User Access Reports for Kubernetes

Access reviews are mandated by regulations such as SOX, HIPAA, GLBA, PCI, NYDFS, and SOC-2. They are critical to helping organizations maintain a strong risk management posture and uphold compliance. These reviews are typically conducted on a periodic basis (e.g. monthly, quarterly or annually) depending on the organization's policies and risk tolerance.

Providing auditors with periodic access to user access reports for Kubernetes is a critical task for any typical platform team. This becomes onerous, especially for organizations that operate 10s or 100s of Kubernetes clusters used by 100s of app developers and SREs. Doing this via manual processes is impractical.

In this blog, we will look at why user access reports are critical for organizations and how Rafay's customers implement this with very high levels of automation.


Background

The goal of an access review for Kubernetes clusters is to check what resources users have access to and ensure that they only have access to the resources they need to do their job. This process ensures that users are provided with the least privileges they require and nothing more.
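As an added illustration (not from the original post, and not Rafay's code or report format), the sketch below shows what the raw material of such a review looks like on a plain Kubernetes cluster: RBAC bindings flattened into one row per subject, scope and rule, with cluster-wide wildcard grants flagged for the reviewer. The sample objects are constructed, and the names `build_access_report` and `needs_review` are hypothetical.

```python
from collections import defaultdict

# Constructed sample, shaped like items from
# `kubectl get clusterroles,roles,clusterrolebindings,rolebindings -A -o json`.
ITEMS = [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "payments"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "sre-admins"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "alice@example.com"}]},
    {"kind": "RoleBinding", "metadata": {"name": "dev-read", "namespace": "payments"},
     "roleRef": {"kind": "Role", "name": "pod-reader"},
     "subjects": [{"kind": "User", "name": "bob@example.com"},
                  {"kind": "Group", "name": "contractors"}]},
]

def build_access_report(items):
    """Flatten bindings into rows of (subject, scope, role, rule)."""
    roles = {}  # Roles keyed by their namespace; ClusterRoles by namespace None
    for o in items:
        if o["kind"] in ("Role", "ClusterRole"):
            key = (o["kind"], o["metadata"].get("namespace"), o["metadata"]["name"])
            roles[key] = o.get("rules") or []
    report = defaultdict(list)
    for o in items:
        if o["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ns = o["metadata"].get("namespace")  # None means cluster-wide
        ref = o["roleRef"]
        # A RoleBinding may reference a ClusterRole; the grant stays limited to ns.
        role_ns = ns if ref["kind"] == "Role" else None
        rules = roles.get((ref["kind"], role_ns, ref["name"]), [])
        for s in o.get("subjects") or []:
            for r in rules:
                wildcard = "*" in r.get("verbs", []) or "*" in r.get("resources", [])
                report[f'{s["kind"]}:{s["name"]}'].append({
                    "scope": ns or "<cluster>", "role": ref["name"],
                    "resources": r.get("resources", []), "verbs": r.get("verbs", []),
                    "review": wildcard and ns is None,  # cluster-wide wildcard grant
                })
    return dict(report)

def needs_review(report):
    """Subjects holding at least one cluster-wide wildcard grant."""
    return sorted(s for s, rows in report.items() if any(r["review"] for r in rows))

if __name__ == "__main__":
    rep = build_access_report(ITEMS)
    print(needs_review(rep), {s: len(rows) for s, rows in rep.items()})
```

Group subjects such as `contractors` still have to be expanded against the identity provider to get a per-person view; this sketch stops at what the cluster itself records.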

Most security frameworks used by organizations emphasize the importance of user access reviews and include access management controls within their requirements or guidelines. These frameworks include: SOC-1, SOC-2, ISO 27001, GDPR, HIPAA, PCI DSS, SOX, NIST 800-53, NIST CSF, FTC Safeguards Rule, NYDFS NYCRR 500, Cyber Essentials, CMMC, CIS, CJIS etc. User access controls are required for some of these frameworks, while others provide broader guidance on minimizing internal user access to reduce the impact of unauthorized access. If your organization is legally required to adhere to any of these frameworks, implementing user access controls is mandatory.


Where are User Access Reports Used?

A user access report for Kubernetes is a mission-critical capability. Here are examples of where security teams use the data from access reports:

Security and Risk Management

  • Identify Unauthorized Access: A user access report helps identify any unauthorized or unusual access patterns. This is crucial for detecting potential security breaches, insider threats, or compromised accounts.
  • Monitor Access to Sensitive Resources: For systems or data that are particularly sensitive, it’s important to regularly review who has access and ensure that only authorized users can reach those resources. The report provides visibility into these access levels, helping to prevent unauthorized access.

Compliance and Regulatory Requirements

  • Audit and Accountability: Many regulations, such as GDPR, HIPAA, SOX, and PCI-DSS, require organizations to keep detailed records of who has access to sensitive information or systems. A user access report provides the necessary documentation to meet these audit requirements.
  • Enforcing Least Privilege: Compliance standards often require that users have the minimum necessary access to perform their roles. Regular access reviews, facilitated by user access reports, ensure that privileges are appropriately assigned and maintained in line with these standards.

Prevent Privilege Creep

  • Avoid Accumulation of Unnecessary Permissions: Over time, users may accumulate more permissions than they need, a phenomenon known as "privilege creep." A user access report helps identify these cases, ensuring that permissions are regularly reviewed and adjusted to prevent excessive access.
  • Role Reassessment: By reviewing user access reports, organizations can reassess and realign roles, ensuring that users’ permissions reflect their current job responsibilities rather than outdated or excessive permissions.

Incident Response and Forensics

  • Post-Incident Analysis: In the event of a security incident, a user access report is invaluable for understanding who had access to the compromised systems or data. This information is crucial for forensic analysis and for determining the scope of the breach.
  • Quick Identification of Vulnerabilities: Regular access reporting can help quickly identify any vulnerabilities that could be exploited, allowing for rapid response to potential threats.

User Access Lifecycle Management

  • Onboarding and Offboarding: User access reports assist in managing the user access lifecycle, ensuring that new users are granted appropriate access during onboarding and that access is promptly revoked during offboarding or when roles change.
  • Temporary Access Management: For temporary access grants, such as contractors or project-based permissions, the report helps ensure that these access rights are revoked when they are no longer needed.

Supporting Governance Policies

  • Enforcing Governance Controls: A user access report is a key component in enforcing governance policies, ensuring that access controls are consistent with the organization’s security policies and objectives.
  • Transparency and Accountability: The report provides transparency into who has access to what, supporting accountability and enabling governance teams to maintain oversight over user permissions.

User Access Reports in Rafay

Customers use Rafay to centralize user access across their fleet of clusters that are cleanly organized into projects in their Org.

They also use Rafay to authenticate and authorize access using role-based access control (RBAC). Most customers integrate their Orgs with their corporate identity providers (IdPs) such as Okta to provide a single sign-on experience for their users.

In order to stay compliant with their security policies, they also integrate Rafay with their SIEM so that audit logs are streamed to it in real-time.

User access reports can be generated using the two approaches described below. Platform admins can also assign auditors a highly restrictive role that allows them to only generate user access reports.

On-Demand Reports

These can be generated ad hoc using the web console or programmatically using the Rafay RCTL CLI or the REST API.

Scheduled Reports

Authorized users can also schedule these reports to be automatically generated (via the web console or programmatically using the RCTL CLI or REST API).

By far the most common pattern used by customers appears to be one optimized for automation, i.e. an external system used by auditors (e.g. PowerBI) embeds Rafay's RCTL CLI or REST API to programmatically retrieve the user access report data. This data is then processed and presented to the auditor as required.


Summary

Learn more about how you can provide user access reports to auditors for your fleet of Kubernetes clusters using Rafay. Please contact us if you would like to schedule a demo. You can also sign up for a free Rafay Org.

Thanks to readers who spend time reading our product blogs. Please contact us if you would like us to write about other topics.