Kubernetes Frameworks: NIST vs. CIS
Kubernetes is a container orchestration system used to run various types of workloads, from user-facing web applications to backend processes. Kubernetes environments are diverse, with the ability to host many different kinds of workloads all within one cluster, and they allow container communication by default. However, the many layers of complexity in Kubernetes also present new attack vectors for malicious actors to exploit.
The NIST Cybersecurity Framework (CSF) and the Center for Internet Security (CIS) Kubernetes Benchmarks provide comprehensive guidance and controls that organizations can implement to mitigate their risk exposure.
In this article, we’ll explore these two standards, looking at how they differ and complement one another. We’ll see how they’re used for setting high-level goals and guidelines for securely configuring a Kubernetes cluster.
Understanding the NIST CSF
The NIST CSF contains over 900 guidelines for organizations wanting to elevate their security posture. It is organized around a set of functions that represent high-level cybersecurity outcomes; lower-level objectives and outcomes fall into categories and subcategories that branch off these functions.
The framework is also a standard that can be used for auditing, allowing a company to compare its IT security with that of its peers. It enables businesses to assess their cybersecurity risks within the various components of their infrastructure, including Kubernetes clusters.
Core functions and applications related to Kubernetes
The table below outlines the top-level functions of the NIST framework and shows how they can be applied to manage Kubernetes clusters securely.
| Function | Definition of Function | Application to Kubernetes |
| --- | --- | --- |
| Govern | The organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored. | Establish governance policies for cluster and resource management as well as compliance. |
| Identify | The organization’s current cybersecurity risks are understood. | Identify all Kubernetes resources, dependencies, and potential vulnerabilities. |
| Protect | Safeguards to manage the organization’s cybersecurity risks are used. | Implement network segmentation, role-based access control (RBAC), and secure configurations for Kubernetes components. |
| Detect | Possible cybersecurity attacks and compromises are found and analyzed. | Use observability tools to detect abnormal activities in the cluster. |
| Respond | Actions regarding a detected cybersecurity incident are taken. | Create and implement incident response plans specific to Kubernetes. |
| Recover | Assets and operations affected by a cybersecurity incident are restored. | Develop and test backup and recovery procedures for Kubernetes clusters. |
Exploring the CIS Benchmarks for Kubernetes
The CIS Benchmarks for Kubernetes act as a companion to the NIST CSF. CIS controls are a set of directly actionable, concrete best practices related to setting up a secure Kubernetes cluster. The benchmarks comprehensively cover all components relevant to the architecture of Kubernetes (such as the control plane, etcd, and worker nodes). In addition, they address governance of the workloads that users place on top of these components (such as RBAC and pod security).
The CIS Benchmarks are a sweeping set of configuration checks. They range from file ownership of various components (e.g., 1.1.4 Ensure that the controller manager pod specification file ownership is set to root:root) to manual checks that the policies and procedures governing the cluster are properly set (e.g., 3.2.2 Ensure that the audit policy covers key security concerns).
Organizations can use automation to check most of these benchmarks, and the remaining benchmarks can be assessed as part of a manual audit process.
The following are explicit controls that are checked using the CIS Benchmarks:
| Target Area | Benchmark Categories |
| --- | --- |
| Control plane components | |
| Control plane configuration | |
| Worker nodes | |
| Policies | |
The CIS Benchmarks have additional general policies and security recommendations that don’t fall into any of these categories, but they are worth noting. Examples include applying security context to your pods and containers (5.7.3) and not using the default namespace for workloads (5.7.4).
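As an added illustration of how the automatable benchmarks above can be checked (this is example code, not CIS's or CrowdStrike's tooling), the script below evaluates the 1.1.4 ownership check against a control plane manifest and the 5.7.3/5.7.4 policy checks against pod objects, then rolls the results up into the kind of per-cluster pass/fail score the article mentions. The kubeadm manifest path, the 600 permission bound, and the rule that 5.7.3 passes only when every container sets a securityContext are assumptions of this example.

```python
"""Minimal automated checker for a few CIS Kubernetes Benchmark items (added
illustration, not CIS or CrowdStrike tooling). Benchmark IDs come from the text
above; the 600 permission bound and the securityContext rule are assumptions."""
import os
MANIFEST = "/etc/kubernetes/manifests/kube-controller-manager.yaml"  # kubeadm default

def check_owner(uid, gid):
    """1.1.4: controller manager pod specification file owned by root:root."""
    return uid == 0 and gid == 0

def check_mode(mode):
    """Assumed companion check: no permission bits beyond owner read/write (600)."""
    return (mode & 0o777) & ~0o600 == 0

def audit_manifest(path=MANIFEST):
    """Stat a manifest on disk and return {check: passed} for the file checks."""
    st = os.stat(path)
    return {"1.1.4": check_owner(st.st_uid, st.st_gid), "mode<=600": check_mode(st.st_mode)}

def audit_pods(pods):
    """Policy checks over objects shaped like `kubectl get pods -A -o json` items:
    5.7.4 fails for anything in `default`; 5.7.3 passes only when every container
    declares a securityContext (this example's reading). Returns (id, pod, passed)."""
    results = []
    for pod in pods:
        meta, containers = pod["metadata"], pod["spec"].get("containers", [])
        name = f'{meta["namespace"]}/{meta["name"]}'
        results.append(("5.7.4", name, meta["namespace"] != "default"))
        has_ctx = bool(containers) and all(c.get("securityContext") for c in containers)
        results.append(("5.7.3", name, has_ctx))
    return results

def health_score(results):
    """Roll pass/fail results up into the per-cluster percentage the text mentions."""
    passed = sum(1 for _, _, ok in results if ok)
    return round(100 * passed / len(results)) if results else 100

SAMPLE_PODS = [  # constructed sample input, not from a real cluster
    {"metadata": {"namespace": "default", "name": "web"},
     "spec": {"containers": [{"name": "web", "image": "nginx"}]}},
    {"metadata": {"namespace": "payments", "name": "api"},
     "spec": {"containers": [{"name": "api", "image": "api:1.0",
                              "securityContext": {"allowPrivilegeEscalation": False}}]}},
]

if __name__ == "__main__":
    findings = audit_pods(SAMPLE_PODS)
    for bench, name, ok in findings:
        print(f"{bench} {name}: {'PASS' if ok else 'FAIL'}")
    print(f"health score: {health_score(findings)}%")
```

Run `audit_manifest()` on a control plane node to get the file-level findings; the pod checks run anywhere on the JSON `kubectl` already produces.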
Comparing NIST and CIS frameworks
The scope and focus of these two frameworks are complementary. NIST has a broad focus that extends well beyond Kubernetes clusters, but it still applies to cluster administration. The CIS Benchmarks give specific guidance on how to operate a Kubernetes cluster securely, with a measurable set of checks you can use to determine a health score.
The NIST framework lends itself to a more strategic approach, setting up the work that you will take on to improve the security of your clusters. It is well suited for a high-level plan for tackling some organizational cybersecurity goals related to Kubernetes.
CIS Benchmarks are more tactical, giving you individual areas to improve or enforce in discrete chunks. They give you a detailed view of how well (or how poorly) your clusters are configured, and they give you a concrete number you can point to (such as how many benchmarks you pass or fail per cluster), which rolls up into a health metric that highlights areas for improvement.
When combined, NIST and CIS offer a top-down framework to guide your organization to security excellence, with a bottom-up set of technical benchmarks for accountability as you work on improving the security of each cluster.
Implementing these two frameworks within your organization can be daunting. The CIS document spans over 300 pages, describing each CIS Benchmark in detail. Meanwhile, the NIST framework is a 30-page document with general guidelines that your organization would need to concretize.
Lean on CrowdStrike for Kubernetes security guidance
NIST offers a set of functions, categories, and subcategories that an organization can use to plan how it will meet high-level cybersecurity goals. The NIST framework starts from core functions and breaks them down into components that are much more specific and concrete, helping to mitigate organizational risk. The CIS Benchmarks for Kubernetes offer concrete implementation guidance that fits into these categories; it is a framework of individual pass-or-fail checks for properly configuring Kubernetes.
CrowdStrike is a proven leader in the cybersecurity space, and the CrowdStrike Falcon® platform helps organizations comply with the NIST and CIS frameworks. It helps organizations implement NIST controls, covering various levels of control families. Additionally, CrowdStrike has partnered with CIS to build CIS Benchmarks into the Falcon platform, leading to swift setup of the CIS Benchmarks for Kubernetes.
If you’d like to see how the CrowdStrike Falcon platform can make it simple to secure your Kubernetes environments using the NIST and CIS frameworks, read how CrowdStrike can help you prepare for the future of NIST CSF and request a free trial to get started today.