Problem Overview: Securing and managing dynamic Kubernetes environments is challenging. Traditional solutions fall short of addressing the complexities inherent in securing ephemeral IPs, dynamic pod lifecycles, and forward-looking network configurations.
This whitepaper addresses cloud native gaps, aligned closely with NIST 800-53r5 under the following control families: Access Control, Auditing and Accountability, and Incident Response.
Solution Highlight: Cilium, as a CNCF-graduated project and the only graduated CNI plugin, serves as the cloud native standard for secure and observable connectivity and offers an array of advanced functionalities that span networking to runtime through its sub-projects Hubble and Tetragon.
Cilium, Hubble, and Tetragon simplify access control at the runtime and network layers, produce deep auditing and accountability data, and support real-time and historical incident response across Linux environments.
Key Features: Cilium’s differentiators are advanced eBPF-powered networking, security, and observability features, which grant organisations Kubernetes identity awareness and fine-grained control. These capabilities facilitate easy-to-deploy implementation and validation of compliance principles in Kubernetes environments, supported by Hubble observability and Tetragon runtime features.
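To make the identity-aware, fine-grained control described above concrete, the following CiliumNetworkPolicy is an added illustration written for this summary; it is not taken from the whitepaper or from the Cilium project's own documentation. The namespace "shop", the labels "app: frontend" and "app: backend", the port 8080 and the "/api/" path prefix are constructed values. The policy selects backend pods by label (Cilium maps labels to security identities, so it holds regardless of pod IP churn), permits ingress only from frontend-labelled endpoints, and further restricts the allowed traffic to HTTP GET requests under /api/ using Cilium's layer 7 rules; everything else to the selected pods is denied.

```yaml
# Added example, not the whitepaper's own: identity-based ingress control
# with a layer 7 HTTP restriction. Namespace, labels, port and path are
# constructed placeholders for illustration.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-frontend-to-backend
  namespace: shop
spec:
  # Pods this policy protects, selected by label rather than IP address
  endpointSelector:
    matchLabels:
      app: backend
  ingress:
    # Only endpoints carrying the frontend identity may connect
    - fromEndpoints:
        - matchLabels:
            app: frontend
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
          # Layer 7 rule: only GET requests whose path starts with /api/
          rules:
            http:
              - method: GET
                path: "/api/.*"
```

Because the selector is label-based, the policy stays correct when pods are rescheduled and receive new IPs, which is the ephemeral-IP problem noted in the overview. Connections the policy rejects are recorded by Hubble with a DROPPED verdict (for example via hubble observe --verdict DROPPED), which is the flow-level evidence the Auditing and Accountability controls call for.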
Target Audience: This document is tailored for technical compliance stakeholders, security teams, and platform engineering teams looking for a comprehensive solution to effectively manage Kubernetes environments and implement compliance principles using eBPF and Cilium.
This whitepaper focuses on publications from the NIST Computer Security Resource Center, namely the controls detailed in NIST SP 800-53r5 with some additional content from NIST SP 800-190; however, the applicability of these solutions is far more wide-reaching than just passing NIST assessments. NIST SP 800-53r5 is a widely used, industry-agnostic framework that shares many of the same principles as industry-specific standards like SOC2, ISO, HIPAA, USDP, FIPS, and more.