DevSecOps compliance: Make your auditor's job easier!

Compliance is the topic of this entry in Red Hat’s Security series! In March 2021 the Red Hat Security Ecosystem team began introducing DevOps Security topics to help you learn how Red Hat weaves together DevOps and security to master the force called DevSecOps.  We explain how to assemble Red Hat products and our security ecosystem partners to aid in your journey to master deploying a comprehensive DevSecOps solution.

Compliance can mean a lot of different things, but in this post we will focus on regulatory compliance, and what to think about when attempting to audit and meet compliance requirements within a Red Hat OpenShift deployment. 

Compliance methods and technologies help you adhere to industry and government regulations and corporate policies. They automate compliance validation and reporting throughout DevOps, helping you simplify audits and avoid costly regulatory fines and lawsuits.

However, getting security right is very complicated with endless areas of confidentiality, integrity and availability.  A growing number of industries have legal or contractual obligations towards compliance and have created industry standards. 

Security software vendors have created tools to allow end-users, service providers, and other product builders to more easily evaluate security compliance against the whole framework versus looking at hundreds of different controls. Here’s a sample of some of the common compliance standards we run into:

• Payment Card Industry Data Security Standard (PCI-DSS) increases controls around cardholder data to reduce credit card fraud.

• ISO/IEC 27001 is a set of international standards on how to manage information security to help organizations make the information assets they hold more secure.

• U.S. Health Insurance Portability and Accountability Act (HIPAA) is a United States federal law to protect sensitive health information from being disclosed unless the patient consents. .

• European Union General Data Protection Regulation (GDPR) harmonizes national data privacy laws in the European Union to protect the privacy of citizens of the EU..

• Security Technical Implementation Guides (STIGs) are configuration standards consisting of cybersecurity requirements for a specific product used widely in the Federal industry.

• Federal Risk and Authorization Management Program (FedRAMP) is a United States government program to standardize security assessments, authorization, and continuous monitoring for cloud products and services.

The Red Hat DevSecOps Framework (diagram above), includes two compliance methods: compliance audit and technical controls. 

Compliance audit is a function which typically scans a config, container, cluster, or system to report if the object in question is in compliance or not.  In the DevSecOps Framework, “compliance controls” weave automation with technical controls. This can help automate and enable proper actions, or prevent actions that would result in non-compliance.  As an example, a few concrete examples of what items are audited:

• Configuration of your deployments for production readiness and security, i.e. required labels, and privileged containers.

• Configuration of your Dockerfiles, i.e. exposed ports, and required Dockerfile lines.

• Known vulnerabilities affecting the base image and application dependencies.

• Risk analysis of packages in your images. For example, we assess that including nmap in your images increases risk.

These items are typically audited throughout the life cycle within integrations at build automation, container admission and the running cluster as shown in this table:

... # For 4.6, verify that the authorization-mode argument includes RBACoc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["authorization-mode"]'

Top 5 todos to help pass your audit

So, how are you going to make your auditor’s job easy and pass your first audit?  Well, Bill Montgomery and Nathan Kinder, a couple of Red Hat Engineering Senior Managers, have expertise in completing product compliance audits and offer the following todos to get started: 

1. Documented Policies and Procedures: Documentation is typically greater than 50% of an Audit. Policy documentation is all about what you do for things like access, change control, backups and data retention. Procedure documentation is how you do things, for example, how you scan for vulnerabilities or how you delete data.

2. Change Control: Ensure that all changes to production are auditable and follow the principle of Separation of Duties to ensure no individual can affect a change to production acting alone.  GitOps is a process used frequently in DevOps that can implement Change Control efficiently and effectively.

3. Encryption everywhere: All current compliance frameworks require encryption for data at rest (i.e., on disk) and in transit (i.e., network communications). Especially for network encryption, ensure server processes are configured to enforce negotiation of strong security protocols (TLS >= 1.2, HSTS).

4. Vulnerability management: Ensure your development process is scanning for software vulnerabilities early and often.  For containers, vulnerabilities can exist in all layers of the stack, including the operating system, the cluster, the base layer, any application services added to run your application like web servers or 3rd party dependencies, and the custom code that makes up the application itself.

5. Security Monitoring: FedRAMP calls this set of practices “ConMon” or “Continuous Monitoring”, which require some frequency and breadth/depth of security monitoring.   Ensure to aggregate security data from things like audit logs, file integrity scans and vulnerability scans and send them to some type of SIEM. Use software to analyze security events and alert incident response to anomalous audit events.

Getting started on these five items can help go a long way to helping you pass your audit, and impress your auditor. 

However, be sure to follow all the specific framework requirements for the compliance framework you are trying to achieve.  Hopefully, we provided some insight on Compliance for DevSecOps, with a few key things to know when integrating compliance audits and technical controls in your software life cycle.  For more information, please visit www.red.ht/DevSecOps or email us at DevSecOpsHelp@redhat.com.