Securing Kubernetes – Nature and Nurture Plus Insurance
April 26, 2022

Gaurav Rishi
Kasten by Veeam

Just like health in humans where both nature (e.g., your genetic traits) and nurture (e.g., diet and exercise) play an important role; a healthy Kubernetes deployment too needs to have the right start with secure foundations, as well as secure operational practices to keep your clusters running. However, accidents do occur, and things go wrong unexpectedly, so it is critical to invest in an insurance policy with Kubernetes data protection.

Going to the Gym – Secure Operations

A recent report from the NSA provides a Kubernetes Hardening Guide that is a good example of best practices that serve as a defense against supply chain risks, malicious actors as well as insider threats.

Security hygiene practices of container scanning, encrypting data, segmenting networks, etc. are highlighted well in this guide. Implementing and adhering to these processes starts with organizations understanding the unique risks and challenges that come with securing Kubernetes clusters.

Old methods and tools that relied on securing perimeters and firewalls do not work in this growing cloud-native environment, so it is critical to invest in educating and retooling. Cloud-native applications, built as microservices employ a variety of open-source modules and are deployed in distributed environments, obsoleting the traditional notions of static IP address-based security and enforcement rules.

Building your DNA – Secure Foundations

What the NSA report doesn't cover though is that with the adoption of "Shift Left" principles, not only is security a shared responsibility, but we now also have very capable tools to embed security constructs and polices very early in the software development life cycle. Cloud-native development IDEs now make it a snap to incorporate the best security practices early. For e.g., Right at development time, when creating an object storage bucket, the developer can be auto reminded to ensure that the encryption options are turned on.

The Kubernetes community is also innovating with new constructs that make Policy-as-code easy to author and enforce without being locked into a single vendor solution. For e.g., using policy language authoring and enforcement tools, you can associate a backup policy as a pre-cursor to a stateful application being deployed into production. Kubernetes admission controllers can detect and enforce these policies with mutating web hooks. This follows the principle of security being a shared responsibility. Organizations that build these strong foundations upfront, will not find themselves in a potentially disastrous situation of production applications without backup policies handling mission critical data at run time.

Don't Forget Insurance – Kubernetes Backup and DR

As the deployment of Kubernetes applications increase in scale, so have the attacks from malicious actors. As an example, ransomware is a serious problem for enterprises and is now even expanding to the mid-market segment as this WSJ article highlights.

Organizations need to plan for these disruptions and invest in the right data protection tools. Just like the old perimeter-based approaches don't work in securing Kubernetes, similarly traditional hypervisor-based tools don't work for data protection. Invest and operationalize in the right Kubernetes-native solution that accommodates high-velocity application development cycles with distributed deployment where the infrastructure is abstracted away.

Follow these principles, and there is no reason why your Kubernetes applications will not have a long and health life!

Gaurav Rishi is VP, Product & Cloud Native Partnerships, at Kasten by Veeam
Share this

Industry News

February 02, 2023

Red Hat announced a multi-stage alliance to offer customers a greater choice of operating systems to run on Oracle Cloud Infrastructure (OCI).

February 02, 2023

Snow Software announced a new global partner program designed to enable partners to support customers as they face complex market challenges around managing cost and mitigating risk, while delivering value more efficiently and effectively with Snow.

February 02, 2023

Contrast Security announced the launch of its new partner program, the Security Innovation Alliance (SIA), which is a global ecosystem of system integrators (SIs), cloud, channel and technology alliances.

February 01, 2023

Red Hat introduced new security and compliance capabilities for the Red Hat OpenShift enterprise Kubernetes platform.

February 01, 2023

Jetpack.io formally launched with Devbox Cloud, a managed service offering for Devbox.

February 01, 2023

Jellyfish launched Life Cycle Explorer, a new solution that identifies bottlenecks in the life cycle of engineering work to help teams adapt workflow processes and more effectively deliver value to customers.

January 31, 2023

Ably announced the Ably Terraform provider.

January 31, 2023

Checkmarx announced the immediate availability of Supply Chain Threat Intelligence, which delivers detailed threat intelligence on hundreds of thousands of malicious packages, contributor reputation, malicious behavior and more.

January 31, 2023

Qualys announced its new GovCloud platform along with the achievement of FedRAMP Ready status at the High impact level, from the Federal Risk and Authorization Management Program (FedRAMP).

January 30, 2023

F5 announced the general availability of F5 NGINXaaS for Azure, an integrated solution co-developed by F5 and Microsoft that empowers enterprises to deliver secure, high-performance applications in the cloud.

January 30, 2023

Tenable announced Tenable Ventures, a corporate investment program.

January 26, 2023

Ubuntu Pro, Canonical’s comprehensive subscription for secure open source and compliance, is now generally available.

January 26, 2023

Mirantis, freeing developers to create their most valuable code, today announced that it has acquired the Santa Clara, California-based Shipa to add automated application discovery, operations, security, and observability to the Lens Kubernetes Platform.

January 25, 2023

SmartBear has integrated the powerful contract testing capabilities of PactFlow with SwaggerHub.

January 25, 2023

Venafi introduced TLS Protect for Kubernetes.