August 13, 2020 | Written by: Sai Zeng
Categorized: Hybrid Cloud
Share this post:
Today, traditional enterprises are looking for ways to leverage the cloud for their digital transformation. This is driven by the need to create new revenue streams, deliver superior user experience, and reduce capital and operational expenditure.
Hybrid cloud has emerged as the new normal for traditional enterprises. This is demonstrated by the fact that 94% of these enterprises today have a mix of cloud models – public, dedicated, private, and hybrid and 67% of them are using multiple public clouds.
Hybrid environments empower the enterprise to access ‘unlimited’ resources, services, and technologies to accelerate their innovation and their transformation. However, continuing to operate in a secure and compliant way — and adhering to the regulatory requirements across a growing number of providers, tools, and technologies — is a very complex and daunting task.
To make the situation more difficult, cyberattacks, data breaches and malware are on the rise. On average, over 40 vulnerabilities are reported daily based on the statistics from the National Vulnerability Database (NVD). The impact averages $3.86 million per breach, according to IBM’s 2020 Cost of a Data Breach Study. Within enterprises, the amount of work to manage security and compliance has become overwhelming, if not impossible.
To address these challenges, IBM Research has incubated and implemented a Kubernetes-based compliance framework to address risk within hybrid cloud environments. This framework provides a “single pane of glass” for your environments and applications and is a core component of IBM Cloud Pak for Multicloud Management, which was recently made generally available.
In this Kubernetes based hybrid control plane and policy enforcement framework, the hybrid control plane centralizes compliance management of all private and public clouds, as well as on-premises environments. The hybrid control plane and policy applications allows operators to apply a policy that is enforced, even as applications are edited and moved by development teams.
The framework monitors the ongoing security and compliance postures for a wide range of hybrid cloud resources and services such as Virtual Private Clouds (VPCs), Network, Storage, Virtual Machines (VMs), Kubernetes clusters and containers. (Figure 1).
Figure 1. Hybrid Compliance Framework applications
It provides near real-time visibility, enabling a quick response to any issues that surface. Policy as code and continuous compliance automation is our design philosophy. Policies are digitized and built at a microservice level, which can automatically be shared across all components wherever they run. The policy controls are enforced according to the pre-defined desired state, leveraging autonomous automation through policy controllers and operators. These desired compliance states, resources, controls and other critical compliance data elements are captured in the Hybrid Compliance Posture Collector and Datastore
The continuous resolution pattern reduces the chance of attacks and increases operation efficiency. In the case that issues cannot be fixed right away, an industry leading risk assessment method — – conducted by the risk analyzer — is employed which is based on Common Vulnerability Scoring System (CVSS). However, it goes beyond CVSS to consider if an attacker is actively weaponizing a vulnerability, by identifying the criticality of the exposed IT resources to the business. Only with such comprehensive measure can customers address the real risk on the resources that matter to their business.
Following is further detail on the Kubernetes-based hybrid control plane and policy enforcement framework, Hybrid Compliance Posture Collector and Datastore, and the risk analyzer.
Kubernetes based hybrid control plane and policy enforcement is designed to visualize and manage the security and compliance of hybrid applications and environments, addressing heterogeneity and complexity. Today, modern applications are using Kubernetes (K8s) containers, but a significant portion of such applications still need to work with existing non-containerized. These applications run in traditional environments and have stateful workloads due to the fact that a client’s journey to cloud can take up to several months or for client specific reason will remain non-containerized.
To converge the visibility and management of both K8s and non-K8s applications into one control plane, our IBM Research team experimented and extended the K8s native capabilities to represent and manage VMs resources and other non K8s resources. This way, they leverage the extensibility, portability, and openness of the K8s’s design. The increasing popularity of large and rapidly growing ecosystems also makes K8s stand out as the primary choice of a hybrid control plane.
In our design, a data structure representing a VM is defined as a Customer Resource Definition (CRD) and a VM instance is represented as Custom Resource (CR). The compliance policy is digitized as a CR with a structure which is both human readable and machine readable, allowing the policy to be executed in two modes, an inspection (scan only) mode and an enforcement mode. The policy execution is orchestrated through the VM Operator which is designed to monitor and act on the VM resources. Under the covers, the VM Operator instruments Ansible to connect to the target VMs and invoke the playbooks to perform the inspection (scans) and remediations (enforcement) runs. This design approach can be easily extended to manage other types of non-K8s resources through operators that leverage preferred automation tools. Following this approach, non K8s applications and non K8s resources can all be managed by one K8s control plane which can be accessed and operated via standard tools, command line interfaces (CLIs) and application programming interfaces (APIs).
Hybrid Compliance Posture Collector and Datastore is designed to store and manage the information of security and compliance state of hybrid environments and the individual resources (e.g. VMs, containers, network, VPCs, etc.) It provides data feeds for near real-time visibility of IT states, technical controls, risk assessment data sources, audit evidence gathering, and many other security intelligence including trending and aggregation. In the hybrid compliance posture datastore, compliance IT inventory, compliance policy groups, placement rule, and compliance state are the key data sources.
The compliance IT inventory data includes details about hybrid resources in order to uniquely identify each resource for the purpose of policy assignment, compliance state association, risk assessment, audit, etc. Compliance policy groups are a set of controls together representing regulatory standards such as NIST 800-53, Payment Card Industry (PCI) or Health Insurance Portability and Accountability Act (HIPAA). Policy inspection and enforcement produces compliance state information for each resource. Thanks to the fine granularity of the compliance state information made available in the datastore, and the association with the resources and policy controls, security practitioners can perform what-if analysis and answer many questions regarding the compliance posture and encountered risks. For example, what are all the issues found for a selected resource; which set of resources are compliant; which set of resources are not compliant and why; which set of resources are critical to the business with high risk; when can the high risk be addressed, and so on.
Risk analyzer enables assessment of the risk of the compliance posture considering comprehensive set of risk factors: exposure, weaponization, and impact of the deviations discovered through policy execution.
NIST Common Vulnerability Scoring System (CVSS) is the de-factor standard today for vulnerability risk assessment. However, CVSS risk assessment approach leverages a set of “clean room” metrics without considering what attackers are leveraging in the wild. For example, CVSS doesn’t differentiate the weaponized vulnerabilities from the non-weaponized vulnerabilities. As the result, organizations could prioritize the vulnerabilities with no known exploits over the vulnerabilities which are popular, and heavily targeted with many exploits among attackers, hence address less risky issues first.
In our approach, in partnership with IBM Security, we conduct assessment from all possible risk factors, exposure, weaponization, and impact. Exposure measures the accessibility of a resource to both internal teams and the outside world. Weaponization measures each vulnerability and mis-configuration’s level of exploitation in the wild in order to estimate their popularity among attackers. The consequence of a successful exploitation is measured by impact, which is a combination of the attacker’s ability to affect a resource and the client’s reliance on this resource. Our risk ranking approach comprehends all these risk factors into a risk score. This truly enables clients to address the risky issues with high priority.
In summary, we have implemented three key features in the recently released IBM Cloud Pak for Multi-cloud Management for operational compliance control and evidence collection. These features entail extensions to the K8s and non-K8s resources, compliance data store and operational risk assessment for compliance posture. These features are all key for the full stack compliance management of hybrid environments.