
Assessing Environments Against Cloud Native Security Best Practices


The Cloud Native Security Controls Project simplifies compliance by mapping cloud-native best practices to frameworks like NIST 800-53. Learn how automation reduces toil, enhances security, and empowers teams to tackle compliance challenges with confidence.

Navigating cloud-native security can feel like traversing a maze—complex, ever-changing, and littered with compliance requirements. As a cybersecurity manager or engineer, you’re tasked with securing environments while balancing operational efficiency and adhering to regulatory frameworks. But how do you evaluate your environment’s security against established best practices?

In a recent Cloud Native Computing Foundation (CNCF) lightning talk, Jon Zeolla, CTO of Seiso, and Pratik Lotia, Cloud Security Engineer at Reddit, led a session to tackle this challenge head-on. Drawing on their expertise in cloud-native security, they outlined how you can leverage open-source tools and a standardized approach to assess cloud-native environments, reduce compliance burdens, and elevate your security posture.

The Cloud Native Security Controls Project: An Overview

In the rapidly evolving world of cloud-native technologies, ensuring robust security while maintaining compliance can seem like an uphill battle. The Cloud Native Security Controls Project, spearheaded by the CNCF’s TAG Security group, aims to bridge this gap. As Zeolla and Lotia highlighted during their lightning talk, the initiative offers a structured approach to evaluating cloud-native environments against recognized security best practices.

Read more about the Cloud Native Security Controls Catalog

Why the Project Matters

Security professionals often face the daunting task of demonstrating compliance with frameworks like NIST 800-53, SOC 2, and ISO 27001, while also adhering to cloud-native best practices outlined in CNCF’s white papers. These white papers, such as those on Kubernetes security and software supply chains, provide valuable insights but often lack actionable tools to translate recommendations into real-world implementations.

The Cloud Native Security Controls Project addresses this by creating a comprehensive catalog of security controls. These controls are designed to:

  • Simplify Compliance: Map cloud-native security practices to established frameworks like NIST 800-53, enabling smoother audits and assessments.
  • Standardize Assessments: Provide a unified approach for evaluating environments, reducing ambiguity for both engineers and auditors.
  • Enhance Usability: Offer outputs in accessible formats, such as Excel and Markdown, catering to diverse team needs.

A Collaborative Vision

The project thrives on collaboration, leveraging contributions from security experts, auditors, and developers across the CNCF ecosystem. By aligning with community-driven efforts, such as the Cloud Native Security White Paper, the project ensures relevance and practicality.

Key Components of the Project

  1. Security Controls Catalog: A curated list of approximately 200 controls derived from CNCF white papers, categorized by deployment stages (e.g., storage, runtime, deploy time).
  2. Framework Mapping: Controls are meticulously mapped to NIST 800-53, providing clear connections between cloud-native practices and compliance requirements.
  3. Implementation Guidance: Practical recommendations accompany each control, offering actionable steps, such as using Kubernetes secrets or integrating secrets managers for improved security.

Phase One: Building the Foundation

The first phase of the Cloud Native Security Controls Project focused on creating a solid foundation for assessing cloud-native environments. This phase tackled the complexity of compliance and security by developing a standardized catalog of controls mapped to widely recognized frameworks like NIST 800-53. Here’s how the team approached this critical groundwork.

Mapping Controls to Established Frameworks

One of the most significant challenges in cloud-native security is reconciling best practices with compliance requirements. Security engineers often face questions like, “Is our Kubernetes setup compliant with SOC 2, ISO 27001, or PCI DSS?” Yet, these frameworks often use language unfamiliar to engineers, creating confusion and inefficiency.

The Cloud Native Security Controls Project addresses this by:

  • Extracting Key Practices: Distilling recommendations from CNCF’s Cloud Native Security White Paper and Software Supply Chain White Paper into actionable security controls.
  • Aligning with NIST 800-53: Each control is mapped to specific identifiers within NIST 800-53 (e.g., CM-2, SI-7), ensuring clear alignment between cloud-native security and compliance frameworks.

By doing this, the project not only helps engineers understand compliance requirements but also provides auditors with a clear view of adherence to standards.

Creating a Usable Controls Catalog

To make these controls accessible and actionable, the team compiled them into formats tailored for both engineers and auditors:

  • Excel and Markdown Outputs: Recognizing the varying preferences of teams, controls are presented in formats that are easy to navigate and integrate into workflows.
  • Prioritization by Assurance Level and Risk: Each control is categorized by its risk level and assurance requirements, helping teams focus on the most critical areas first.

For example, a control might recommend using Kubernetes secret objects or integrating a secrets manager to avoid storing sensitive information in insecure resources. These actionable insights bridge the gap between theoretical recommendations and practical implementation.
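To make the catalog structure concrete, the following is an added example (not the project's own catalog or tooling) of how a handful of controls mapped to NIST 800-53 identifiers can be represented, indexed by framework identifier, prioritized by assurance level and risk, and rendered as Markdown. The control IDs, the `CNSC-EX-` prefix, the numeric assurance scale and the control text are all constructed for illustration; only the NIST 800-53 identifiers are real.

```python
"""Toy controls catalog mapped to NIST 800-53.
Constructed sample for illustration, not the CNCF catalog."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    control_id: str        # hypothetical catalog identifier
    phase: str             # lifecycle stage, as the page lists them (storage, runtime, deploy)
    description: str
    nist_800_53: tuple     # NIST 800-53 identifiers this control maps to, e.g. ("SC-28",)
    assurance_level: int   # assumed scale: 1 = baseline, 3 = highest assurance
    risk: str              # "high" / "medium" / "low"
    guidance: str          # implementation guidance accompanying the control


# Constructed entries; IDs and wording are illustrative only.
CATALOG = [
    Control("CNSC-EX-001", "deploy",
            "Sensitive values live in Kubernetes Secret objects or an external secrets "
            "manager, never in ConfigMaps or plaintext environment literals.",
            ("SC-28", "IA-5"), 1, "high",
            "Reference secrets via secretKeyRef or a secrets-manager integration."),
    Control("CNSC-EX-002", "deploy",
            "Container images are signature-verified before admission.",
            ("SI-7",), 2, "high",
            "Enforce signature verification with an admission controller."),
    Control("CNSC-EX-003", "runtime",
            "Workload configuration has a recorded baseline and drift is detected.",
            ("CM-2", "CM-3"), 2, "medium",
            "Keep manifests in version control and compare running state against them."),
    Control("CNSC-EX-004", "storage",
            "Persistent volumes holding sensitive data are encrypted at rest.",
            ("SC-28",), 1, "medium",
            "Use an encrypted StorageClass or provider-managed volume encryption."),
]

RISK_ORDER = {"high": 0, "medium": 1, "low": 2}


def by_nist(catalog):
    """Reverse index: NIST 800-53 identifier -> catalog control IDs that map to it.
    This is the view an auditor working from the framework side needs."""
    index = defaultdict(list)
    for c in catalog:
        for nist_id in c.nist_800_53:
            index[nist_id].append(c.control_id)
    return dict(index)


def prioritize(catalog, max_assurance_level):
    """Controls at or below the requested assurance level, highest risk first."""
    selected = [c for c in catalog if c.assurance_level <= max_assurance_level]
    return sorted(selected, key=lambda c: (RISK_ORDER[c.risk], c.control_id))


def to_markdown(catalog):
    """Render the catalog as a Markdown table, one of the output formats the page mentions."""
    lines = ["| ID | Phase | NIST 800-53 | Assurance | Risk | Description |",
             "|---|---|---|---|---|---|"]
    for c in catalog:
        lines.append(f"| {c.control_id} | {c.phase} | {', '.join(c.nist_800_53)} | "
                     f"{c.assurance_level} | {c.risk} | {c.description} |")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_markdown(prioritize(CATALOG, 1)))
    print(by_nist(CATALOG))
```

The reverse index is the piece worth keeping in mind: a single cloud-native control can satisfy several framework identifiers, and a single framework identifier (here SC-28) can be evidenced by several controls, so the mapping is many-to-many in both directions.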

Reducing Complexity for Teams

A standout feature of this phase is its commitment to simplifying complex requirements. By creating a single, unified catalog of controls, the project eliminates the need for teams to juggle multiple, often competing standards. Instead of overwhelming engineers with jargon-heavy compliance documents, it presents clear, actionable steps tailored to the realities of cloud-native environments.

This phase laid the groundwork for a more streamlined and collaborative approach to cloud-native security, paving the way for the ambitious automation goals of Phase Two.

Phase Two: Automating Security and Compliance

While Phase One focused on building a strong foundation, Phase Two of the Cloud Native Security Controls Project sets its sights on transformation. This phase introduces automation into the assessment process, reducing the manual effort—or “toil”—associated with compliance while improving security observability. Led by Jon Zeolla and Pratik Lotia, this ambitious phase aims to shift the industry’s approach to cloud-native security and compliance.

The Vision: Automating Assessments

Manual assessments are time-intensive, prone to human error, and often fail to keep pace with the rapid evolution of cloud-native environments. Phase Two seeks to address these limitations by:

  • Automating Control Assessments: Leveraging machine-readable formats to evaluate compliance in real time.
  • Streamlining Evidence Collection: Using automated tools to gather and analyze evidence from runtime environments, build pipelines, and other stages of deployment.
  • Reducing Compliance Toil: Minimizing the repetitive and bureaucratic work traditionally associated with audits, enabling teams to focus on strengthening security.

The goal is to not only meet compliance requirements but to actively improve an organization’s security posture by increasing visibility into cloud-native environments.

Balancing Toil and Observability

One of the core principles driving Phase Two is reducing toil—the repetitive, manual tasks that drain time and resources. By automating compliance-related activities, the project aims to:

  • Set a New Baseline: Lower the burden of compliance tasks to a manageable level, even during audits or high-pressure scenarios.
  • Enhance Observability: Provide deeper insights into the security status of environments, enabling proactive risk management.

For example, an automated system could detect whether a deployment follows recommended practices for secrets management, providing both compliance validation and actionable feedback for improving security.
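The secrets-management check just described, as an added example rather than project code: it walks Kubernetes workload specs (constructed sample manifests, expressed as Python dicts rather than YAML so the example runs offline), flags sensitive-looking environment variables that are injected as plaintext literals or from a ConfigMap, and emits a machine-readable finding that carries the control ID and its NIST 800-53 mapping. The control record, the `CNSC-EX-001` identifier and the name-matching pattern are assumptions.

```python
"""Automated assessment of one secrets-management control over Kubernetes workload specs.
Added example with constructed manifests; not the project's tooling."""
import json
import re

# Hypothetical control record; the NIST 800-53 mapping is what the catalog would supply.
CONTROL = {
    "id": "CNSC-EX-001",
    "nist_800_53": ["SC-28", "IA-5"],
    "statement": "Sensitive values are injected from Secret objects or a secrets manager, "
                 "not as plaintext environment literals or ConfigMap entries.",
}

# Assumed heuristic for which env var names are treated as sensitive.
SENSITIVE_NAME = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY)", re.IGNORECASE)


def iter_containers(workload):
    """Yield containers from a bare Pod or from a Deployment/StatefulSet-style pod template."""
    spec = workload.get("spec", {})
    pod_spec = spec.get("template", {}).get("spec", spec)
    for key in ("initContainers", "containers"):
        for container in pod_spec.get(key, []):
            yield container


def assess(workload):
    """Return a machine-readable finding for one workload against CONTROL."""
    violations = []
    for container in iter_containers(workload):
        for env in container.get("env", []):
            if not SENSITIVE_NAME.search(env.get("name", "")):
                continue
            if "value" in env:
                # Literal value in the manifest: a secret stored in a non-secret resource.
                violations.append({"container": container["name"], "env": env["name"],
                                   "reason": "plaintext literal"})
            elif "configMapKeyRef" in env.get("valueFrom", {}):
                # ConfigMaps are not Secret objects and carry no secret-handling semantics.
                violations.append({"container": container["name"], "env": env["name"],
                                   "reason": "sourced from ConfigMap"})
            # secretKeyRef (or a CSI secrets-manager mount) is the recommended pattern.
    return {
        "control": CONTROL["id"],
        "nist_800_53": CONTROL["nist_800_53"],
        "resource": f'{workload["kind"]}/{workload["metadata"]["name"]}',
        "status": "fail" if violations else "pass",
        "evidence": violations,
    }


def assess_all(workloads):
    return [assess(w) for w in workloads]


# Constructed sample workloads; none of these come from a real cluster.
SAMPLE_WORKLOADS = [
    {"kind": "Deployment", "metadata": {"name": "api-good"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "api", "env": [
             {"name": "DB_PASSWORD",
              "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "password"}}},
             {"name": "LOG_LEVEL", "value": "info"}]}]}}}},
    {"kind": "Deployment", "metadata": {"name": "api-bad"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "api", "env": [
             {"name": "DB_PASSWORD", "value": "example-not-a-real-password"},
             {"name": "API_TOKEN",
              "valueFrom": {"configMapKeyRef": {"name": "app-cfg", "key": "token"}}}]}]}}}},
    {"kind": "Pod", "metadata": {"name": "worker"},
     "spec": {"initContainers": [{"name": "init",
                                  "env": [{"name": "SECRET_SEED", "value": "constructed"}]}],
              "containers": [{"name": "worker", "env": []}]}},
]

if __name__ == "__main__":
    print(json.dumps(assess_all(SAMPLE_WORKLOADS), indent=2))
```

Each finding names the control and its framework identifiers alongside the concrete evidence, which is what lets the same run serve the auditor (compliance validation) and the engineer (which container and variable to fix). Init containers are checked as well, since a secret leaked there is no less exposed than one in the main container.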

Collaborating Across the Ecosystem

Phase Two emphasizes collaboration, both within the CNCF community and beyond. The project seeks to integrate its efforts with existing tools and frameworks, avoiding redundancy while leveraging established expertise. Key collaborations include:

  • CNCF Projects: Working with projects that perform assessments, ensuring alignment and integration with broader cloud-native initiatives.
  • External Frameworks and Standards: Partnering with organizations like CSA, CIS, and NIST to enhance mapping and contribute to evolving benchmarks.

This approach prevents fragmentation and encourages the adoption of unified practices, mirroring the community-driven success of Kubernetes.

A Roadmap for Continuous Improvement

Phase Two is an ongoing effort, and its roadmap reflects the dynamic nature of cloud-native security:

  • Proof-of-Concept Development: Testing automated assessments in real-world scenarios to refine methodologies.
  • Iterative Design and Implementation: Building on existing work while incorporating community feedback.
  • Version Management: Accounting for updates to white papers, software tools, and compliance frameworks to ensure continued relevance.

By focusing on automation and collaboration, Phase Two promises to transform how teams approach cloud-native security, making compliance less of a burden and more of an opportunity to strengthen security.

Practical Applications and Challenges

With the groundwork of Phase One and the ambitious goals of Phase Two, the Cloud Native Security Controls Project provides a powerful framework for assessing and improving cloud-native security. However, implementing these concepts in real-world environments comes with its own set of practical applications and challenges.

Integrating Assessments Into Your Workflow

Adopting the tools and methodologies from the Cloud Native Security Controls Project requires embedding them into existing workflows. Here’s how you can integrate these assessments effectively:

  • Leverage Machine-Readable Outputs: Use automated tools to parse security assessments, reducing the need for manual analysis.
  • Tailor Assessments to Your Needs: Focus on controls relevant to your specific environment, such as those for storage, runtime, or deployment processes.
  • Collaborate Across Teams: Align security and compliance teams by using standardized controls, ensuring a shared understanding of goals and outcomes.

For example, if your compliance team requires evidence for ISO 27001 adherence, the catalog’s mapping to NIST 800-53 provides a clear starting point, while automated assessments generate the necessary reports with minimal effort.

Handling Multiple Configurations

Cloud-native environments are diverse, and there’s rarely a single way to achieve compliance. The project acknowledges this complexity by offering flexibility in how controls are implemented. Key strategies include:

  • Providing Options: Rather than prescribing a single solution, the catalog outlines multiple configurations that satisfy higher-level compliance requirements.
  • Encouraging Customization: Teams can adapt recommendations to their specific tools and architectures, such as choosing between Kubernetes secrets or an external secrets manager for sensitive data.

This flexibility ensures that the controls are applicable across various environments while still maintaining alignment with industry standards.

Managing Continuous Updates

One of the most significant challenges in cloud-native security is keeping pace with constant updates to software, frameworks, and white papers. The Cloud Native Security Controls Project addresses this by:

  • Version Pinning: Ensuring all assessments are tied to specific versions of controls, frameworks, and software to maintain consistency.
  • Iterative Mapping: Continuously refining mappings to incorporate updates from CNCF white papers, compliance frameworks, and community feedback.
  • Collaborative Maintenance: Engaging with the broader CNCF community to share the workload of updating and validating mappings.

For example, as CNCF releases new versions of the Cloud Native Security White Paper, the project ensures that its controls and mappings are updated to reflect the latest recommendations.
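Version pinning is easy to state and easy to get wrong in practice, so here is an added example (not project code) of what an assessment record pinned to a catalog version can look like and how a later catalog version is diffed against it: each control statement is fingerprinted at assessment time, and after an update the plan lists which results still stand, which controls changed wording and need re-running, which are new, and which were retired. Catalog versions, control IDs and statements below are constructed.

```python
"""Version-pinned assessment records and re-assessment planning after a catalog update.
Added example with constructed data; not the project's tooling."""
import hashlib
from dataclasses import dataclass


def fingerprint(text):
    """Stable content hash of a control statement so wording changes are detectable."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()[:16]


@dataclass(frozen=True)
class CatalogVersion:
    version: str               # catalog release, e.g. "1.0.0" (constructed)
    white_paper_version: str   # which white paper revision the controls were derived from
    controls: dict             # control_id -> statement text


@dataclass(frozen=True)
class PinnedAssessment:
    catalog_version: str
    control_fingerprints: dict  # control_id -> fingerprint of the statement assessed
    results: dict               # control_id -> "pass" / "fail"


def run_assessment(catalog, results):
    """Pin results to the catalog version and to each control's fingerprint."""
    return PinnedAssessment(
        catalog.version,
        {cid: fingerprint(text) for cid, text in catalog.controls.items()},
        dict(results),
    )


def reassessment_plan(assessment, current):
    """Classify every control as unchanged, changed, new or retired relative to the pin."""
    plan = {"unchanged": [], "changed": [], "new": [], "retired": []}
    for cid, text in current.controls.items():
        old = assessment.control_fingerprints.get(cid)
        if old is None:
            plan["new"].append(cid)
        elif old != fingerprint(text):
            plan["changed"].append(cid)
        else:
            plan["unchanged"].append(cid)
    for cid in assessment.control_fingerprints:
        if cid not in current.controls:
            plan["retired"].append(cid)
    return plan


def carry_forward(assessment, current):
    """Results reusable under the current catalog; changed and new controls become None."""
    unchanged = set(reassessment_plan(assessment, current)["unchanged"])
    return {cid: (assessment.results.get(cid) if cid in unchanged else None)
            for cid in current.controls}


# Constructed catalog versions (illustrative only).
CATALOG_V1 = CatalogVersion("1.0.0", "wp-v1", {
    "CNSC-EX-001": "Secrets are stored in Secret objects or a secrets manager.",
    "CNSC-EX-002": "Images are scanned for vulnerabilities before deployment.",
    "CNSC-EX-003": "Legacy control retired in the next version.",
})
CATALOG_V2 = CatalogVersion("1.1.0", "wp-v2", {
    "CNSC-EX-001": "Secrets are stored in Secret objects or a secrets manager.",
    "CNSC-EX-002": "Images are scanned and signature-verified before deployment.",
    "CNSC-EX-004": "Workload network policies default to deny.",
})

ASSESSMENT_V1 = run_assessment(CATALOG_V1, {
    "CNSC-EX-001": "pass", "CNSC-EX-002": "pass", "CNSC-EX-003": "fail"})

if __name__ == "__main__":
    print(reassessment_plan(ASSESSMENT_V1, CATALOG_V2))
    print(carry_forward(ASSESSMENT_V1, CATALOG_V2))
```

Pinning to a version string alone is not enough: a control can keep its identifier while its statement is tightened (CNSC-EX-002 above gains a signature requirement), and a stale "pass" carried forward on identifier match alone would misrepresent the environment. Fingerprinting the statement text catches that case.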

Navigating Common Challenges

Despite its benefits, implementing the Cloud Native Security Controls Project can pose challenges, such as:

  • Interpreting Broad Guidance: White papers often provide high-level recommendations, leaving room for interpretation. The project addresses this by offering specific examples and implementation guidance.
  • Aligning with Diverse Frameworks: Different compliance frameworks have unique requirements and mapping methodologies. The project uses composable mappings to bridge these gaps while acknowledging that no single solution fits all needs.

Get Involved With the Cloud Native Security Controls Project

The Cloud Native Security Controls Project is more than just a framework; it’s a collaborative effort to shape the future of cloud-native security. By participating in this initiative, you have the opportunity to contribute to a community-driven solution that simplifies compliance, enhances security, and empowers professionals across the industry.

The time to act is now. Join the conversation, share your insights, and be part of the movement to transform how we approach security and compliance in cloud-native environments.

How You Can Contribute

Whether you’re a cybersecurity manager, engineer, or auditor, there are several ways to get involved with the project:

  • Join the CNCF TAG Security Working Group: Participate in discussions, share your expertise, and contribute to the ongoing development of the controls catalog and automated tools.
  • Review and Provide Feedback: Examine the existing controls and mappings, suggesting improvements or identifying gaps based on your real-world experience.
  • Collaborate on Automation: Help refine the project’s approach to automated assessments, ensuring the tools meet the needs of diverse environments and compliance requirements.

For example, if your organization has expertise in mapping to specific frameworks like ISO 27001 or SOC 2, your input could strengthen the project’s cross-mapping capabilities.

The Value of Collaboration

The project thrives on collaboration, drawing from a wide range of perspectives within the CNCF and beyond. By contributing, you:

  • Shape Industry Standards: Influence how cloud-native security and compliance are approached on a global scale.
  • Learn From Peers: Engage with professionals tackling similar challenges, gaining insights and strategies you can apply in your own organization.
  • Build a Stronger Community: Help create unified solutions that reduce fragmentation and complexity across the industry.

Taking the First Step

Getting started is easy. The CNCF TAG Security group hosts regular meetings and maintains open channels for collaboration:

  • Join the Slack Channel: Connect with the team in the #tag-security-controls channel on CNCF’s Slack workspace to ask questions and share ideas.
  • Explore the GitHub Repository: Visit the project’s GitHub issue tracker to review ongoing work, find areas where you can contribute, and stay updated on developments.
  • Attend CNCF Events: Participate in talks and workshops to learn more about the project and its future direction.

By taking part, you not only enhance your own expertise but also help advance the collective mission of simplifying cloud-native security.

A Shared Vision for the Future

Solving the challenges of cloud-native security requires a united effort. By aligning individual contributions with the broader goals of the Cloud Native Security Controls Project, we can collectively reduce compliance toil, improve observability, and create a safer cloud-native ecosystem.
