Kubernetes Risk Management: A Framework to Assess Kubernetes Security Risk in Bank XYZ

Abstract

This study aims to design and implement a Kubernetes Risk Management Framework (Kube-RMF) tailored to Bank XYZ’s digital banking environment in compliance with Indonesian financial regulations. Using a qualitative descriptive method, the research integrates industry best practices such as CIS Kubernetes Benchmarks, OWASP Kubernetes Top 10, and NIST SP 800-190 with the requirements of POJK 11/POJK.03/2022. Data collection was conducted through document analysis, in-depth interviews with IT security, DevOps, and compliance teams, and technical vulnerability scanning using tools like Trivy and kube-bench. Risks were identified and assessed by mapping threats and vulnerabilities to Kubernetes assets, defining Key Risk Indicators (KRIs), and applying scenario analysis based on ISACA’s Risk IT Framework. A gap analysis compared current practices to the designed Kube-RMF, followed by a pilot implementation on AWS EKS to evaluate effectiveness. Results show that misconfigurations are the most prevalent security risk, followed by exposed APIs, insufficient access control, and unscanned container images with critical vulnerabilities. Implementation of Kube-RMF reduced high-risk vulnerabilities, improved compliance readiness, and shortened detection time from weeks to hours. Embedding security into CI/CD pipelines also enhanced collaboration across teams without slowing development cycles. Despite challenges such as change resistance, skill gaps, and limited monitoring resources, Kube-RMF effectively bridges regulatory compliance and operational needs, strengthening resilience against evolving cloud-based cyber threats.