Latest Dynatrace Early Adopter
Dynatrace Security Posture Management (SPM) enables you to assess, manage, and take action on misconfigurations and violations against security hardening guidelines and regulatory compliance standards.
The following Security Posture Management flavors are available.
Dynatrace Kubernetes Security Posture Management (KSPM): Enables you to detect, analyze, and monitor misconfigurations, security hardening guidelines, and potential compliance violations across your Kubernetes deployment.
Runecast Cloud Security Posture Management (CSPM): Provides in-depth insights into the security posture of your cloud environments (AWS, Azure, and GCP).
Runecast VMware Security Posture Management (VSPM): Provides in-depth insights into the security posture of your VMware environments (vCenter and NSX-T).
A compliance standard groups together security, configuration, and process requirements, often following already established ICT security guidelines and best practices. Adhering to these can help organizations maintain regulatory-required levels of security hardening and minimize the risk of exposure across the organization.
Dynatrace Security Posture Management supports the following standards and technologies.
Kubernetes support is limited to compatibility with upstream Kubernetes, available for x86-64 CPU architectures only, and requires a minimum Kubernetes version of 1.26.
Supported versions are VMware ESXi 8.0 v1.1.0, VMware ESXi 7.0 v1.4.0, VMware ESXi 6.7 v1.2.0, and VMware ESXi 6.5 v1.0.0.
Minimum supported version is NSX-T 2.4.
C5, also known as the Cloud Computing Compliance Criteria Catalogue, developed by the German Federal Office for Information Security (BSI), outlines the basic requirements for secure cloud computing. It's primarily designed to provide a high level of assurance in the security of cloud services. While based on international standards such as ISO 27001, C5 goes further by incorporating additional controls tailored explicitly to cloud environments.
Supported version is C5:2020.
The German IT Baseline Protection (IT-Grundschutz) standard was established by the German Federal Office for Information Security (BSI) as a sound and sustainable information security management system (ISMS). IT-Grundschutz covers technical, organizational, infrastructural, and personnel aspects equally. With its broad foundation, IT-Grundschutz offers a systematic information security approach compatible with ISO/IEC 27001.
Supported editions are 2022 and 2023.
The Center for Internet Security (CIS) publishes the CIS Critical Security Controls (CSC) to help organizations achieve greater overall cybersecurity defense. These controls are a recommended set of actions for cyber defense that provide specific and actionable ways to stop today’s most pervasive and dangerous attacks. A principal benefit of the controls is that they prioritize and focus a smaller number of actions with high pay-off results.
The minimum Kubernetes version is 1.28.
Cyber Essentials is a United Kingdom security standard aiming to demonstrate that an organization has implemented minimum cybersecurity protections through annual assessments. It comprises fundamental technical controls to help organizations safeguard against common online security threats. The Cyber Essentials scheme is a government-backed framework supported by the National Cyber Security Centre (NCSC).
Supported version for Cyber Essentials: Requirements for IT infrastructure is v3.1.
Security Technical Implementation Guides (STIGs) are based on the standards of the Department of Defense (DoD). DISA STIG guidelines are often used as a baseline in other sectors or segments to ensure compliance with the standards and access to the DoD networks. All organizations must meet the DISA STIG security standards before accessing and operating on DoD networks.
Digital Operational Resilience Act (DORA) is a major piece of European Union legislation (Regulation (EU) 2022/2554). DORA aims to enhance the resilience of digital operations and protect the integrity of the financial market infrastructure in the European Union. Compliance with DORA is a pathway to creating a more secure and reliable digital environment within financial institutions. The act impacts day-to-day operations, security protocols, and compliance measures. DORA takes effect on January 17, 2025.
The Essential Eight standard is built on eight prioritized mitigation strategies designed to assist cybersecurity professionals in mitigating incidents caused by various cyber threats. Developed by the Australian Cyber Security Centre (ACSC), it's mandatory for all Australian non-corporate (federal) Commonwealth entities and highly recommended for other business organizations.
General Data Protection Regulation (GDPR) is a European privacy law designed to harmonize data protection regulations across the European Union (EU) by establishing a single, binding framework for all EU member states. GDPR.eu offers a comprehensive library of resources to assist organizations in achieving GDPR compliance.
The 1996 Health Insurance Portability and Accountability Act (HIPAA) mandated that the Secretary of the U.S. Department of Health and Human Services (HHS) establish regulations aimed at safeguarding the privacy and security of specific health information. In response, HHS introduced the HIPAA Privacy Rule and the HIPAA Security Rule, which are now widely recognized standards.
Supported version is 5/2005: rev. 3/2007.
ISO 27001 is one of the most globally recognized standards, offering a comprehensive Information Security Management Systems (ISMS) framework. It helps organizations align their security practices with international best practices and business, legal, and regulatory requirements. The standard encompasses all aspects of information risk management, from risk assessment to risk treatment, making it an essential tool in today's ever-changing cybersecurity landscape.
Supported version is ISO 27001/2022.
The Personal Data Protection Law (Turkish: Kişisel Verilerin Korunması Kanunu, KVKK) is a Turkish regulation that governs personal data protection and defines the legal obligations of entities and individuals handling personal data. This law ensures compliance with technical requirements for Data Protection, Data Access, and Audit readiness, modeled after the European Union’s General Data Protection Regulation (GDPR).
The National Institute of Standards and Technology (NIST) publishes the NIST SP 800-53, which offers security and privacy controls for information systems and organizations. Per the Office of Management and Budget (OMB), the NIST standards and policies are mandatory for all non-national security systems run by federal agencies in the USA.
Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements to ensure that companies that process, store, or transmit credit card information operate in a secure environment. Developed to address the increasing risk of data breaches in payment card systems, PCI DSS is crucial for any business accepting, handling, or storing payment card information.
Supported version is PCI DSS v4.0.
The Trusted Information Security Assessment Exchange (TISAX) is a prominent information security standard in the automotive industry, developed by the German Association of the Automotive Industry (VDA). TISAX requirements are outlined in the Information Security Assessment (ISA) catalog, which is managed by the ENX Association. These requirements are based on the international ISO/IEC 27001 standard for information security management, with additional provisions explicitly tailored to the automotive sector.
Supported version is VDA ISA 5.1.
The VMware Security Configuration Guides provide guidance on how to deploy and operate VMware products in a secure manner.
Supported version is vCenter Server 8.0 Update 3.
Kubernetes Security Posture Management
Provides in-depth insights into the security posture of your Kubernetes environments.
Monitors against regulatory security and compliance standards.
Analyzes the Kubernetes environment from the cluster to the nodes and pods against regulatory requirements.
Provides actionable findings that allow you to
Kubernetes Security Posture Management is licensed based on the consumption of host-hour and requires the Dynatrace Platform Subscription.
To get started, see Kubernetes Security Posture Management.
Dynatrace ingests configuration data from your clusters and workloads into Grail, where it's formatted into compliance events according to the Semantic Dictionary conventions.
The mechanism is described below.
Once you enable Dynatrace Kubernetes Node Configuration Collector in Dynatrace Operator, it's deployed as a DaemonSet on your monitored cluster's nodes to collect cluster and workload configuration data.
ActiveGate processes all data received from the nodes and the Kubernetes API and sends it to the Dynatrace Cluster.
The cluster and workload configuration data is mapped as compliance events according to the Semantic Dictionary and stored in the default_security_events bucket (for details, see Built-in Grail buckets).
Once data is ingested into Grail, you can analyze your clusters' security posture and evaluate your compliance with industry standards. For details, see What's next.
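As an added example that is not part of the Dynatrace documentation, the following DQL query summarizes the ingested compliance events per standard and cluster so that the clusters with the most failed checks surface first. The event type value and the field names (compliance.standard.short_name, compliance.result, k8s.cluster.name) are assumptions about the Semantic Dictionary schema; verify them against the Semantic Dictionary before relying on the query.

```dql
// Added example, not from the original page.
// Assumed schema: compliance events carry event.type "COMPLIANCE_FINDING",
// compliance.standard.short_name, compliance.result and k8s.cluster.name.
fetch security.events
| filter dt.system.bucket == "default_security_events"
| filter event.type == "COMPLIANCE_FINDING"
| summarize findings = count(),
            failed = countIf(compliance.result == "FAILED"),
            by: {compliance.standard.short_name, k8s.cluster.name}
| fieldsAdd failed_ratio = failed / findings
| sort failed desc
```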
Once you set up Kubernetes Security Posture Management, you can
Try the Security Posture Management app and share your feedback to help us improve.