The Center for Internet Security® (CIS®) has officially published guidance for hardening Red Hat OpenShift Virtualization. The official publication of the new CIS Benchmark® for Red Hat OpenShift Virtualization is an important development for organizations running traditional virtual machines (VMs) alongside modern containers. OpenShift Virtualization is a feature of Red Hat OpenShift that allows existing VM-based workloads to run directly on the platform. This globally recognized, consensus-driven benchmark provides recommendations for creating a security-focused configuration for those environments. Who is CIS and what is a CIS Benchmark? CIS is a community-driven nonprofit organization, which aims to "make the connected world a safer place" for businesses, governments, and people by developing and promoting best practice solutions. The CIS Benchmarks are one of those core solutions. They are a set of globally recognized best practices to help secure configuring operating systems (OSs), servers, and other technology. Developed and maintained by a global community of IT professionals, the CIS Benchmarks provide prescriptive instructions for creating a security-focused configuration baseline. The new CIS Benchmark for OpenShift Virtualization was developed based on the OpenShift Virtualization Hardening Guide. Key security optimizations The CIS Benchmark provides detailed recommendations to strengthen your security posture by focusing on 4 key areas of optimization, including: - Harden the platform from the ground up: This includes guidance on restricting GPU and USB pass-through to approved devices and disabling non-essential feature gates. - Control workloads at every layer: The CIS Benchmark provides fine-grained controls, such as restricting exec and virtual network computing (VNC) access to approved administrators and disabling features like guest-memory overcommit. - Segment and protect network traffic: This area focuses on using networking controls like Virtual Local Area Networks (VLANs) to isolate tenant or application traffic and applying Media Access Control (MAC) spoof filtering. - Safeguard data integrity in storage: This extends security policies into the storage plane, with recommendations to restrict data volume cloning across namespaces and disable unnecessary shareable disks. How to implement Here is the good news: implementing this benchmark is less about complex reconfiguration and more about simple verification. Because OpenShift Virtualization is engineered to have maximum security controls in place out-of-the-box, you likely have the majority of these protections in place already. The benchmark simply acts as prescriptive guidance to help you audit your environment. To get started, just cross-reference your current setup against the OpenShift Virtualization Hardening Guide to ensure those standard safety settings haven’t been altered. Get the CIS Benchmark By implementing the CIS Benchmark for OpenShift Virtualization, your organization can enforce consistent security capabilities across workloads on your hybrid cloud platform, protecting both your containerized and virtualized applications. To see the full list of recommendations and download the CIS Benchmark, visit the official CIS Benchmarks page. Hub Red Hat Product Security About the author More like this File encryption and decryption made easy with GPG Deploy Confidential Computing on AWS Nitro Enclaves with Red Hat Enterprise Linux What Is Product Security? | Compiler Technically Speaking | Security for the AI supply chain Browse by channel Automation The latest on IT automation for tech, teams, and environments Artificial intelligence Updates on the platforms that free customers to run AI workloads anywhere Open hybrid cloud Explore how we build a more flexible future with hybrid cloud Security The latest on how we reduce risks across environments and technologies Edge computing Updates on the platforms that simplify operations at the edge Infrastructure The latest on the world’s leading enterprise Linux platform Applications Inside our solutions to the toughest application challenges Virtualization The future of enterprise virtualization for your workloads on-premise or across clouds