StrongDM manages and audits access to infrastructure.
- Role-based, attribute-based, & just-in-time access to infrastructure
- Connect any person or service to any infrastructure, anywhere
- Logging like you've never seen
The CIS Kubernetes Benchmark is a set of prescriptive recommendations assembled to guide administrators to achieve good security hygiene and results in strengthened security outcomes for their Kubernetes environments.
Because the recommendations are prescriptive (as they are for most of the CIS Benchmarks), they describe a specific command or setting to be made on a Kubernetes component, what problem the recommendation mitigates, the test for a successful outcome and a remediation to satisfy the recommendation.
At the end of the recommendation made by the CIS Benchmark, there is a mapping to specific CIS Critical Security Controls Safeguards. The Controls Safeguards are aligned with StrongDM’s capabilities.
CIS Recommendations Guidelines for StrongDM
Our role in helping Kubernetes admins focuses on proactive prevention. Meaning, of the relevant recommendations, StrongDM would prevent the issue described from happening in the first place.
StrongDM proactively prevents the following issues addressed by CIS for Kubernetes: the Kubernetes API service (Section 1.2), Authentication and Authorization System (Section 3.1), and the RBAC and Service Accounts Components (Section 5.1).
1. Standing access and standing privileges
StrongDM’s Access Workflows and Just-In-Time access capabilities allow teams to implement access to critical Kubernetes administrative components only when needed and for the duration required. Eliminate standing access and privileges to Kubernetes admins and grant access to components only when needed via automated and manual workflows.
2. Credentials exposure
StrongDM never exposes the credentials needed to access target resources, including Kubernetes, to end users. Rather, the credentials are obtained from a secure vault of your choosing, and exchanged between the StrongDM Gateway and Resource in an encrypted exchange and are never stored on permanent media.
3. Least privilege reporting
The StrongDM Least Privilege Report provides information about access grants to Kubernetes and other resources that have been inactive for a certain period of time, displaying information such as the user’s name and permission level, the name and type of resource they were granted access, and the last time the resource was accessed. This report allows admins to easily see which users are not using the resources available to them, and assess whether or not their access should be revoked.
💡Make it easy: Fine-tune least privilege by analyzing and responding to comprehensive access insights. Easily report on which privileges are being used (or not). Try it for yourself.
4. Session recording and audit logs for auditing and visibility
StrongDM provides session recordings and audit logs for all access to Kubernetes resources, including the kubectl commands issued, which are critical for identifying root cause and responsible entity in security incidents. This improves Mean Time to Investigate (MTTI) and Mean Time to Respond (MTTR) to any incident.
Conclusion: StrongDM Is Critical for Implementing CIS Kubernetes Benchmark
StrongDM provides a robust set of capabilities that simplify access, while maintaining the most secure posture for administrative access to Kubernetes. Support of Kubernetes is just one component that makes up our Zero Trust PAM platform. Knowing that Kubernetes hosts and is adjacent to a myriad of applications and services critical to your business, we also support resources such as databases and cloud accounts, legacy as well as cloud-native applications, and we centralize access to every one of those resources.
Want to see more Zero Trust PAM Kubernetes in action? Book a demo.
About the Author
💙 this post?
Then get all that StrongDM goodness, right in your inbox.
You May Also Like
Kubernetes is a popular tool for managing synchronized groups, or clusters, of computers. Users employ it to configure and deploy applications in parallel across clusters on your networks. The kubectl command line tool in Kubernetes lets you send instructions to and receive information from your clusters. This kubectl cheat sheet is a quick guide to getting started with kubectl, including installation, configuration, key commands, and efficiency tips.
Kubernetes pod restarts are important for efficiently managing containerized applications in a dynamic microservices architecture. Understanding how to effectively restart pods using kubectl will help you streamline operations and minimize downtime. This article describes five methods to restart Kubernetes pods empowering you to maintain application health and performance confidently.
If you’re Kuberntes admin and you’re not familiar with the tactics outlined in the MITRE ATT&CK framework, this blog post is for you. MITRE ATT&CK framework is an extensive knowledge base of tactics and techniques employed by bad actors that defensive security experts use to help defend their organizations against attack, and many times, used by their offensive security counterparts to test their weaknesses.
Secure access controls must be applied universally and consistently across all your infrastructure—from the Linux boxes in your datacenter to your Kubernetes clusters in AWS. StrongDM Dynamic Access Management is uniquely positioned to provide seamless, secure access across your entire stack, simplifying access management and compliance for your legacy systems and modern cloud stack.