
Kubernetes Frameworks: NIST vs. CIS

Kubernetes is a container orchestration system used to run various types of workloads, from user-facing web applications to backend processes. Kubernetes environments are diverse: a single cluster can host many different kinds of workloads, and by default the containers in it can communicate with one another freely. However, the many layers of complexity in Kubernetes also present new attack vectors for malicious actors to exploit.

The NIST Cybersecurity Framework (CSF) and the Center for Internet Security (CIS) Kubernetes Benchmarks provide comprehensive guidance and controls that organizations can implement to mitigate their risk exposure. 

In this article, we’ll explore these two standards, looking at how they differ and complement one another. We’ll see how they’re used for setting high-level goals and guidelines for securely configuring a Kubernetes cluster.

Understanding the NIST CSF

The NIST CSF contains over 900 guidelines for organizations wanting to elevate their security posture. It uses a set of functions that represent high-level cybersecurity outcomes. Lower-level objectives and outcomes fall into categories and subcategories that branch off of these functions.

The framework is also a standard that can be used for auditing, allowing a company to compare its IT security with that of its peers. It enables businesses to assess their cybersecurity risks within the various components of their infrastructure, including Kubernetes clusters.

Core functions and applications related to Kubernetes

The table below outlines the top-level functions of the NIST framework and shows how they can be applied to manage Kubernetes clusters securely.

| Function | Definition of Function | Application to Kubernetes |
|---|---|---|
| Govern | The organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored. | Establish governance policies for cluster and resource management as well as compliance. |
| Identify | The organization’s current cybersecurity risks are understood. | Identify all Kubernetes resources, dependencies, and potential vulnerabilities. |
| Protect | Safeguards to manage the organization’s cybersecurity risks are used. | Implement network segmentation, role-based access control (RBAC), and secure configurations for Kubernetes components. |
| Detect | Possible cybersecurity attacks and compromises are found and analyzed. | Use observability tools to detect abnormal activities in the cluster. |
| Respond | Actions regarding a detected cybersecurity incident are taken. | Create and implement incident response plans specific to Kubernetes. |
| Recover | Assets and operations affected by a cybersecurity incident are restored. | Develop and test backup and recovery procedures for Kubernetes clusters. |


Exploring the CIS Benchmarks for Kubernetes

The CIS Benchmarks for Kubernetes act as a companion to the NIST CSF. CIS controls are a set of directly actionable, concrete best practices related to setting up a secure Kubernetes cluster. The benchmarks comprehensively cover all components relevant to the architecture of Kubernetes (such as the control plane, etcd, and worker nodes). In addition, they address governance of the workloads that users place on top of these components (such as RBAC and pod security).

The CIS Benchmarks are a sweeping set of configuration checks. They range from file ownership of various components (e.g., 1.1.4: Ensure that the controller manager pod specification file ownership is set to root:root) to manual checks that the policies and procedures governing the cluster are properly set (e.g., 3.2.2: Ensure that the audit policy covers key security concerns).

Organizations can use automation to check most of these benchmarks, and the remaining benchmarks can be assessed as part of a manual audit process.

The following are explicit controls that are checked using the CIS Benchmarks:

| Target Area | Benchmark Categories |
|---|---|
| Control plane components | Configuration files: secure settings for the API server, etcd, controller manager, and scheduler; API server: secure configuration settings; Controller manager: proper security settings; Scheduler: security configurations; etcd: secure configuration for etcd components |
| Control plane configuration | Authentication and authorization: best practices for securing access; Logging: proper logging practices and configurations |
| Worker nodes | Configuration files: secure file settings; Kubelet: security settings for the kubelet; kube-proxy: secure configurations |
| Policies | RBAC and service accounts: role-based access control settings; Pod security standards: best practices for pod security; Network policies and CNI: configuring network policies; Secrets management: best practices for handling secrets; Extensible admission control: using admission controllers |

The CIS Benchmarks have additional general policies and security recommendations that don’t fall into any of these categories, but they are worth noting. Examples include applying security context to your pods and containers (5.7.3) and not using the default namespace for workloads (5.7.4).
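As an added illustration of the automated checking described above (example code written for this article, not CrowdStrike's or CIS's own tooling), the script below evaluates two of the general policy recommendations just cited, 5.7.3 (security context applied) and 5.7.4 (no workloads in the default namespace), over JSON in the shape that `kubectl get pods -A -o json` returns, and rolls the results up into a pass/fail count. The pod list is a constructed sample, and the exact pass/fail interpretation of each benchmark is a simplification of the CIS wording.

```python
import json

# Constructed sample in the shape of `kubectl get pods -A -o json` (trimmed).
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"name": "web", "namespace": "default"},
     "spec": {"containers": [{"name": "app", "image": "web:1"}]}},
    {"metadata": {"name": "api", "namespace": "shop"},
     "spec": {"securityContext": {"runAsNonRoot": True},
              "containers": [{"name": "app", "image": "api:1",
                              "securityContext": {"allowPrivilegeEscalation": False}}]}},
    {"metadata": {"name": "worker", "namespace": "shop"},
     "spec": {"containers": [{"name": "job", "image": "job:1"}]}},
]})


def check_security_context(pod):
    """5.7.3 (simplified): each container should have a securityContext;
    a non-empty pod-level securityContext counts as a fallback.
    Returns the names of containers with neither."""
    pod_ctx = pod["spec"].get("securityContext")
    return [c["name"] for c in pod["spec"].get("containers", [])
            if not (c.get("securityContext") or pod_ctx)]


def check_default_namespace(pod):
    """5.7.4: workloads should not run in the default namespace."""
    return pod["metadata"]["namespace"] == "default"


def audit_pods(pods_json):
    """Run both checks over every pod.
    Returns (findings, passed, total): findings is a list of
    (benchmark id, namespace/pod) pairs; passed/total feed a health score."""
    findings, passed, total = [], 0, 0
    for pod in json.loads(pods_json)["items"]:
        ref = f'{pod["metadata"]["namespace"]}/{pod["metadata"]["name"]}'
        for check_id, failed in (("5.7.3", bool(check_security_context(pod))),
                                 ("5.7.4", check_default_namespace(pod))):
            total += 1
            if failed:
                findings.append((check_id, ref))
            else:
                passed += 1
    return findings, passed, total


if __name__ == "__main__":
    findings, passed, total = audit_pods(SAMPLE_PODS)
    for check_id, ref in findings:
        print(f"FAIL {check_id} {ref}")
    print(f"score: {passed}/{total} checks passed")  # prints "score: 3/6 checks passed"
```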

 


Comparing NIST and CIS frameworks

The scope and focus of these two frameworks are complementary. NIST has a broad focus that extends well beyond Kubernetes clusters, but it still applies to cluster administration. The CIS Benchmarks give specific guidance on how to operate a Kubernetes cluster and its surrounding components securely, with a measurable set of checks you can use to determine a health score.

The NIST framework lends itself to a more strategic approach, setting up the work that you will take on to improve the security of your clusters. It is well suited for a high-level plan for tackling some organizational cybersecurity goals related to Kubernetes.

CIS Benchmarks are more tactical, giving you individual areas to improve or enforce in discrete chunks. They give you a detailed view of how well (or how poorly) your clusters are configured, along with a concrete number you can point to (such as how many benchmarks each cluster passes or fails), which can roll up into a health metric for tracking areas of improvement.

When combined, NIST and CIS offer a top-down framework to guide your organization to security excellence, with a bottom-up set of technical benchmarks for accountability as you work on improving the security of each cluster.

Implementing these two frameworks within your organization can be daunting. The CIS document spans over 300 pages, describing each CIS Benchmark in detail. Meanwhile, the NIST framework is a 30-page document with general guidelines that your organization would need to concretize.

 


Lean on CrowdStrike for Kubernetes security guidance

NIST offers a set of functions, categories, and subcategories that an organization can use to plan how it will meet high-level cybersecurity goals. The NIST framework is organized around core functions that break down into increasingly specific and concrete components to help mitigate organizational risk. The CIS Benchmarks for Kubernetes offer concrete implementation guidance that fits into these categories; they form a framework of individual pass/fail checks for properly configuring Kubernetes.

CrowdStrike is a proven leader in the cybersecurity space, and the CrowdStrike Falcon® platform helps organizations comply with the NIST and CIS frameworks. It helps organizations implement NIST controls, covering various levels of control families. Additionally, CrowdStrike has partnered with the CIS to build CIS Benchmarks into the Falcon platform, leading to swift setup of the CIS Benchmarks for Kubernetes.

If you’d like to see how the CrowdStrike Falcon platform can make it simple to secure your Kubernetes environments using the NIST and CIS frameworks, read how CrowdStrike can help you prepare for the future of NIST CSF and request a free trial to get started today.

 


Karishma Asthana is a Senior Product Marketing Manager for Cloud Security at CrowdStrike, based out of New York City. She holds a B.S. in Computer Science from Trinity College. With a background in software engineering and penetration testing, Karishma leverages her technical background to connect the dots between technological advances and customer value. She holds 5+ years of product marketing experience across both the cloud and endpoint security space.