Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Technology changes every year, and one of the biggest shifts over the last decade has been a deep investment into the use of containers. Containers offer a lot of potential benefits, particularly for information security, but they also present serious risks of their own. Those risks can be mitigated, but you need to understand that the problem exists before you can address it.

Depending on the field in which you work, you’ve almost definitely encountered an ISO standard. While these might not seem like they have much to do with one another, the chain that binds them all together is ISO itself. ISO, the International Organization for Standardization, and the 800+ committees that serve as expert boards in different fields, develop international standards to which businesses and organizations can be held.

PCI-DSS is one of the most widely used security frameworks around the world. Unlike frameworks like FedRAMP or CMMC, PCI-DSS is a global security standard, not a standard issued by the US Government. It’s the Payment Card Industry Data Security Standard, and it’s required for any business or entity that handles cardholder or authentication data. Merchants, payment providers, gateways, banks; they all need it.

One of the core pillars of the security perspective adopted by the Department of Defense is the so-called Zero Trust strategy. This strategy is the adaptation to evolving threats in the world, many of which prey on the presumption of trust from accounts and individuals that can be compromised. To protect controlled unclassified information and other sensitive data, the presumption of zero trust is necessary to eliminate many common threats.

The power of FedRAMP comes from standardization. By setting a firm baseline and forcing cloud service providers to adhere to it if they want to work with the government, a certain mandatory minimum level of security is enforced. A key part of FedRAMP as a security standard is that it’s not a fire-and-forget system. Instead, it involves constant, active vigilance through a process called continuous monitoring.

Kubernetes is an extremely powerful tool for scaling, automating, and managing applications and systems. There’s a reason it has become industry standard, with over 80% of container-using enterprises running K8s, encompassing over 60% of enterprises in general. It makes sense that, sooner or later, Kubernetes users will need to contend with the FedRAMP framework and the security requirements necessary to maintain operations. Fortunately, this is generally a good thing.

Here on the Ignyte blog, we talk a lot about general information security frameworks like ISO 27001 and government frameworks like CMMC and FedRAMP. But that doesn’t mean that’s all we understand. One of the most broadly used security standards in the world is PCI DSS. The Payment Card Industry Data Security Standard is the standard that must be upheld by any and all entities that handle, process, or store cardholder data and authentication data for payments.

A key part of any security framework, from FedRAMP to ISO 27001, is enforcement. Putting out a set of standards is only as effective as the ability to penalize failure to comply. Within the ISO ecosystem, compliance is validated through the use of external audits. The auditors will evaluate your organization based on both ISO standards and other external factors, like regulatory requirements within your industry.

Now that CMMC is a mandatory part of participating in the defense supply chain, a lot of businesses are starting to grapple with the requirements and what they mean for operations. One of the biggest roadblocks is the use of an MSP, or Managed Services Provider. MSPs are the backbone of many businesses that don’t have the resources to spin up entire architectures on their own. It’s a huge benefit and allows companies to exist when otherwise the investment to get started would be way too high.

What happens when there’s an unexpected interruption to your business? Certainly, it depends on the kind of interruption. The way your business handles something like a power outage can be quite different from how you handle a wildfire, which will be different from how you handle a cyberattack. The core principles are the same. You want to have ways to defend your business, to restore services, and to ensure continuity as much as possible.