By Glen Kosaka, VP, NeuVector
Healthcare organizations under the purview of HIPAA regulations know full well how critical demonstrable security is to avoiding regulatory action, steep fines, and reputational harm. But many businesses now taking advantage of Kubernetes and containerized environments have even more questions than usual when it comes to implementing compliance-achieving security processes.
Protecting sensitive data always starts with best practices for vulnerability management and configuration auditing. But in a production environment, protecting containers from exploits and data breaches requires cloud-native network security designed to protect the Kubernetes network.
Data breaches typically use the network to gain entry, expand, and ultimately steal data. But how can this suspicious activity be detected in a container network? The answer lies in network-based container segmentation and data loss prevention (DLP) strategies. Getting this right enables healthcare organizations to protect their new Kubernetes environments in accordance with HIPAA mandates.
Within Kubernetes environments, containers are deployed for applications that are storing, processing, and transmitting sensitive, HIPAA-protected data. Containers may also store secrets that are used to access applications – presenting even more avenues for nefarious attackers to put PHI at risk. (A quick note that as a best practice, a dedicated and secure secrets management tool should be used, with additional secrets auditing implemented to ensure compliance.) There are also scenarios where a healthcare employee may ignore security procedures, either for efficiency’s sake or simply by mistake. With a container DLP strategy, though, healthcare firms can introduce the detection capabilities and security policy enforcement needed to identify potential exposures of PHI data and prevent data breaches – both those that are malicious and accidental.
Container DLP As A Strategy To Defend HIPAA-Protected Data
As with all effective security plans, you should strive to have layered safeguards when utilizing a container DLP. The level of monitoring and security controls put in place to protect Kubernetes environments should be just as extensive as the task of achieving HIPAA regulatory compliance calls for. This means, for example, introducing data encryption that is in-line with HIPAA requirements. It also necessitates using careful detection methods to proactively recognize dangers to PHI and other sensitive data.
Encryption Within The Kubernetes Environment
HIPAA more or less requires encryption. The regulation states that PHI is considered secure if it is “rendered unusable, unreadable, or indecipherable to unauthorized persons.” Encryption is a basic but crucial measure that prevents sensitive data from being exposed – protecting both data at rest and data in transit.
Putting a container DLP strategy in places accomplishes this by requiring that all traffic between Kubernetes pods (internal east-west connections within the Kubernetes environment) is encrypted whenever transmitting sensitive data. Ingress and egress connections to and from the container cluster must also be encrypted. Data storage (data at rest) that is written to and accessed by containers also needs to be protected by encryption. To secure pod-to-pod connections within Kubernetes, new service mesh technologies (such as Istio) provide a simple and scalable approach to your container encryption tactics.
Detecting And Protecting PHI Data
Even with encryption in place, you need to protect against unauthorized and inadvertent transmissions of unencrypted PHI data. A container DLP strategy can effectively monitor the network within the Kubernetes environment and recognize connections where sensitive data is present. This is accomplished through Layer 7 (application layer) deep packet inspection, which enables the container DLP to identify PHI data within network payloads.
Having this capability makes it possible to enforce security (and meet HIPAA requirements) by implementing network segmentation, and to verify connection encryption within the Kubernetes environment. Leveraging Layer 7 application protocols, network segmentation is effective at preventing unauthorized connections from accessing containers. At the same time, any unencrypted connections can be monitored and then blocked if any PHI data is present. This feature ensures that encryption measures are functional and actively protecting all internal and external traffic with encrypted SSL connections.
To bolster this security, file and database scanning should be present to safeguard data at rest. Using an integrated service mesh solution also can enable network traffic inspections before encryption. Do this to identify the presence of PHI data anywhere it shouldn’t be, as well as any infiltration or threats to the Kubernetes environment.
A very important aspect of maintaining HIPAA-compliant security is being able to guarantee that all protections are active – that there’s no pod or connection where PHI exists and the system has its guard down. Applying a defense-in-depth plan which includes end-to-end vulnerability management, configuration auditing through CIS benchmarks, and container DLP protection in Kubernetes environments provides the peace of mind that comes with full visibility into the presence and security of sensitive data, and the capabilities required to verify and preserve HIPAA compliance.
About The Author
Glen Kosaka is a VP at NeuVector, a cloud-native Kubernetes security platform provider. Prior to NeuVector, he has held executive management positions at Trend Micro, Provilla, Reactivity, Resonate, Quantum and Rignite.