Operational security

Operational security overview

For operational implementations, HeartAI endeavours to provide modern and robust security profiles. Orchestration with Microsoft Azure Red Hat OpenShift, a managed Red Hat OpenShift service, supports demanding security requirements. As a platform extension to Red Hat OpenShift, Red Hat Advanced Cluster Security (RHACS) is a Kubernetes-native security platform that adds vulnerability scanning, configuration and compliance checks, network policy tooling and runtime detection for container-based environments, providing continuous monitoring and policy enforcement across the Kubernetes-based infrastructure.

OpenShift implementation

HeartAI orchestrates system services with the Kubernetes-compliant Red Hat OpenShift container platform. Further information about the HeartAI implementation of Red Hat OpenShift may be found with the following documentation:

OpenShift and the STRIDE threat model

HeartAI operational security implementations address many common security concerns. Mapped against the STRIDE threat model, the relevant Red Hat OpenShift controls are:

Spoofing

  • Red Hat OpenShift operates with a least-privilege model: every API request is authenticated (bearer token or client certificate) and authorised through role-based access control (RBAC), so an identity can only act on the resources it has been granted. By default, pods that have not been granted a more permissive Security Context Constraint (SCC) are admitted under the restricted SCC (restricted-v2 on current releases), which rejects requests for privileged containers, the root UID, host namespaces or additional Linux capabilities.

  • Communication between control-plane components (API server, etcd, kubelets and controllers) uses mutual TLS, with the certificates issued and rotated by cluster-internal certificate authorities that OpenShift operators manage. Application services can obtain serving certificates from the same machinery through the service-ca operator, and certificates and CA bundles are delivered to containers as mounted Kubernetes Secrets and ConfigMaps. Pod-to-pod application traffic is not mutually authenticated by default; that requires application-level TLS or a service mesh.

Tampering

  • All communication with the Red Hat OpenShift API is encrypted with TLS.
  • All access to etcd, the cluster configuration database, is mediated by the Red Hat OpenShift API server; etcd is not exposed to workloads, and the API-server-to-etcd connection itself uses TLS with client certificates.
  • Cluster Operators manage every integrated Red Hat OpenShift component and continuously reconcile it to its declared configuration, so an unauthorised change to a platform component is detected and reverted rather than persisting silently.
  • Nodes run Red Hat Enterprise Linux CoreOS (RHCOS), an immutable image-based operating system, with CRI-O as the container runtime and Security-Enhanced Linux (SELinux) enforcing kernel-level confinement of containers.
  • Red Hat OpenShift Security Context Constraints (SCCs) let administrators control which security-sensitive settings a pod may request: privileged mode, host network, PID and IPC namespaces, host ports, added Linux capabilities, volume types, and the UID, GID and SELinux ranges a container runs with.
  • By default, pods are admitted under the restricted SCC, so workload containers cannot run privileged or as root, and privilege escalation is disabled.
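The restricted SCC behaviour described in the Spoofing and Tampering bullets above can be checked before a manifest is submitted. The following is an added example, not HeartAI or Red Hat code: a pre-flight lint that encodes the published constraints of the default restricted-v2 SCC over a PodSpec expressed as a Python dictionary. The two sample specs (a privileged debug pod and a hardened API pod that mounts a serving certificate from a Secret), the image names and the Secret name are constructed for the example. SCC admission fills in defaults for fields a pod leaves unset (UID from the namespace range, dropped capabilities, seccomp), so only explicit requests that conflict with the SCC are rejected, and those are what the lint reports; the authoritative decision is still made by the cluster's admission controller.

```python
"""Pre-flight lint of a PodSpec against the OpenShift restricted-v2 SCC.

Added example, not HeartAI or Red Hat code. Encodes the restricted-v2
constraints: no privileged containers, no privilege escalation, no host
namespaces or host ports, no added capabilities except NET_BIND_SERVICE,
no root UID, only the runtime/default seccomp profile, and a fixed set
of volume plugins. Fields a pod leaves unset are defaulted by SCC
admission, so only explicit conflicts are reported.
"""
from typing import Any

# Volume plugins listed in the restricted-v2 SCC; hostPath is notably absent.
ALLOWED_VOLUME_TYPES = {
    "configMap", "downwardAPI", "emptyDir", "ephemeral",
    "persistentVolumeClaim", "projected", "secret", "csi",
}
ALLOWED_ADDED_CAPABILITIES = {"NET_BIND_SERVICE"}


def check_restricted_scc(pod_spec: dict[str, Any]) -> list[str]:
    """Return findings for a PodSpec; an empty list means no SCC conflict."""
    findings: list[str] = []

    # Host namespaces are never granted by restricted-v2.
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if pod_spec.get(key):
            findings.append(f"pod: {key}=true is not permitted")

    # Only the fixed set of volume plugins is allowed.
    for vol in pod_spec.get("volumes", []):
        for vtype in (k for k in vol if k != "name"):
            if vtype not in ALLOWED_VOLUME_TYPES:
                findings.append(f"volume {vol.get('name')}: type {vtype} is not permitted")

    pod_sc = pod_spec.get("securityContext") or {}
    containers = pod_spec.get("initContainers", []) + pod_spec.get("containers", [])
    for c in containers:
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}

        if sc.get("privileged"):
            findings.append(f"container {name}: privileged=true is not permitted")
        if sc.get("allowPrivilegeEscalation"):
            findings.append(f"container {name}: allowPrivilegeEscalation=true is not permitted")

        # A container-level runAsUser overrides the pod-level one; UID 0 is outside the range.
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if run_as_user == 0:
            findings.append(f"container {name}: runAsUser=0 is outside the namespace UID range")

        added = set((sc.get("capabilities") or {}).get("add", []))
        for cap in sorted(added - ALLOWED_ADDED_CAPABILITIES):
            findings.append(f"container {name}: capability {cap} may not be added")

        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile"))
        if seccomp and seccomp.get("type") != "RuntimeDefault":
            findings.append(f"container {name}: seccomp profile must be RuntimeDefault")

        for port in c.get("ports", []):
            if port.get("hostPort"):
                findings.append(f"container {name}: hostPort {port['hostPort']} is not permitted")

    return findings


# Constructed sample specs for the example (not taken from any HeartAI manifest).
PRIVILEGED_POD = {
    "hostNetwork": True,
    "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
    "containers": [{
        "name": "debug",
        "image": "registry.example.com/tools:latest",
        "securityContext": {"privileged": True, "runAsUser": 0,
                            "capabilities": {"add": ["SYS_ADMIN", "NET_BIND_SERVICE"]}},
        "ports": [{"containerPort": 8080, "hostPort": 80}],
    }],
}

HARDENED_POD = {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "volumes": [{"name": "tls", "secret": {"secretName": "api-serving-cert"}}],
    "containers": [{
        "name": "api",
        "image": "registry.example.com/api:1.0",
        "securityContext": {"allowPrivilegeEscalation": False,
                            "capabilities": {"drop": ["ALL"]}},
        "volumeMounts": [{"name": "tls", "mountPath": "/etc/tls", "readOnly": True}],
    }],
}

if __name__ == "__main__":
    for label, spec in (("privileged", PRIVILEGED_POD), ("hardened", HARDENED_POD)):
        print(f"{label}: {check_restricted_scc(spec) or ['admissible under restricted-v2']}")
```

Running the module prints six findings for the privileged pod (host network, hostPath volume, privileged mode, UID 0, the SYS_ADMIN capability and the host port) and reports the hardened pod as admissible. NET_BIND_SERVICE is deliberately not flagged, since restricted-v2 allows it to be added.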

Repudiation

  • The API server audit log records every request to the Red Hat OpenShift API, including the authenticated user, source IP, verb, target resource and response code, so an action can be attributed to an identity after the fact. The default audit profile records request metadata only; the WriteRequestBodies and AllRequestBodies profiles additionally capture request bodies at the cost of log volume.
  • Red Hat OpenShift allows auditd to be configured on the Red Hat Enterprise Linux CoreOS nodes, recording host-level activity beneath the container runtime.
  • Red Hat OpenShift includes an optional Elasticsearch, Fluentd, and Kibana (EFK) logging stack that can collect application, infrastructure and audit logs and forward them off-cluster. Off-node retention matters for non-repudiation, because logs kept only on a node can be altered by whoever compromises it.
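The audit log described above only supports non-repudiation if someone actually reads it. The following is an added example, not HeartAI or Red Hat code: a triage script over Red Hat OpenShift API server audit events, which are written in the upstream audit.k8s.io/v1 JSON-lines format (one Event per line) and can be retrieved from the control-plane nodes with `oc adm node-logs --role=master --path=kube-apiserver/` (and `--path=openshift-apiserver/`). It flags successful writes to access-control objects such as SCCs and role bindings, secret reads by identities outside the platform namespaces, impersonation, and denied requests. The sample audit lines are constructed for the example, and the user names, namespaces and IP address in them are hypothetical; the fields used (user.username, verb, objectRef, responseStatus, impersonatedUser, sourceIPs, stage) are part of the upstream audit event schema.

```python
"""Triage of OpenShift API server audit events (audit.k8s.io/v1 JSON lines).

Added example, not HeartAI or Red Hat code. The sample log below is
constructed; identities, namespaces and the IP address are hypothetical.
"""
import json
from collections import Counter
from typing import Iterable

# Objects whose successful modification changes who may do what in the cluster.
WATCHED_WRITES = {
    "securitycontextconstraints", "clusterrolebindings", "rolebindings",
    "clusterroles", "machineconfigs",
}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
# Identities expected to read secrets as part of platform operation.
PLATFORM_PREFIXES = ("system:serviceaccount:openshift-", "system:kube-", "system:apiserver")

# Constructed sample: five completed requests plus one RequestReceived stage event.
SAMPLE_AUDIT_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a1","stage":"ResponseComplete","requestURI":"/apis/security.openshift.io/v1/securitycontextconstraints/restricted-v2","verb":"patch","user":{"username":"alice@example.com","groups":["system:authenticated"]},"sourceIPs":["10.0.5.23"],"objectRef":{"resource":"securitycontextconstraints","name":"restricted-v2","apiGroup":"security.openshift.io"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2024-01-01T10:00:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a2","stage":"RequestReceived","requestURI":"/api/v1/namespaces/heartai-prod/secrets/db-credentials","verb":"get","user":{"username":"bob@example.com"},"sourceIPs":["10.0.5.40"],"objectRef":{"resource":"secrets","namespace":"heartai-prod","name":"db-credentials"},"requestReceivedTimestamp":"2024-01-01T10:01:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a3","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/heartai-prod/secrets/db-credentials","verb":"get","user":{"username":"bob@example.com"},"sourceIPs":["10.0.5.40"],"objectRef":{"resource":"secrets","namespace":"heartai-prod","name":"db-credentials"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2024-01-01T10:01:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a4","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/openshift-monitoring/secrets","verb":"list","user":{"username":"system:serviceaccount:openshift-monitoring:prometheus-k8s"},"sourceIPs":["10.128.0.12"],"objectRef":{"resource":"secrets","namespace":"openshift-monitoring"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2024-01-01T10:02:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a5","stage":"ResponseComplete","requestURI":"/apis/rbac.authorization.k8s.io/v1/clusterrolebindings","verb":"create","user":{"username":"ci-bot"},"impersonatedUser":{"username":"system:admin"},"sourceIPs":["10.0.5.77"],"objectRef":{"resource":"clusterrolebindings","name":"ci-admin","apiGroup":"rbac.authorization.k8s.io"},"responseStatus":{"code":201},"requestReceivedTimestamp":"2024-01-01T10:03:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a6","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/openshift-config/secrets","verb":"list","user":{"username":"bob@example.com"},"sourceIPs":["10.0.5.40"],"objectRef":{"resource":"secrets","namespace":"openshift-config"},"responseStatus":{"code":403},"requestReceivedTimestamp":"2024-01-01T10:04:00.000000Z"}
"""


def parse_audit_lines(lines: Iterable[str]) -> list[dict]:
    """Parse JSON-lines audit output, keeping only completed requests.

    A request can emit a RequestReceived and a ResponseComplete stage event;
    only the latter carries the response code, so the former is dropped to
    avoid double counting.
    """
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("kind") == "Event" and ev.get("stage") == "ResponseComplete":
            events.append(ev)
    return events


def is_platform_identity(username: str) -> bool:
    return username.startswith(PLATFORM_PREFIXES)


def triage(events: list[dict]) -> list[dict]:
    """Return one finding per suspicious condition, keyed by auditID for follow-up."""
    findings = []
    for ev in events:
        user = ev.get("user", {}).get("username", "")
        verb = ev.get("verb", "")
        ref = ev.get("objectRef") or {}
        resource = ref.get("resource", "")
        code = ev.get("responseStatus", {}).get("code", 0)
        base = {"auditID": ev.get("auditID"), "user": user, "verb": verb,
                "resource": resource, "name": ref.get("name"),
                "namespace": ref.get("namespace"),
                "sourceIP": ",".join(ev.get("sourceIPs", [])), "code": code}
        if resource in WATCHED_WRITES and verb in WRITE_VERBS and code < 300:
            findings.append({**base, "finding": "access-control object modified"})
        if resource == "secrets" and verb in ("get", "list") and code < 300 \
                and not is_platform_identity(user):
            findings.append({**base, "finding": "secret read by non-platform identity"})
        if ev.get("impersonatedUser"):
            findings.append({**base, "finding": "impersonation",
                             "as": ev["impersonatedUser"].get("username")})
        if code in (401, 403):
            findings.append({**base, "finding": "denied request"})
    return findings


def denied_by_user(findings: list[dict]) -> Counter:
    """Denied requests per user; a high count suggests permission enumeration."""
    return Counter(f["user"] for f in findings if f["finding"] == "denied request")


if __name__ == "__main__":
    results = triage(parse_audit_lines(SAMPLE_AUDIT_LOG.splitlines()))
    for f in results:
        print(f"{f['auditID']} {f['finding']}: {f['user']} {f['verb']} {f['resource']}/{f['name']}")
    print("denied per user:", dict(denied_by_user(results)))
```

On the sample log the script reports the SCC patch by alice, bob's successful read of db-credentials, the ci-bot role-binding creation twice (once as an access-control write and once as impersonation of system:admin), and bob's denied listing of secrets in openshift-config; the Prometheus service account's secret access is treated as expected platform behaviour. In production the allow-list of platform identities and the set of watched resources would be tuned to the cluster, and the script would run over logs forwarded off the node rather than on the node itself.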

Information disclosure

Denial of service

  • Red Hat OpenShift deploys three control plane nodes in a high-availability (HA) configuration, with etcd quorum maintained across them, so that no single control plane node is a point of failure.
  • Namespace ResourceQuotas and LimitRanges bound the CPU, memory and object counts a tenant can consume, limiting resource-exhaustion attacks launched from inside the cluster.

Elevation of privilege

External references

Further information about the Red Hat OpenShift security posture in relation to the STRIDE threat model may be found with the following external references:

Red Hat Advanced Cluster Security implementation

Red Hat Advanced Cluster Security (RHACS) is a Kubernetes-native security platform for container-based environments. It combines image vulnerability scanning, configuration and compliance assessment, network policy visualisation and enforcement, and runtime detection, and provides continuous monitoring and policy enforcement for Kubernetes-based infrastructure.

RHACS collects, monitors, and evaluates system-level events including:

  • Process execution.
  • Network connections and traffic.
  • Access control and privilege escalation.

In combination with baselining of normal process and network behaviour per deployment, this allows detection of anomalous activity that may indicate malicious intent, such as active malware, resource hijacking (for example cryptomining), unauthorised access, and intrusions.

Environments protected by RHACS are continuously assessed against compliance frameworks such as the Center for Internet Security (CIS) benchmarks for Kubernetes and Docker and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). RHACS supports DevSecOps with integrations for CI/CD pipelines (image scanning and policy checks at build time, for example through the roxctl CLI) and an admission controller that evaluates policies at deploy time, so that high-risk workloads can be blocked before they are scheduled; the same policies are evaluated at runtime against observed process and network activity. By shifting security left, vulnerable and misconfigured images are reported to developers with real-time feedback and alerts while they are still cheap to remediate.

External references

Further information about Red Hat Advanced Cluster Security may be found with the following external references:

RHACS UI overview

The following image shows the RHACS overview web interface. This section of RHACS displays an overview of security, compliance, and resource management for Kubernetes-based clusters and resources. The overview web interface provides visualisations for:

  • A summary of policy violations and their risk severity, assessed against the supported compliance standards.
  • Compliance violations and risk severity corresponding to cluster instances.
  • Deployment prioritisation by risk severity.
  • Active violations over time.
  • Abnormal activity detections.
  • Continuous assessment of DevOps best practices.
  • Container compliance assessment against the Docker CIS compliance benchmarks.
  • Risk severity for Kubernetes events.
  • Network tooling risk evaluation.
  • Assessment of cluster privileges and permissions assignment.
  • Review of security best practices.
  • Risk severity of cluster-level modifications.
  • Analysis of vulnerability management.

rhacs-dashboard.png

RHACS UI network graph

The following image shows the RHACS network graph web interface. The network graph section of RHACS allows visualisation of network traffic and segmentation, and provides mechanisms to enforce network rules and policies. The network graph web interface provides:

  • A visualisation of cluster network topology and segmentation.
  • Cluster network traffic flow and metrics.
  • Functionalities to filter network visualisation by namespace or time window.
  • Network policy simulation tooling.

rhacs-network-graph.png

RHACS UI violations

The following image shows the RHACS violations web interface. The violations section of RHACS lists policy violations for Kubernetes resources across the monitored clusters. Violations are reported at the resource level, with the resource type, the policy violated, whether enforcement is active for that policy, risk severity, policy category, the lifecycle stage (build, deploy or runtime) at which the policy applies, and the time of the violation. The violations web interface provides:

  • A tabled report of cluster violations, including:
    • The resource entities where the violation exists.
    • The type of resource entities.
    • The policy the entities are violating.
    • Information about the enforcement status of the corresponding compliance policies.
    • The risk severity of the violation.
    • The risk category of the violation.
    • The lifecycle stage (build, deploy or runtime) at which the policy applies.
    • The detection time of the compliance violation.

rhacs-violations.png

RHACS UI compliance

The following image shows the RHACS compliance web interface. The compliance section of RHACS allows for the auditing of Kubernetes-based clusters and container images against best practice policy and compliance frameworks. The compliance web interface provides:

rhacs-compliance.png

RHACS UI vulnerability management

The following image shows the RHACS vulnerability management web interface. The vulnerability management section of RHACS identifies vulnerabilities for Kubernetes-based clusters and associated container images. The vulnerability management web interface provides:

  • Visualisations of deployment risk by critical vulnerabilities and exposures.
  • Cluster-level reporting of container image risk.
  • Insights into the most frequently violated policies.
  • Recently detected vulnerabilities.
  • Deployment reporting for severe policy violations.
  • Reporting of orchestrator and Istio vulnerabilities.
  • Cluster vulnerabilities by frequency.

rhacs-vulnerability-management.png

RHACS UI configuration management

The following image shows the RHACS configuration management web interface. The configuration management section of RHACS monitors Kubernetes-based clusters for mis-configurations with reference to best practice policy and compliance frameworks. The configuration management web interface provides:

  • Configuration policy violation by severity.
  • Configuration policy pass rate for the CIS Docker v1.2.0 benchmarks.
  • The number of subjects bound to the cluster-admin role, which should be kept to a minimum.
  • The Secrets most widely mounted across deployments, since a Secret shared by many workloads has a correspondingly larger exposure.

rhacs-configuration-management.png

RHACS UI risk

The following image shows the RHACS risk web interface. The risk section of RHACS estimates and prioritises the risk of corresponding deployments and suggests approaches for remediation. The risk web interface provides:

  • Report tables ranking the risk of cluster deployments.
  • Information about risk-associated deployments:
    • The deployment name.
    • Date of deployment creation.
    • Cluster allocation of the deployment.
    • Namespace allocation of the deployment.
    • Deployment risk assessment priority.

rhacs-risk.png