As we recently announced, Red Hat Advanced Cluster Security (RHACS) is the new product offering, powered by StackRox technology, that continues to set the standard for Kubernetes-native security trusted by enterprises everywhere. The RHACS team also recently presented an updated product roadmap that reflects a continued focus on achieving our core objectives:
- Help security teams focus on what matters most
- Reduce the operational overhead of a cloud-native security program
- Deliver business value through development speed and a DevSecOps approach
Over the past quarter, we’ve worked hard to incorporate several major changes and capabilities into our product, including:
- Red Hat certified vulnerability scanner designation
- OpenShift compliance operator integration
- RHACS dashboard update
- Launching StackRox.io and our commitment to open sourcing StackRox
Red Hat certified vulnerability scanner designation
Many veterans in the security industry have run into the scenario where they are handed a spreadsheet with the results of several different security scanning tools and ask themselves: “why are all of these different?” Even if you’re not a cybersecurity veteran, you may have been handed a list of security issues and asked to address them. It's not uncommon for some of these issues to be confusing in their severity or applicability. False positives in reports have become a common occurrence; at best they frustrate practitioners, and at worst they lead to real issues being ignored.
This is because security depends on context, but many industry-standard vulnerability data sources are generalized across distributions and disagree with one another. Red Hat curates its data sources so that the vulnerability context our customers see is as relevant as possible when inspecting packages managed by Red Hat. Industry standards like CVSS 3.1 assume users will apply their own context when investigating issues to determine an appropriate level of risk. While this would be best practice in an ideal world, the reality is that it is difficult to accomplish.
We have addressed this problem and are pleased to share that Red Hat Advanced Cluster Security has achieved the Red Hat certified vulnerability scanner designation. The certified Red Hat Vulnerability Scanner designation represents transparency and accuracy on the issues that matter most for containers using Red Hat packages.
Red Hat certified vulnerability scanners apply the appropriate context for Red Hat-maintained software packages. When this context is applied over a more generalized data source, it can change the risk severity of an issue, highlight compensating controls, and even establish whether an issue is relevant at all. By highlighting relevancy, your teams avoid wasting time triaging an issue that does not apply to a Red Hat package. These controls help you focus on the real threats to your clusters and give time back to your security team. If your organization has risk tolerance policies, these differences are critical to your decision-making processes.
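To make the overlay idea concrete, here is an added example (not RHACS or Red Hat code) of how a triage step can merge a generic CVSS-based feed with a vendor's per-package statement about each CVE. All package names, CVE identifiers, scores and notes are constructed for illustration; the vendor severity scale (Low, Moderate, Important, Critical) mirrors the four-level scale Red Hat uses, while the generic side uses the CVSS 3.1 qualitative ratings.

```python
"""Overlay vendor (distribution) context on a generic vulnerability feed.

Constructed example: every package, CVE id, score and note below is made up
and carries no relation to any real advisory.
"""
from dataclasses import dataclass
from typing import Optional

# Generic, distribution-agnostic feed (constructed): CVE -> CVSS 3.1 base score.
GENERIC_FEED = {
    "CVE-0000-0001": {"cvss": 9.8, "summary": "code execution in libexample"},
    "CVE-0000-0002": {"cvss": 7.5, "summary": "denial of service in example-http"},
    "CVE-0000-0003": {"cvss": 5.3, "summary": "information leak in example-tls"},
}

# Vendor overlay (constructed): what the package maintainer says about a CVE
# for the specific build it ships. Severity here is the vendor's own scale.
VENDOR_OVERLAY = {
    ("libexample", "CVE-0000-0001"): {
        "status": "not_affected",
        "note": "vulnerable code path is not compiled into the vendor build"},
    ("example-http", "CVE-0000-0002"): {
        "status": "affected", "severity": "Moderate",
        "note": "requires a non-default option; default config is a compensating control"},
    ("example-tls", "CVE-0000-0003"): {
        "status": "affected", "severity": "Important",
        "note": "vendor build links an older TLS stack that is fully exposed"},
}

# One ranking covering both scales so thresholds can be applied uniformly.
SEVERITY_RANK = {"None": 0, "Low": 1, "Medium": 2, "Moderate": 2,
                 "High": 3, "Important": 3, "Critical": 4}


def cvss_to_severity(score: float) -> str:
    """CVSS 3.1 qualitative severity rating scale."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


@dataclass
class Finding:
    package: str
    cve: str
    generic_severity: str
    effective_severity: Optional[str]  # None when the vendor says not affected
    applicable: bool
    note: str = ""


def triage(scanned_packages, generic=GENERIC_FEED, overlay=VENDOR_OVERLAY):
    """scanned_packages maps package name -> list of CVE ids a scanner matched.

    Returns one Finding per (package, CVE) with the vendor's context applied
    where it exists and the generic rating used as a fallback otherwise.
    """
    results = []
    for pkg, cves in scanned_packages.items():
        for cve in cves:
            generic_sev = cvss_to_severity(generic[cve]["cvss"])
            ctx = overlay.get((pkg, cve))
            if ctx is None:
                # No vendor statement: keep the generic rating, but say so.
                results.append(Finding(pkg, cve, generic_sev, generic_sev, True,
                                       "no vendor context; generic rating used"))
            elif ctx["status"] == "not_affected":
                # Vendor context establishes the issue does not apply to this build.
                results.append(Finding(pkg, cve, generic_sev, None, False, ctx["note"]))
            else:
                # Vendor context may raise or lower the severity relative to CVSS.
                results.append(Finding(pkg, cve, generic_sev, ctx["severity"], True,
                                       ctx["note"]))
    return results


def actionable(findings, min_severity="Moderate"):
    """Findings worth a ticket: applicable and at or above the threshold."""
    floor = SEVERITY_RANK[min_severity]
    return [f for f in findings
            if f.applicable and SEVERITY_RANK[f.effective_severity] >= floor]


if __name__ == "__main__":
    scan = {"libexample": ["CVE-0000-0001"], "example-http": ["CVE-0000-0002"],
            "example-tls": ["CVE-0000-0003"], "other-pkg": ["CVE-0000-0002"]}
    for f in triage(scan):
        print(f"{f.package:12} {f.cve} generic={f.generic_severity:8} "
              f"effective={str(f.effective_severity):9} applicable={f.applicable} ({f.note})")
```

Note that the overlay moves findings in both directions: the Critical generic rating on libexample disappears entirely because the vendor build is not affected, the High on example-http drops to Moderate because a default setting acts as a compensating control, and the Medium on example-tls rises to Important. A threshold applied to the generic column would produce a different work queue from one applied to the effective column, which is exactly the discrepancy the certified-scanner designation is meant to remove.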
OpenShift compliance operator integration
For those new to RHACS, our Kubernetes-native security solution comes pre-built with compliance checks for the CIS benchmarks for Kubernetes and Docker, as well as other industry standards such as PCI, HIPAA, NIST SP 800-90 and NIST SP 800-53. Compliance reports can be generated with a single click and handed to auditors as evidence. This compliance functionality saves organizations significant time and cost.
Compliance teams mapping the CIS benchmark for Kubernetes to OpenShift, or reviewing the existing OpenShift benchmarks, may notice that the vast majority of these controls are applied by default and that changes to revert the security defaults are not supported. This design is intentional and is part of OpenShift providing a hardened, secure-by-default distribution of enterprise Kubernetes.
The OpenShift compliance operator helps to codify the assessment and remediation of security standards to help reduce the cost of compliance operations and audits. RHACS reports on these results to provide teams with a command center for compliance operations for their OpenShift and Kubernetes clusters so that auditors can easily consume and measure their progress against these codified standards.
RHACS augments the strong OpenShift compliance controls available via the OpenShift Compliance Operator. RHACS reports on the compliance results to give auditors actionable insight into the state of security across your OpenShift cluster. This can be done through the compliance operator dashboard, giving comprehensive OpenShift compliance controls from a single location.
RHACS receives a dashboard update
We are happy to announce the new dashboard design, built on reusable UI standards. RHACS is focused on the value behind the UI and on a more consistent experience with existing Red Hat products such as Red Hat Advanced Cluster Management for Kubernetes and Red Hat Quay.
RHACS moves downstream of StackRox
StackRox has always supported the open source community. Last year, we launched the open source project KubeLinter, a static analysis tool for examining your Kubernetes YAML configuration. It was our first open source project, and we are ecstatic to announce our second one.
We are committed to open sourcing the StackRox software as a separate upstream project powering Red Hat Advanced Cluster Security. To aid in this process, we have launched the StackRox community website as a place for you to find everything StackRox related. The community website is the place to go for StackRox open source announcements, blogs, office hours, and more. As the project progresses towards our open source goal, we would love for you to get involved in the upstream community.
Community channels and customer feedback fuel our open culture, our community and our focus on exceeding customer expectations. If you aren’t yet familiar with Red Hat Advanced Cluster Security and would like to learn more, visit our product page and the existing StackRox documentation. As we continue the process of open sourcing StackRox, you can reach out to us on Slack in the CNCF #stackrox channel, or feel free to contact us directly.