to ensure Kubernetes compliance?
Shifting Left to Secure Your Kubernetes Environment
Kubernetes CIS Benchmark and Prisma Cloud Validating Checks
The first question most cloud-native customers ask is what can I do to reduce risk in my cloud estate?
CIS Benchmarks provide consensus-oriented best practices for securely configuring systems. Prisma Cloud provides checks that validate the recommendations in the Kubernetes CIS Benchmark.
Let’s dive in.
Detect and Fix Vulnerabilities in Your Kubernetes Environment
Prisma Cloud by Palo Alto Networks by default scans images every 24 hours. Each Kubernetes CIS Benchmark issue that Prisma Cloud finds is graded with a score: critical, high, medium and low. The Prisma Cloud score lets you create Kubernetes compliance rules that take action depending on the severity of the possible outcomes. To be reasonably certain that your Kubernetes environment is secure, you should address all the critical and high-severity checks Prisma Cloud surfaces for review.
To help protect your Kubernetes environment, Prisma Cloud will alert on all critical and high-severity checks by default. But don’t worry about being overwhelmed with security alerts, as only a handful of checks are graded as critical or high severity. What’s more, Prisma Cloud further prioritizes those potential threats for you. If your Kubernetes environment is exposed to the internet, for example, Prisma Cloud will alert you and prioritize security fixes to keep the environment secure and compliant with the Kubernetes CIS Benchmark.
Continuous Image Scanning to Ensure Secure Kubernetes Deployments
Prisma Cloud scans images early in the build and deployment phases of the application lifecycle and uses built-in Kubernetes CIS Benchmark validations through compliance checks. A finding that generates a compliance alert, like “Image should be created with a non-root user” for instance, can be remediated in the image build process. Prisma Cloud can even be configured to stop the build process by requiring the developer to remediate noncompliant images to continue.
So, to follow our root-user example, whenever a developer attempts to build an image that doesn’t define a non-root user account, the build process will be stopped to protect your Kubernetes environment according to Kubernetes CIS Benchmark (and NSA/CISA) standards.
Secure and Complaint Container Images Across the Entire Lifecycle
A challenge when scanning container registries is the wide variety of registries available. Some Kubernetes platforms, like Red Hat OpenShift (RHOS) and managed Kubernetes services in the cloud, include their own built-in registries. Other platforms have the flexibility to select from a variety of third-party registries. This diversity of registry choices and configurations highlights the need for a container image scanning tool like Prisma Cloud that seamlessly integrates with any registry type. Prisma Cloud offers security agility, providing you with a single, unified image scanning solution regardless of your Kubernetes cluster setup.
With Prisma Cloud repository and image scanning you get detection and prevention of vulnerabilities throughout the entire application lifecycle, while also prioritizing identified risks. Embed vulnerability management within any continuous integration (CI) process to ensure continuous monitoring, detection and mitigation of risks to hosts, images and functions. The Prisma Cloud security platform integrates our vulnerability detection with globally sourced threat intelligence and real-time environment data from your deployments, helping to focus on the most critical risks in your Kubernetes environment and keep you compliant with the Kubernetes CIS Benchmark.
Multicloud Kubernetes Compliance and Container Security
Prisma Cloud offers comprehensive visibility and full lifecycle security across cloud service providers (CSPs) and platforms, including securing many different Kubernetes environments:
- Amazon Elastic Kubernetes Service (Amazon EKS)
- Google Kubernetes Engine (GKE)
- Azure Kubernetes Service (AKS)
- Oracle Cloud Infrastructure Container Engine for Kubernetes (OKE)
- Alibaba Cloud Container Service for Kubernetes (ACK)
- Red Hat OpenShift (RHOS) container platform
Meet Your Kubernetes CIS Benchmark Goals with Prisma Cloud
Prisma Cloud by Palo Alto Networks is a Code to CloudTM platform that simplifies the adoption and validation of cloud security best practices outlined by Kubernetes CIS Benchmarks.
With Prisma Cloud, you’ll benefit from hundreds of built-in, customizable security policies covering configurations, communications and more to ensure you’re always compliant, regardless of which version of Kubernetes you run.
Learn More
Get the ultimate guide to containers and Kubernetes, an essential resource for understanding, implementing and mastering security in a containerized environment. The Definitive Guide to Container Security.
And if you'd like to see how Prisma Cloud can address your Kubernetes CIS Benchmark goals, consider booking a personalized demo.