Alcide Simplifies PCI, GDPR Compliance for Kubernetes

Alcide announced today that it has added support for both the Payment Card Industry Data Security Standard (PCI DSS) and the General Data Protection Rule (GDPR) enacted by the European Union to the Alcide Kubernetes Security Platform.

Company CTO Gadi Naor says organizations can now run scans of Kubernetes clusters to make sure they continuously comply with either compliance requirement.

Alcide already provides tools that make use of machine learning algorithms to identify issues stemming from Center for Internet Security (CIS) Benchmarks, misplaced secrets, excessive access to secrets, deviations from best practices for ingress controllers and deviations from best practices for deploying Kubernetes on Amazon Web Services (AWS).

Naor says the challenge organizations such as retailers face is, in addition to trying to navigate increasingly complex requirements such as PCI DSS, they are deploying a Kubernetes platform that can be misconfigured easily, given all its capabilities. Retailers are supposed to be able to create audit trails showing that their Kubernetes deployments are continuously compliant with a PCI DSS standard that requires credit card data to always be protected. The Alcide Kubernetes Security Platform can ensure that a firewall has been properly configured to protect cardholder data.

The PCI DSS standard is especially challenging because it was developed before Kubernetes became a de facto standard for deploying cloud-native applications. IT teams, for example, will need to determine whether a server definition as understood by the authors of the PCI standard is akin more to a pod, a node or a cluster, notes Naor. Kubernetes also assumes the networking environment is flat, while the PCI DSS standard calls for network segmentation.

GDPR, meanwhile, derives a set of requirements for how personal data is managed. That requirement is now being expanded rapidly via the implementation of similar rules such as the California Consumer Privacy Act (CCPA). Similar data privacy rules are now being debated within at least 25 other states, which in time would then force the U.S. Congress to come up with a national standard.

A recent survey published by Alcide finds 44% of respondents are using Kubernetes in a production environment today. As such, many organizations are now struggling to maintain compliance with a raft of mandates on a Kubernetes platform that is designed to encourage IT organizations to update their IT environments rapidly. The probability of misconfiguring a Kubernetes cluster is understandably high.

Of course, many compliance mandates share a common set of controls. However, they are different enough to often require dedicated teams to address. Alcide is making a case for automating the management of compliance by treating compliance as a distinct class of code to be automated.

It’s not at all clear how much DevOps teams might be assuming responsibility for compliance going forward. However, at the very least, DevOps teams should be able to scan Kubernetes clusters to make sure they comply with all applicable mandates. After all, every minute spent with auditors is time that otherwise could be spent building or deploying applications.

Mike Vizard

Mike Vizard is a veteran IT journalist with more than 25 years of experience covering the technology industry, having previously served as Editor-in-Chief of both CRN and InfoWorld and as editorial director for Ziff-Davis Enterprise, where he oversaw titles including eWEEK, CIO Insight and Baseline. Over his career he has also edited or contributed to a wide range of enterprise technology publications, including IT Business Edge, Channel Insider, ComputerWorld, TMCNet and Digital Review, and he later led editorial for CTOEdge.com. His reporting and analysis span software development, cloud computing, cybersecurity, IT channel strategy and, more recently, artificial intelligence and DevOps practices. A recognized voice in enterprise IT journalism, Vizard is known for tracking emerging technology trends as they move from early adoption into mainstream enterprise use. He now serves as Chief Content Officer for Techstrong Group, where he oversees editorial strategy across the full network — DevOps.com, Security Boulevard, Cloud Native Now, Digital CxO, Techstrong.ai, TechStrong.IT, Techstrong Semi and PlatformEngineering.com — in addition to writing and hosting content for Techstrong TV and the Techstrong Gang podcast.

    Mike Vizard has 1813 posts and counting. See all posts by Mike Vizard