Container Compliance: GDPR, PCI DSS, HIPAA and SOC 2

What Is Container Compliance?

Containerized architectures have revolutionized the way software is developed, tested, and deployed. Ensuring container compliance and compliance security controls for this new type of infrastructure poses significant challenges.

Most industry standards and regulations were created before containers became popular, and therefore these standards have no specific provisions for securing containers. At the same time, containers create new types of security risks that must be addressed to prevent compliance violations. This challenges DevOps teams and IT operations to map compliance requirements to new containerized environments.

This is part of a series of articles about container security.

Container Compliance Challenges

Here are common challenges most organizations face when implementing container compliance:

Vulnerability management and network security
Many containers are based on open source images that can potentially contain vulnerabilities. Deploying these containers can introduce critical risks to the environment. It is also difficult to locate containers and monitor network traffic between them. However, monitoring is essential to identify and remediate vulnerabilities before deploying to production, and to prevent unauthorized access and lateral movement.

Threat analysis and mitigation and access control
Using policy-based security rules and automatic scans, you can protect containerized environments against malicious activity. These security measures typically employ threat analysis to monitor the environment and policies to mitigate issues.

You should also use user access controls to ensure only users and applications meeting specific requirements get access to a container, limiting access to the minimum needed. Real-time visibility and event auditing trails can help protect data in containerized environments, logging and auditing access to sensitive data and systems according to compliance standards.

GDPR Compliance for Containers

The General Data Protection Regulation (GDPR) applies to organizations handling the personal data of EU citizens. It specifies various requirements for data protection, such as:

  • Applying encryption and pseudonymization to personal data.
  • Maintaining the confidentiality, integrity, and availability (CIA) of all systems involved in data processing.
  • Regularly testing and evaluating the effectiveness of security measures.
  • Ensuring that access to personal data can be restored after an incident.

Organizations trying to achieve GDPR compliance for containerized workloads must take a multi-pronged approach to container security. Here are several GDPR security requirements for containerized workloads:

  • Scanning images for vulnerabilities.
  • Limiting access to sensitive data.
  • Enforcing strict network access controls.
  • Monitoring for threats in real time.

PCI DSS Compliance for Containers

The Payment Card Industry Data Security Standard (PCI DSS) defines a framework that businesses must follow to reduce the risk of fraud and data breaches. It applies to organizations accepting or processing payment card data. Therefore, PCI DSS container compliance is mandatory for container workloads related to most eCommerce and retail applications.

PCI DSS compliance includes 12 main requirements, including disabling default values for passwords, maintaining firewalls, safely storing cardholder data, regularly updating antivirus programs, and meeting data security requirements.

It is difficult to reconcile PCI DSS requirements with container workloads, because the standard is not prescriptive about how enterprises should meet these requirements. Tools like Kubernetes Security Posture Management (KSPM) platforms can help businesses achieve PCI DSS compliance by automatically defining security policies, scanning container workloads on Kubernetes clusters, detecting misconfigurations, and identifying issues with role-based access control (RBAC).

HIPAA Compliance for Containers

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) defines a compliance framework that governs patient privacy across all health records. In 2003, the Security Rule was added to govern digital health records.

Any entity handling individually identifiable electronic protected health information (ePHI) must comply with HIPAA requirements, including applications used by healthcare providers for care, billing, or communications purposes.

The HIPAA Security Rule standards include physical, technical, and administrative safeguards. The technical safeguards are related to the IT infrastructure and include access control, integrity, audit controls, transmission security, and authentication.

HIPAA compliance challenges
HIPAA’s security framework provides high-level guidance without specific instructions explaining how to meet these requirements for containers and Kubernetes. It is also unclear what the framework considers protected or unprotected health information.

Most organizations attempt to achieve HIPAA compliance by implementing the NIST SP 800-190 framework, which defines best practices and guidelines for container security. It provides a container-specific framework that can make it easier to demonstrate compliance.

Implementing the NIST SP 800-190 framework alone is not enough to meet HIPAA requirements. HIPAA compliance requires additional measures, such as data segregation controls that protect ePHI and keep it separate from other data types, and backups of configuration files so that the application can be fully recovered.

SOC 2 Compliance for Containers

Service Organization Control (SOC) reports are the main way for service providers to demonstrate the effectiveness of their security controls for protecting customer data. The American Institute of Certified Public Accountants (AICPA) is responsible for issuing these reports.

As a service organization, you may need to demonstrate SOC 2 compliance to work with other companies (user entities). You have the final responsibility for managing customer data. SOC 2 is the most important security-related SOC report.

Creating custom SOC 2 compliance reports
An important difference between SOC and other compliance standards is that there is no list of predefined controls to implement. Each SOC report is specific to the services provided to a user entity. Thus, service organizations may have different SOC reports for each user and service.

The auditor must evaluate and approve a custom control list when creating a SOC report. The AICPA defines guidelines for security, availability, processing integrity, confidentiality, and privacy; these trust services principles help service organizations curate their SOC 2 controls.

SOC 2 compliance in Kubernetes environments
Ensuring SOC compliance in Kubernetes requires a novel approach. Application teams must clearly understand the controls required to secure containerized workloads. Monitoring compliance continuously throughout the project is also important, allowing teams to manage security risks and pass data security audits confidently.

How Automated Policies Can Improve Container Compliance

Continuous compliance means enforcing best practices for the whole time containers are running, not only at assessment time. If you deploy containers on a regular basis (monthly, weekly, or daily), you cannot rely on quarterly compliance assessments to find weaknesses. Continuous monitoring of these containers is essential, but it puts a major burden on IT and security teams.

The key to ongoing compliance is implementing best practices in policies, and translating them into code; this is called policy as code (PaC). Policies are best practices encoded in a machine-parsable, auditable, and reproducible format. Instead of creating a list of best practices manually, create a policy repository that forms a guardrail for your container infrastructure.

Developing an organizational strategy is an iterative process that can involve teams implementing build and deployment pipelines, container infrastructure, and security policies. Start small, build a list of critical requirements based on the relevant compliance standards, and add incrementally as your process matures. Reinforce it with best practices derived from your organization’s unique experience.

Finally, set up a mechanism to automatically apply these policies. Automation is critical to continuous compliance, to ensure that policies are applied consistently across all workloads. It can eliminate the possibility of human error and save countless hours of repetitive manual tasks.
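As an added example (not Calico's or this article's own code) of what a small policy repository can look like: each rule maps one of the requirements discussed above (approved, scanned images; least privilege; segregation of regulated data) to a machine-checkable condition, and the repository is evaluated over a Kubernetes pod manifest. The registry prefix, the `data-class` label key and the namespace names are assumptions.

```python
"""Minimal policy-as-code evaluator for Kubernetes pod manifests (added example)."""

APPROVED_REGISTRY = "registry.example.internal/"   # assumption: scanned images only
SEGREGATED_NAMESPACES = {"ephi", "cardholder"}     # assumption: isolated namespaces
REGULATED_CLASSES = {"ephi", "cardholder"}         # assumption: values of data-class label


def containers(pod):
    return pod.get("spec", {}).get("containers", [])


def rule_approved_image(pod):
    # GDPR/PCI: only images that passed the pipeline's vulnerability scan are
    # pushed to the internal registry, so the registry prefix acts as the gate.
    return [f"{c['name']}: image {c['image']} not from approved registry"
            for c in containers(pod) if not c["image"].startswith(APPROVED_REGISTRY)]


def rule_least_privilege(pod):
    # HIPAA access control / PCI: no privileged containers, no root user.
    findings = []
    for c in containers(pod):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{c['name']}: privileged container")
        if not sc.get("runAsNonRoot"):
            findings.append(f"{c['name']}: runAsNonRoot not set")
    return findings


def rule_data_segregation(pod):
    # HIPAA/PCI: workloads labelled as handling regulated data must run in a
    # dedicated namespace so label-based network policy can isolate them.
    meta = pod.get("metadata", {})
    data_class = meta.get("labels", {}).get("data-class")
    ns = meta.get("namespace", "default")
    if data_class in REGULATED_CLASSES and ns not in SEGREGATED_NAMESPACES:
        return [f"data-class={data_class} pod in shared namespace {ns}"]
    return []


# The policy repository: adding a rule means adding a function here.
POLICY_REPOSITORY = [rule_approved_image, rule_least_privilege, rule_data_segregation]


def evaluate(pod):
    """Return all findings for a manifest; an empty list means compliant."""
    return [f for rule in POLICY_REPOSITORY for f in rule(pod)]


# Constructed sample manifest that violates every rule above.
SAMPLE_POD = {
    "metadata": {"name": "billing", "namespace": "default",
                 "labels": {"data-class": "cardholder"}},
    "spec": {"containers": [{"name": "web", "image": "docker.io/library/nginx:latest",
                             "securityContext": {"privileged": True}}]},
}
```

Running `evaluate` in a CI step or an admission webhook turns the same rules into the automated guardrail described above.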

Container and Kubernetes Compliance with Calico

Calico supports major compliance standards including PCI DSS, HIPAA, GDPR, SOC 2, CCPA, and any custom frameworks. Calico Cloud provides Kubernetes users with the following features to address compliance requirements:

  • Continuous compliance – Monitor and log changes to security policies based on your organization’s time-based requirements. Maintain your security posture to meet compliance requirements.
  • Compliance reports – Define custom compliance reports and run reports on demand to provide proof of compliance.
  • Policy implementation – Create policies that are Kubernetes-native and based on metadata and labels instead of IP addresses.
  • CIS Benchmark reports – Get out-of-the-box CIS benchmark compliance reports. Use the GlobalReport resource to schedule reports and set compliance thresholds.
