Simplifying Compliance in a DevOps World

Today we introduced a slew of new compliance capabilities, including support for NIST, PCI, and HIPAA. As we’ve talked with customers about the functionality they need, a few key trends have emerged that informed how we designed our StackRox Kubernetes Security Platform to support compliance. We love how one customer reacted to our new features:

StackRox gives us the ability to demonstrate our adherence to HIPAA at all times, helping us avoid audit-induced anxieties.

-- Chris Mutzel, chief architect at Stratus Medicine

Compliance must be done differently in a DevOps world in a few critical ways:

  • Compliance has to fit the DevOps way – DevOps is all about moving fast, leveraging automation, and continuous improvement. Compliance has historically not looked like that at all, so we needed to design our compliance capabilities to suit DevOps. As a result, we’ve focused on making compliance checks an automatic, ongoing exercise rather than a big, heavy lift you prep for a couple of times a year. Our Dashboard delivers an at-a-glance view of your compliance standing at all times, and our Data Drill Down capabilities mean you can learn what needs fixing immediately.

  • DevOps has to be involved in compliance – with traditional infrastructure, the security team could deliver to the auditors all the information they needed to demonstrate compliance. After all, security had layered all the controls in place on top of the infrastructure. With the cloud-native stack, the controls are part of the infrastructure, so the DevOps teams are heavily involved in building in the controls that auditors need to document for compliance. We focused on making it easy for DevOps teams to support the compliance effort, with Reports they can generate at the click of a button and Evidence, in the form of exportable CSV files, they can provide to auditors.

  • Compliance works differently with the various “layers” of Kubernetes and container environments – different compliance controls apply at the cluster, namespace, and node level. Often, different teams have responsibilities for each of these assets, and being able to zero in on the compliance level by layer helps pinpoint what aspect needs to be fixed to meet compliance needs. Customizable Environment Views help teams understand how they adhere to various standards and specifications in each layer of the Kubernetes environment. We show here first a cluster view and then a node view to highlight these differences.

We invite you to take a deeper look at how StackRox can give you continuous, automatic compliance. Come see us at RSA next week, request a private demo, or sign up for our Kubernetes Security Overview to get a look at the StackRox platform and get your questions answered.