Datica's Compliant Kubernetes Service (CKS) makes your cloud workloads compliant to the standards of HIPAA, HITRUST, GDPR, GxP and more.

1. + =
Compliant Kubernetes Service (CKS)
Security and compliance for a containerized cloud

2. Why Kubernetes?
• 2014: Datica builds the Legacy Platform (PaaS) from scratch — almost
every component was built by Datica engineers;
• 2015: Many modern, standard, orchestration and containerization
tools were immature, and not ready for production use at the time —
Kubernetes didn't hit a 1.0 release until summer 2015;
• 2014-2018: Many customer’s needs grow over this period of time. The
Platform becomes too restrictive and inflexible for their use cases.

3. Why Kubernetes?
• The road to Kubernetes: We began looking into Kubernetes as a
replacement for our Platform;
• Replacing the Platform: During testing, POC and market validation,
we made the decision to go all in on K8s and build a compliant
kubernetes offering.

4. Why Kubernetes?
• Benefits of Kubernetes: Open source community backed by hundreds
of technology organizations world-wide, mature enough for
production, alignment of values, cloud agnostic, etc.

5. The CKS Model
• Deployment model: CKS is deployed into your AWS account (“On-
account”). Datica locks down the underlying infrastructure and
configures compliance checks to ensure you’re continuously
compliant against HIPAA, HITRUST CSF, GDPR, GxP, and more;
• Compliance value: Datica still maintains our first-in-class BAA
ensuring that we take on as much liability as possible;

6. The CKS Model
• Support: Datica offers basic support and premium support. Like most
Kubernetes managed services, Datica’s support model ensures the
cluster’s master control plane is functioning properly;
• Services: Datica offers compliance and security services to help you
strengthen your compliance posture in the cloud.

7. The CKS Model
• On-going maintenance: Datica manages major Kubernetes and
managed deployment upgrades and patching. In addition, Datica also
ensures the underlying operating system (CoreOS) is patched and up
to date.

8. Logging collection: CKS ships with a pre-configured instance of
FluentD — responsible for ensuring logs are collected and made
available to the entire system;
Logging access: Alongside of FluentD, CKS ships with
Elasticsearch — responsible for archiving logs and providing
them to the logging UI;
Logging

9. Core monitoring: In an effort to ensure compliance, health of
the Kubernetes cluster, associated hosts, and containers, each
CKS license comes pre-configured with a Prometheus
monitoring instance;
Visualization: To expose the monitoring work being performed
by Prometheus, CKS comes pre-configured with a Grafana
instance for visualizing your logs in realtime;
Monitoring

10. Vulnerability management: A core component of compliance,
and essential to mapping CKS to the HITRUST CSF, Datica
provides external vulnerability scans via Nessus. In addition to
that, our system is aware of what is happening on the CKS layer
through configuration monitoring and management;
Intrusion detection: As another core component of compliance
is an effective intrusion detection system. CKS ships with a pre-
configured instances of Falco to manage intrusions and access;
Vulnerability Scanning & Intrusion Detection

11. Antivirus: In an effort to to detect viruses, malware, trojans &
other malicious threats, each Datica CKS cluster ships with an
instance of ClamAV.
Backups: All volumes are automatically backed up to S3 (Azure
Block Blob) on CKS.
Antivirus & Backups

12. Shared Responsibility Model
Application SecurityYou Training User Policies Admin Compliance
Container
Orchestration
Datica OS Level Patching Volumes Backups Key Management
System
Configuration
Disaster Recovery Intrusion Detection Logging
Breach Reporting
Vulnerability
Scanning
Antivirus Monitoring
Encryption Networking Updates
HardwareAWS AZ/Regions Edge Locations Physical Security

13. Shared Responsibility Model
Datica’s Cloud
Cloud Compliance
Management System
Secured ingestion
connection from your
cluster to the Datica
HCMS.
Datica’s Responsibility
Your Responsibility
Your Cloud Account
Kubernetes
Datica secures and
locks down your
cloud infrastructure.
Datica is responsible
for the compliance
“of” the cluster.
You are responsible
for compliance
within the cluster
(your containers).
Datica secures the
firewall between your
cluster and the rest
of your cloud
account.