| Area | Benefits |
|---|---|
| Visibility | - Delivers a comprehensive view of your Kubernetes environment, including all images, pods, deployments, namespaces, and configurations.<br>- Discovers and displays network traffic in all clusters spanning namespaces, deployments, and pods.<br>- Captures critical system-level events in each container for incident detection. |
| Vulnerability management | - Detect host-level vulnerabilities and potential security threats in Red Hat Enterprise Linux® CoreOS.<br>- Scan images for known vulnerabilities in specific languages, packages, and image layers.<br>- Highlight the riskiest image vulnerabilities and deployments to prioritize response.<br>- Correlate vulnerabilities to namespaces, running deployments, and images.<br>- Categorize findings by platform, node, and workload to simplify tracking and ownership.<br>- Enforce policies based on vulnerability details at build, deploy, and runtime.<br>- Integrate ACS with third-party solutions using roxctl and/or the application programming interface (API) to deliver vulnerability notifications in the tools teams use every day (Jira and ServiceNow). |
| Compliance | - Assess compliance with technical controls from security and regulatory frameworks, including CIS, payment card industry (PCI), NIST SP 800-53, DISA STIG, and NERC-CIP.<br>- View overall compliance across the controls of each standard, with the ability to export evidence for auditors.<br>- Drill down to detailed views of compliance results to pinpoint clusters, namespaces, nodes, or deployments that require remediation.<br>- Schedule compliance scans and automate creation of evidence-based reports. |
| Network segmentation | - Visualize allowed vs. active traffic between namespaces, deployments, and pods, including external exposures at runtime.<br>- Identify running processes listening on ports.<br>- Identify anomalous network traffic and inform and enforce runtime policies.<br>- Alert on policy violations when forbidden traffic is observed.<br>- Generate a connectivity graph and show a contextual diff between two versions of the application prior to deployment.<br>- Simulate network policy changes at runtime before they are implemented to minimize operational risk to the environment.<br>- Shift creation of Kubernetes network policies left by analyzing application manifests prior to deployment. |
| Risk profiling | - Heuristically ranks running deployments according to their overall security risk by combining factors such as vulnerabilities, configuration policy violations, and runtime activity.<br>- Track changes in the security posture of your Kubernetes deployments to validate the effect of your security team's actions.<br>- Search running deployments in all clusters to model threat vectors and uncover risk patterns. |
| Configuration management | - Deliver prebuilt DevOps and security policies to identify configuration violations related to network exposures, privileged containers, processes running as root, and compliance with industry standards.<br>- Analyze Kubernetes role-based access control (RBAC) settings to determine user or service account privileges and misconfigurations.<br>- Track secrets and detect which deployments use them, to limit access.<br>- Enforce configuration policies at build time with CI/CD integration and at deploy time using dynamic admission control. |
| Runtime detection and response | - Monitor events to detect anomalous activity indicative of a threat, with correlation to Kubernetes objects.<br>- Implement non-destructive automated response using Kubernetes-native controls with minimal effect on business operations.<br>- Baseline process activity in containers to whitelist processes automatically, eliminating the need to whitelist manually.<br>- Use prebuilt policies to detect crypto mining, privilege escalation, and various exploits.<br>- Monitor Kubernetes admin events and block malicious behavior.<br>- Integrate with external security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solutions to power remediation workflows. |
| Security policy guardrails | - Identify security configuration weaknesses such as network exposures, privileged containers, and processes running as root, with out-of-the-box policies that can be applied at build, deploy, or runtime.<br>- Create custom policies based on Kubernetes-native constructs, including the Kubernetes API, audit logs, and namespace resources.<br>- Provide supply chain security by integrating Advanced Cluster Security with CI/CD pipelines to check for known vulnerabilities and misconfigurations prior to deployment.<br>- Verify image signatures for image attestation and integrity.<br>- Analyze Kubernetes role-based access control (RBAC) settings to flag user or service account privileges and misconfigurations.<br>- Track secrets and detect which deployments use them.<br>- Scale management of policies through the use of Kubernetes labels and by managing policies as code. |
| Integrations | - Provides a rich API and prebuilt plugins to integrate with DevOps systems, including CI/CD tools, image scanners, sigstore, registries, container runtimes, SIEM solutions, and notification tools. |