Welcome to the Red Hat Advanced Cluster Security for Kubernetes Roadmap Update, or as we like to call it, What's Next for ACS. In this video, we'll review the full product roadmap update for ACS that includes vulnerability management, policy and violation management, hardening and platform support, ACS cloud service, and much, much more. Everything is timestamped in the description below, so you can click on your desired section.
Let's get into it. But before we do, there's some important context I want to go over with you about how we break down features in this roadmap. The roadmap will be divided into three parts.
The first part is the near term roadmap, with the second part being the mid term roadmap. Then finally, there are the long term roadmap points. And of course, an important disclaimer is that the content presented in this roadmap is for informational purposes only, and all timelines, features, and priorities are subject to change without notice.
Now with every new ACS release comes a new support cadence. ACS full support begins at the general availability of the minor version and ends after a six month period, after which maintenance support kicks in. Now we expect ACS customers to try and keep their environments on the most current supported micro version, and I'll leave some notes in the description below if you want to take a look at the full support cadence and the OpenShift operator life cycles.
I also want to point out the plan for releases in 2025, with the next ACS release having a short turnaround, with ACS 4.7 targeted for March. Let's start with vulnerability management and the near term goals.
Now when it comes to SBOM generation, or Software Bill of Materials generation, it's about breaking down your software into key parts, components, dependencies, and libraries, so you can have a full view of what is in your container images. Now on to EPSS and EPSS scores. It's a game changer for prioritizing CVEs as it leans on the EPSS framework to assign probability scores based on the likelihood that a vulnerability will be exploited.
This helps you focus on what's likely to be exploited instead of chasing every vulnerability in your environment. Finally, there's a ServiceNow integration for vulnerability response so that organizations can easily build custom workflows to assign remediation tasks to appropriate owners, with the end goal of automating that process via a two way connection. On to the midterm goals: we want to identify base image layers and help teams know who is responsible for fixing images.
Next, vulnerability reporting for virtual machines on OpenShift. Now, this adds security for virtual machine workloads, as ACS scans vulnerabilities for both virtual machines and containers. Enriched vulnerability data with the CISA-maintained Known Exploited Vulnerabilities catalog, or KEV.
This prioritizes fixing vulnerabilities that are already being actively exploited. ACS will use the CISA KEV catalog for real time updates on active threats. Lastly, AI based CVE prioritization.
ACS will generate an exploit score from an exploitability AI threat prediction model, helping customers with remediation prioritization based on the exploit score. Lastly, the long term goal for vulnerability management is to move that prioritization to GA, supporting the topic from our midterm goal. We then want to import SBOMs and export vulnerability reports, making tracking vulnerabilities from different sources easier.
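As an added illustration (not ACS code or ACS output), here is one way the EPSS-plus-KEV prioritization described above can be expressed: known-exploited CVEs first, then CVEs with a high EPSS probability, with CVSS severity only as a later tiebreaker. The findings, the KEV set and the 0.10 EPSS threshold are constructed assumptions for the example.

```python
"""Rank vulnerability findings by exploitation likelihood (EPSS) and
CISA KEV membership rather than by CVSS severity alone."""

# Constructed sample findings; ids, CVSS and EPSS values are illustrative, not real data.
FINDINGS = [
    {"cve": "CVE-0000-0001", "cvss": 9.8, "epss": 0.004, "fixable": True},
    {"cve": "CVE-0000-0002", "cvss": 7.5, "epss": 0.350, "fixable": True},
    {"cve": "CVE-0000-0003", "cvss": 6.1, "epss": 0.020, "fixable": False},
    {"cve": "CVE-0000-0004", "cvss": 5.3, "epss": 0.001, "fixable": True},
    {"cve": "CVE-0000-0005", "cvss": 8.1, "epss": 0.120, "fixable": False},
]

# Constructed stand-in for the CISA KEV catalog: CVE ids with confirmed in-the-wild exploitation.
KEV = {"CVE-0000-0003"}

# Assumed threshold: EPSS is the estimated probability of exploitation within 30 days,
# so 0.10 (10%) is a tunable cut-off chosen for this example, not an ACS default.
EPSS_HIGH = 0.10

BUCKET_LABELS = {
    0: "P0 known exploited",
    1: "P1 likely exploited",
    2: "P2 critical severity",
    3: "P3 backlog",
}


def priority_bucket(finding, kev):
    """Return 0..3; lower is more urgent."""
    if finding["cve"] in kev:
        return 0  # actively exploited: fix regardless of CVSS score
    if finding["epss"] >= EPSS_HIGH:
        return 1  # high probability of exploitation
    if finding["cvss"] >= 9.0:
        return 2  # critical on paper, but little exploitation signal
    return 3


def prioritize(findings, kev):
    """Order findings by bucket, then EPSS, then CVSS; fixable items lead unfixable ties."""
    return sorted(
        findings,
        key=lambda f: (priority_bucket(f, kev), -f["epss"], -f["cvss"], not f["fixable"]),
    )


def remediation_queue(findings, kev):
    """Return (cve, label) pairs in the order a team should work them."""
    return [(f["cve"], BUCKET_LABELS[priority_bucket(f, kev)]) for f in prioritize(findings, kev)]


if __name__ == "__main__":
    for cve, label in remediation_queue(FINDINGS, KEV):
        print(f"{label:22} {cve}")
```

Note that the CVSS 9.8 finding lands fourth: with an EPSS of 0.4% it is outranked by a KEV entry and by two lower-severity CVEs that are far more likely to be exploited.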
Users can import SBOMs and create more detailed reports. Third, image mode for Red Hat Enterprise Linux vulnerability scanning. This integrates ACS into CI/CD pipelines to improve security checks.
It also helps identify vulnerabilities in RHEL-based images and app layers separately. Lastly, z-stream based remediation guidance for OpenShift. This helps teams fix risk in OpenShift images, as ACS will keep up with Red Hat's weekly security patches and forward remediation advice.
Next, policy and violation management, where in the near term the focus is on policy as code, specifically its general availability. Policy as Code lets you manage policies as custom resources in OpenShift, automating workloads with tools like OpenShift GitOps, Argo CD, and with upcoming updates that will make it easier to specify notifiers and clusters by name while stabilizing the API. Next, we have a User Workload Focus.
Now this groups violations into user workloads and platform workloads to reduce noise and remove unnecessary policy violations from platform related components. On to the midterm goals. Enhanced violation management integrates with tools like ServiceNow and Splunk for better tracking and resolving of policy violations.
The policy as code is set to expand policy management to include system level policies and API workflows for more flexibility. Integration with other policy engines. This will support third party policy systems so customers can integrate external engines with ACS.
Violations reporting. This improves reporting to make compliance tracking easier and more visible. Lastly, the long term goals are policy model enhancements.
This separates policy rules from behaviors like notifications, enforcement, and scope, making policies more scalable and flexible. Lastly, AI assistance for policies. This uses artificial intelligence to spot policy gaps and suggest priorities for improvement.
First up in risk and configuration management, the near term goals, an action based risk dashboard. This new dashboard is designed for developers and security teams. So what's in it for developers?
They'll be able to spot and fix high risk vulnerabilities in their applications quickly. For security folks, it offers a clear view of critical risks across the organization so they can take action where it matters most. We're also adding custom rules to fit your business needs and making the risk views more intuitive and actionable.
Moving on to midterm goals, RBAC Insights helps simplify the complexity of managing roles in Kubernetes clusters across an organization. With a clear graphical view of role bindings, administrators can quickly spot inconsistencies, identify users with access privileges, and update access controls as needed. This makes maintaining security and ensuring access for the right users easier.
Now looking further ahead, we're excited about AI assisted risk recommendations. Imagine having me do all the heavy lifting by highlighting the most critical vulnerabilities and giving you straightforward recommendations on how to fix them. This will make it much easier to focus on the biggest risks in your clusters and take meaningful action.
Finally, we're expanding policy based configuration management to cover more Kubernetes resources like RBAC policies, with the goal of giving you a centralized, secure way to manage all your configurations across your Kubernetes clusters. On to compliance and the near term goals. First, we're adding scheduling and visualization for tailored compliance profiles in ACS. This helps you focus on specific compliance controls across multiple benchmarks and makes tracking compliance across OpenShift clusters easier.
Next, compliance as policy. ACS policies will help monitor compliance for both infrastructure and applications. This expands compliance checks to include applications, starting with the CIS benchmarks and Docker workloads.
On to midterm goals. Compliance trending. We're introducing historical data for compliance scans.
This allows organizations to track compliance trends over time, spot gaps, and take action for infrastructure and workloads. And in long term goals, we're aiming for easy creation of tailored profiles. Simplifying how tailored compliance profiles are created for OpenShift clusters makes managing compliance standards much more flexible and user friendly.
And lastly, compliance for OCP virtualization. We want to expand compliance management to include the hypervisor layer and OpenShift virtualization clusters. This targets hypervisor compliance.
It doesn't include guest OS, but it still extends the compliance visibility to virtualized environments. Now in runtime and networking in the near term goals, we have external traffic visibility and threat detection. We're adding detection and blocking capabilities for communications with malicious IPs directly in the network graph.
The GA release will include custom policies that alert users when known malicious IPs are contacted, helping users take proactive security measures. Automatic alerts for suspicious activity. Introducing automatic alerts for unusual process and network activity.
These alerts are triggered automatically. No need for manual baseline locking to avoid overhead. This feature is off by default, giving customers control over when to enable it.
In the midterm, we are focused on improved isolation insights, enhancing the network graph to better summarize deployment isolation. This covers ANP and BANP and user defined networks.
This helps support OpenShift's app isolation features and simplifies network management with clear insights and better visualization. For long term goals, threat detection on OCP virtualization workloads. This expands ACS to visualize traffic and detect threats for workloads running on OpenShift virtualization and extends threat detection to virtualized environments, boosting security for OCP virtual users.
On to UX and Red Hat portfolio integration. In the short term, we want to focus on our reporting and views workflows to create a seamless experience for curating security findings and enabling ad hoc reporting directly from views. This allows users to quickly export for analysis with minimal effort and save configurations as customized views for applicable workloads.
We're also embarking on delivering more tailored segmentation of the security layers with a jobs to be done approach. We are making incremental improvements towards restructuring our access patterns and optimizing security workflows to provide the most relevant insights. When considering security teams, platform engineers, developers, and auditors, we aim to align with the key remediation areas, ensuring workflows are specialized, while remaining cohesive to improve user satisfaction across all roles.
Midterm goals include investing further into areas such as Red Hat Developer Hub to assist developers with understanding their application security posture, and separately, making improvements to areas around GRC to consolidate policy and compliance workflows more effectively. And for our long term goals, we want to build on the broader OpenShift story by enhancing our integrations and presence directly into the OCP console for a more seamlessly integrated security and management solution.
Beyond that, we'll be exploring Lightspeed capabilities and leveraging AI to help operationalize ACS with more enriched discovery and guidance tools, taking a risk driven perspective to signal the attack paths and exposures that are most critical in your environment. On to hardening and platform support. Now in the near term, FIPS 140 support.
ACS is now designed to meet FIPS 140 regulatory requirements. This means when running in FIPS mode on OpenShift, ACS will use RHEL cryptographic libraries to stay compliant. There is a note that FIPS mode requires ACS to be installed on OpenShift clusters configured specifically for FIPS as outlined in the documentation.
Automatic rotation of internal TLS certificates. We're automating the renewal of internal TLS certificates used for secure communication between ACS components. This removes the need for manual renewals, which is a game changer for customers managing many secured clusters.
It also addresses compliance and operational pain points raised from customer feedback. Next, init bundle separation, separating cluster bootstrap credentials from internal TLS certificates. This will improve security by ensuring bootstrap credentials are only used for cluster registration. In the midterm, post quantum cryptography capable.
We're introducing initial support for post quantum cryptography algorithms for digital signatures. This aligns with the NIST roadmap and prepares ACS for future cryptographic standards. Improvement to cluster registration secrets, transitioning bootstrap credentials to short lived, limited use credentials.
The benefit is configurable expiration, which ensures credentials are only used for cluster registration and reduces the risk of misuse or prolonged validity. Now in the long term, post quantum cryptography ready, expanding that post quantum cryptography support to include additional algorithms for digital encryption. This ensures ACS is resilient as cryptographic standards evolve.
Lastly, integration with SPIFFE/SPIRE. Using SPIFFE IDs to authenticate communication between Central and Sensor components. This simplifies secure cluster registration and enhances authentication mechanisms.
On to ACS Cloud Service, where in the midterm, we're examining ACS Cloud Service self service capabilities. We're introducing these self service features, allowing customers to manage and configure their ACS cloud service instances independently. This gives customers more autonomy over their instances and reduces reliance on support for routine configurations.
Lastly, in the long term goals, ACS cloud service FedRAMP certification. We're working to make ACS cloud service available on GovCloud to meet federal compliance standards, ensuring federal customers have access to FedRAMP certified service. Lastly, the Azure marketplace availability.
We plan to bring ACS Cloud Service into the Azure marketplace. This simplifies procurement and allows deployment for customers using Azure, expands accessibility, and again, allows them to leverage a widely used platform. On to our last topic, ecosystem. Now, in the near term, we're looking at a ServiceNow integration, enabling seamless collaboration between ACS and ServiceNow for vulnerability response and alert management.
This helps our users streamline their workflows for handling vulnerabilities and alerts. It also enhances coordination between teams using ServiceNow, making processes more efficient. In the midterm, we're enhancing the Sigstore integration.
We're adding keyless image signature verification support to improve software supply chain security. This will help automate certificate verification by pulling short lived keys from Rekor during deployment. It also increases trust in image signatures without the hassle of manual certificate management.
In the long term, we're adding additional information sources, integrating data from other security tools to enrich ACS insights. This will help provide a more comprehensive view of vulnerabilities and threats, enhancing overall security visibility. Lastly, cloud providers integration.
We're expanding support to integrate with cloud security tools. This will simplify managing cloud native environments for our customers. And our approach will promote secure best practices by using short lived credentials with Identity Federation to enhance security and streamline cloud service integration.
Now that's all the topics that we had to cover today. Additional resources will be listed in the description below.