Feature Release: 18.7 – CIS Kubernetes Compliance Pack, Customized Harvesting, & More
Twice a quarter DivvyCloud releases a new version of our software, and we are excited to announce the final release of 2018! Collaboration with our customers and the broader community helps shape these releases with improvements to core capabilities around discovery, analysis and automated remediation of cloud and container infrastructure, as well as new features and support for the ever-expanding portfolio of services from the major cloud providers.
The primary focus of this release is performance and optimization. We have substantially updated some of our platform capabilities, including a rewrite of our job scheduler that allows you to completely customize your multi-cloud configuration monitoring strategy. We have introduced event driven harvesting for AWS (GCP and Azure to come in future releases) to deliver an additional layer of monitoring and improve our real-time automated remediation capabilities. Our new CIS Kubernetes compliance pack allows customers to automatically assess their security posture in their Kubernetes environments (such as EKS, AKS, and GKE). And finally, our support for Amazon Web Services, Microsoft Azure, and Google Cloud Platform has grown with more than 100 new filters, actions, and general enhancements.
- CIS Kubernetes Compliance Pack
- Many enhancements, including new filters (we now have more than 700 in total) and added support for AWS, GCP, and Azure services
- New Job Scheduler with Custom Harvesting Strategies
- Pack Compliance Detail by Account
Kubernetes is becoming the container orchestration technology most prevalent across enterprises. As Kubernetes grows in popularity, so too have security concerns about the technology. The publication of CIS Benchmarks for Kubernetes in 2017 by the Center for Internet Security was a major step forward to establish a formal approach to using Kubernetes securely. The CIS Benchmarks for Kubernetes are a comprehensive set of prescriptive security guidelines intended to provide companies a way to implement safe and reliable Kubernetes clusters. The latest benchmark for Kubernetes can be found below.
The CIS Benchmarks for Kubernetes define over 120 guideline rules. These rules apply to master and worker nodes. They cover the control plane components (Controller Manager, Scheduler, API Server, etc.) and, in addition, the components that are part of each worker node: kubelet, kube-proxy, cAdvisor and container network interfaces. With this release, we provide automated discovery, monitoring, remediation, and audit of 42 of these rules. DivvyCloud is well suited to address the security concerns of any company using Kubernetes in the cloud or in private data centers. Importantly, we view container security holistically, including relevant insights about the supporting and surrounding cloud infrastructure, and important security areas like Identity & Access Management.
DivvyCloud's automation allows developers to engage in more experimentation and innovation with Kubernetes while also providing the trust and verification that system administrators need to ensure that work is being done according to industry standard security guidelines and well-established best practices. DivvyCloud's approach to supporting the CIS Benchmarks for Kubernetes provides a competitive advantage that is unequaled for companies that put Kubernetes at the forefront of their digital infrastructure.
- Amazon Web Services
  - Support for Container Registries and Images
  - Support for Account Level S3 Bucket Access Controls
  - Support for EC2 instance hibernation
  - Support for new A1 and C5n instance types
  - Event driven harvesting (EDH) support for VPC Flow Logs, Dedicated Hosts, Network Peers, Memcache and Elasticsearch Instances, and RDS Aurora clusters
  - Enhanced visibility and lifecycle support for RDS Aurora Clusters
  - Storage of the resource ARN across all resource types
  - Support for AWS CloudWatch Logs
  - Added support for the us-gov-east-1 region
  - Visibility into whether or not an instance is a spot instance
  - Support for SageMaker Notebooks
  - Support for tags on IAM users/roles
  - Ability to suspend and resume processes for Autoscaling Groups
  - Support for the new Stockholm region (eu-north-1)
- Microsoft Azure
  - Support for Azure Kubernetes Service (AKS)
  - Support for Cosmos DB
  - Support for Graph RBAC
  - Support for Databases
  - Support for Network Peers
  - Visibility into network limits/usage
- Google Cloud Platform
  - Support for Pub/Sub
  - Support for Service Account Keys
  - Support for tracking VPC flow logging and Google Private Access at the subnet level
  - Support for identifying legacy networks
  - Enhanced GKE visibility and configuration checks
  - Enhanced visibility into GCP Storage buckets
Many of our customers have more than 500 cloud accounts, with projections that they will exceed 1,000 accounts in the coming months. This level of scale, once quite rare, is becoming commonplace, and as a result we have rewritten our job scheduler from the ground up and introduced other performance enhancements. These improvements allow DivvyCloud's software to ensure the security and compliance of our customers' environments, no matter what size and complexity, as they aggressively embrace multi-cloud environments for new projects. Importantly, the job scheduler now allows you to completely customize your multi-cloud data harvesting strategy.
Customers now have the ability to create and modify harvesting strategies by cloud, by region, and by resource. In this way, you can better match your harvesting resources with your harvesting needs. For example, you can lower the harvesting cadence in regions where you do not deploy, without leaving blind spots for unauthorized usage in those same regions.
This view, in the new section of our tool, contains a large amount of data.
Reading from left to right, it shows the job we use to harvest the data, the resource type it maps to in DivvyCloud, and then the resource type within each cloud provider. For each resource you then see our default harvesting strategy and the customer override that meets your particular requirements.
Let’s take a look at an example Amazon strategy.
Customers frequently slow down harvesting in regions outside the continental U.S. because they are a U.S. based business and do not need to harvest in Asia Pacific or in India as often. They move the slider (in the top left) to go twenty-five times slower, and as the harvesting strategy saves they see the totals change in the "override" column.
Customers who have hundreds of cloud accounts want to be able to see “what are my least compliant clouds vs. my most compliant clouds.”
This data can be exported as a PDF, so you can produce the view below as a quick report of how you are trending against CIS and send it off to your compliance team.
By drilling into account details (below) you see an overall, day-by-day report of how you are trending for the selected pack. A check is failed if even one resource is non-compliant with that check: it does not matter whether one API key is inactive or a thousand, the count is non-zero, so that particular check is clearly failing. This report can also be downloaded and exported.
DivvyCloud mitigates security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud, and container infrastructure. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes). First, our software performs real-time, continuous discovery of infrastructure resources allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom cloud-native policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.