The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, announced the graduation of Argo, which will join other graduated projects such as Kubernetes, Prometheus, and Envoy.
The move to the cloud has steadily grown over the last decade, with more and more cloud-based applications released on a nearly daily basis. This growth is expected to accelerate even more in 2021, with a recent survey finding more than 40 percent of North America enterprise leaders want to significantly increase cloud spending this year. The pandemic has instigated a sense of urgency from leadership to ensure cloud applications are protected and as a result, security teams have had the considerable task of protecting these rapid deployments under extreme time constraints. Cloud computing and cloud native applications have become the foundation of digital business and security leaders must have the skills to protect them.
At the heart of these cloud-native applications is Kubernetes — one recent report found 85 percent of IT leaders agree that it is key to cloud-native application strategies. Kubernetes is a fast-moving and often complex platform that requires users to stay up to date on new skills and technologies. Because of this, cloud-native applications have been a hot target for hackers with discoveries of malware campaigns like Hildegard highlighting how groups are able to launch a large-scale attack through a Kubernetes cluster when organizations are not resilient.
If security teams cannot prioritize or secure their Kubernetes deployment, the entire cloud application stack and larger organization are at high risk. When not protected, attackers are able to take advantage of cluster settings and escalate privileges to gain full control, which can result in company breaches and the exploitation of private data. Cybersecurity teams should follow these steps to better protect their data stored in the cloud from attack.
1. Configure the Kubernetes orchestration layer
The Kubernetes orchestration layer is an integral part of cloud-native platforms and allows for the optimization and streamlining of repeatable processes. It turns individual tasks in the cloud into an optimized workflow — reducing errors and increasing cost efficiency. It's essential that the orchestration layer is configured for ongoing protection and compliance.
Instrumenting and hardening Kubernetes for a secure deployment can often be complex and is best actioned by organizations in four stages.
1. Aligning on policies: Businesses must configure and use Kubernetes-native security controls including role-based access control (RBAC), pod security policies (PSP), network policies, and secrets management. These should be used, as a small change during deployment — like exposing an RDP port — could lead to a severe breach.
2. Better connecting DevOps and security: Locking down both the Kubernetes control and data plane configurations should be a priority for IT teams. There is an overwhelming number of settings that DevOps and security teams must collaborate on to set correctly and lock down a Kubernetes deployment.
3. Adding in an extra layer: Organizations should consider augmenting Kubernetes-native functions with additional controls, including micro-segmentation firewalls, encryption, and image scanning. Doing this ensures applications stay in compliance and secure in an ever-changing landscape.
4. Adopting a service mesh: A service mesh allows users to control how different elements of a cloud application share data with one another. This infrastructure layer in the cloud can document how Kubernetes applications interact. Configuring and protecting the broader Kubernetes ecosystem with service mesh mitigates risk between Kubernetes services through end-to-end encryption, saving time for IT teams in the long run.
2. Prioritize Kubernetes visibility and control
Observability and insight into an organization's Kubernetes is essential to achieving and maintaining cloud security. IT teams should aim for deep visibility into Kubernetes app performance, security, and availability to protect and evolve their infrastructure and business. With insights, IT teams can reduce outages and downtime, understand who and what is accessing and running their Kubernetes environment, discover the cause of potential cloud issues, and detect potential vulnerabilities.
Developing a deep level of visibility requires entrenched hooks in the container environment with access to core Kubernetes attributes, which is impossible through log monitoring alone. A Kubernetes security approach should provide kernel-level visibility into all Kubernetes activity, configuration settings, and security controls.
3. Utilize the CIS benchmark as a guardrail
Kubernetes has hundreds of possible configuration settings and many of them have profound security and compliance implications, often making it challenging for IT teams to configure their deployment securely. To address this concern, the Center for Internet Security (CIS) has shared a security guideline for configuring both the Kubernetes control and data planes. The CIS shares detailed recommendations around control plane components and configuration, worker nodes, kubelet, policies (including pod and network-specific), secrets management and admissions control. It is recommended that experts automatically run the CIS benchmarks to protect their Kubernetes deployment to its fullest extent. Teams should continue tracking and monitoring their clusters in real time and flag when a configuration change differs from a benchmark recommendation. If this is done routinely, the CIS benchmark becomes a strong guardrail that allows teams to adjust a deployment without impacting their security and compliance posture.
Kubernetes is an essential part of an organization's cloud platform and should be prioritized when taking steps to secure company data. Focusing on Kubernetes visibility, activity and configuration reduces the potential risks of blind spots and unforeseen attacks. Instrumentation and control of Kubernetes, in addition to leveraging the CIS benchmark, are essential steps to protecting Kubernetes in 2021 and beyond.