Compliance Frameworks

Security compliance frameworks are essential for safeguarding sensitive data—personal information, health records, payment details—and ensuring system integrity and legal compliance. Ignoring these guidelines can lead to data breaches, hefty fines, and loss of customer trust. In this lesson, we’ll explore the major frameworks and how they apply to Kubernetes environments.

Non-compliance can result in severe penalties, data exposure, and reputational damage.

To begin, here’s a high-level comparison of the frameworks we’ll cover:

Framework	Scope	Key Requirements
GDPR	EU personal data protection	Encrypt data at rest, restrict data access
HIPAA	US healthcare PHI	TLS encryption, strict access controls, secure secrets
PCI DSS	Payment card data	Encrypt in transit & at rest, auditing, strong auth
NIST	Cybersecurity best practices	Risk assessments, security controls, periodic audits
CIS Benchmarks	IT system hardening	Secure configs, RBAC, network policies, logging

The GDPR is an EU regulation that protects individuals’ personal data and privacy rights. In a web application context, GDPR compliance often includes:

Encrypting user data stored in your MySQL database (data at rest)
Ensuring only authorized back-end services can access personal data

The image is about the General Data Protection Regulation (GDPR) and includes icons representing the European Union and personal data, along with key points on securing and encrypting user data. It also features logos related to data protection standards.

HIPAA (Health Insurance Portability and Accountability Act)

HIPAA is a U.S. regulation focused on protecting sensitive patient health information (PHI). For applications handling patient data, you must:

Encrypt all data transfers (front-end ↔ back-end ↔ database) using TLS
Implement strict access controls to prevent unauthorized access
Securely configure Kubernetes Secrets for application use

Ensure your TLS certificates are managed via a secure certificate authority and rotated regularly.

PCI DSS (Payment Card Industry Data Security Standard)

The PCI DSS applies to any system processing payment card data. Key requirements include:

Encrypting cardholder data in transit and at rest
Enforcing strong access controls
Monitoring and auditing all access to payment information

The image outlines the Payment Card Industry Data Security Standard (PCI DSS) with icons and text describing its components, such as restricting access, network segmentation, and logging for cardholder data. It also includes logos for related standards and organizations like GDPR, NIST, and CIS.

NIST (National Institute of Standards and Technology)

NIST publishes the Cybersecurity Framework to improve the security and resilience of information systems. For web applications, typical NIST controls involve:

Conducting regular risk assessments to identify vulnerabilities
Implementing security controls (firewalls, IDS/IPS)
Performing periodic security audits

The image is about the National Institute of Standards and Technology (NIST) and its role in cybersecurity, highlighting its global recognition, risk assessments, security controls, and audits. It includes icons and text related to cybersecurity practices.

CIS Benchmarks (Center for Internet Security)

CIS provides detailed benchmarks for securing IT systems, including Kubernetes. These guidelines cover:

Secure configuration of control plane components (API server, etcd, kubelet, controller-manager, scheduler)
Authentication and authorization (enforce RBAC, disable anonymous access)
Logging, monitoring, network policies, and pod security

Tools like Aqua Security’s kube-bench automate verification of these benchmarks. Below is a sample output from running kube-bench against a Kubernetes cluster:

[INFO]  1.1 API Server
[FAIL]  1.1.1 Ensure that the --allow-privileged argument is set to false (Scored)
[FAIL]  1.1.2 Ensure that the --anonymous-auth argument is set to false (Scored)
[PASS]  1.1.3 Ensure that the --basic-auth-file argument is not set (Scored)
[FAIL]  1.1.4 Ensure that the --insecure-allow-any-token argument is not set (Scored)
[FAIL]  1.1.5 Ensure that the --kubelet-https argument is set to true (Scored)
[FAIL]  1.1.6 Ensure that the --insecure-bind-address argument is not set (Scored)
[FAIL]  1.1.7 Ensure that the --secure-port argument is not set to 0 (Scored)
[FAIL]  1.1.8 Ensure that the --profiling argument is set to false (Scored)
[PASS]  1.1.9 Ensure that the --repair-malformed-updates argument is set to AlwaysAdmit (Scored)
[PASS]  1.1.10 Ensure that the admission control policy is set to AlwaysPullImages (Scored)
[PASS]  1.1.11 Ensure that the admission control policy is set to DenyEscalatingExec (Scored)
[PASS]  1.1.12 Ensure that the admission control policy is set to SecurityContextDeny (Scored)
[PASS]  1.1.13 Ensure that the admission control policy is set to NamespaceLifecycle (Scored)
[FAIL]  1.1.14 Ensure that the --audit-log-path argument is set as appropriate (Scored)
[FAIL]  1.1.15 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)
[FAIL]  1.1.16 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)
[FAIL]  1.1.17 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)
[FAIL]  1.1.18 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)
[FAIL]  1.1.20 Ensure that the --token-auth-file parameter is not set (Scored)
[FAIL]  1.1.22 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored)

The image is about the Center for Internet Security (CIS) and features icons and text related to benchmarks, Kubernetes components, and authentication and authorization. Logos for GDPR, PCI, and NIST are also visible.

Below is a visual comparison of these frameworks—when they apply, their focus areas, and recommended tools:

The image is a table comparing different compliance frameworks, including GDPR, HIPAA, PCI DSS, NIST, and CIS, detailing their purposes, application timing, key focus areas, usage, and recommended tools.

The image is a summary slide listing five key points about compliance frameworks, including data security, encryption requirements, security audits, compliance assessments, and monitoring tools.

Key takeaways:

Compliance frameworks guide data protection, encryption, and access controls
GDPR targets personal data of EU citizens
HIPAA safeguards protected health information (PHI)
PCI DSS secures payment card data
NIST offers risk assessment and security control guidelines
CIS Benchmarks provide granular, automated checks for Kubernetes security

Introduction

Overview of Cloud Native Security

Kubernetes Cluster Component Security

Kubernetes Security Fundamentals

Kubernetes Threat Model

Platform Security

Compliance and Security Frameworks

Compliance Frameworks

HIPAA (Health Insurance Portability and Accountability Act)

PCI DSS (Payment Card Industry Data Security Standard)

NIST (National Institute of Standards and Technology)

CIS Benchmarks (Center for Internet Security)

Links and References

Watch Video

Introduction

Overview of Cloud Native Security

Kubernetes Cluster Component Security

Kubernetes Security Fundamentals

Kubernetes Threat Model

Platform Security

Compliance and Security Frameworks

​GDPR (General Data Protection Regulation)

​HIPAA (Health Insurance Portability and Accountability Act)

​PCI DSS (Payment Card Industry Data Security Standard)

​NIST (National Institute of Standards and Technology)

​CIS Benchmarks (Center for Internet Security)

​Links and References

Watch Video

GDPR (General Data Protection Regulation)

HIPAA (Health Insurance Portability and Accountability Act)

PCI DSS (Payment Card Industry Data Security Standard)

NIST (National Institute of Standards and Technology)

CIS Benchmarks (Center for Internet Security)

Links and References