NeuVector provides auditing and container compliance features to assist with security compliance. All running containers and host OSs are automatically scanned for vulnerabilities and checked with the Docker Bench security tests. Network controls and firewall capabilities help to meet container compliance requirements for segmentation and isolation of critical systems.
The Docker Bench for Security checks for dozens of common best-practices around deploying Docker containers in production. It is open source and based on the CIS Docker Benchmark. NeuVector automatically runs this audit on all Docker hosts and containers and produces a list of test results.
NeuVector also tests for compliance on the 100+ recommendations in the Kubernetes CIS Benchmark for security. These test tools have been released as open source by NeuVector to help ensure secure Kubernetes deployments.
All running containers and host OSs are automatically scanned for vulnerabilities. The scanning tasks are distributed across Enforcers for real-time, highly scalable image vulnerability analysis.
NeuVector provides a distributed, multi-vector container firewall that provides segmentation and isolation based on L3/4 and Layer 7 application protocols. The policy is a zero-trust, whitelist-based rule list that allows trusted connections between application containers, regardless of the underlying network, host, or data center. Unauthorized connections between containers, or from/to external networks, are logged and can be blocked if desired, without impacting valid connections to a container.
Behavioral learning and real-time application protocol inspection enable NeuVector to be highly scalable without the common problems associated with firewall rule and iptables maintenance.
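As an added illustration (not NeuVector's code or its policy format), the following Python model shows the whitelist behaviour described above: allow rules are learned from a baseline of observed connections, then each new connection is matched on both L3/4 (group, protocol, port) and the inspected L7 application; anything not whitelisted is logged and, in protect mode, blocked. Group names and traffic are constructed.

```python
"""Toy model of a zero-trust, whitelist-based container firewall (constructed example)."""
from dataclasses import dataclass
from typing import List, Set, Tuple

# A rule key: (source group, destination group, protocol, port, L7 application)
Rule = Tuple[str, str, str, int, str]


@dataclass(frozen=True)
class Connection:
    src_group: str  # constructed group names, e.g. "frontend", "api", "db", "external"
    dst_group: str
    proto: str      # "tcp" or "udp"
    port: int
    app: str        # L7 application protocol as inspected on the wire, e.g. "http"


def learn_whitelist(baseline: List[Connection]) -> Set[Rule]:
    """Discover (learning) mode: each observed baseline connection becomes an allow rule."""
    return {(c.src_group, c.dst_group, c.proto, c.port, c.app) for c in baseline}


def evaluate(conn: Connection, rules: Set[Rule], mode: str) -> Tuple[str, str]:
    """Return (action, log_line). mode is "monitor" (log only) or "protect" (log and block)."""
    key = (conn.src_group, conn.dst_group, conn.proto, conn.port, conn.app)
    desc = f"{conn.src_group}->{conn.dst_group} {conn.proto}/{conn.port} app={conn.app}"
    if key in rules:
        return "allow", f"ALLOW {desc}"
    # Not whitelisted: always logged; only blocked when the policy is in protect mode.
    action = "deny" if mode == "protect" else "allow"
    return action, f"VIOLATION {desc} action={action}"


BASELINE = [  # constructed traffic observed during the learning phase
    Connection("frontend", "api", "tcp", 8080, "http"),
    Connection("api", "db", "tcp", 5432, "postgresql"),
]


def run_demo(mode: str) -> List[Tuple[str, str]]:
    """Learn rules from BASELINE, then evaluate four constructed connections."""
    rules = learn_whitelist(BASELINE)
    observed = [
        Connection("frontend", "api", "tcp", 8080, "http"),        # valid, whitelisted
        Connection("frontend", "db", "tcp", 5432, "postgresql"),   # frontend never talked to db
        Connection("frontend", "api", "tcp", 8080, "ssh"),         # L3/4 matches, L7 app does not
        Connection("external", "db", "tcp", 5432, "postgresql"),   # inbound from outside the cluster
    ]
    return [evaluate(c, rules, mode) for c in observed]


if __name__ == "__main__":
    for _action, line in run_demo("protect"):
        print(line)
```

Note that the third connection is rejected purely on the L7 check: it would pass a port-only firewall, which is the distinction the application-protocol inspection makes.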
The NeuVector container security solution provides a number of features that can help organizations with their PCI compliance efforts. Below is a sample of specific PCI requirements. This is not meant to be a complete list of container compliance requirements and controls, but it highlights the areas of network controls, host and Docker configuration, vulnerability scanning, and application isolation.