Richard Collins, Head of Product, Jetstack explains how Kubernetes and DevSecOps are shifting left to drive secure digital transformation
If container-based architectures are the future of enterprise application development, then Kubernetes sits right at the vanguard. As a de facto standard for container orchestration, the technology is offered across all major cloud platforms today, with a vast and growing ecosystem driving productivity, cost, operational and many other benefits for end users. But as with most technologies, its growing popularity has also led to increased scrutiny from threat actors.
If organisations want to protect their critical cloud workloads from these emerging risks, security teams will need better visibility and control of the machine identities in their Kubernetes environments. Machine identities, otherwise known as keys and certificates, secure all machine-to-machine communications and form the basis of trust in all digital transactions. From here, security teams must nurture closer partnerships with developer teams, to “shift left” and build seamless security into existing workflows.
The story so far
Gartner estimates that by 2025, more than 85% of global organisations will be running containerised applications in production, up from less than 35% in 2019. The shift to this more portable and efficient virtualisation technology has in turn spurred demand for a way to manage, deploy and scale it.
This is where Kubernetes comes in. Now maintained by the Cloud Native Computing Foundation (CNCF), it’s been the go-to container orchestration platform for over half a decade. According to CNCF data from 2021, 83% of its community organisations are using Kubernetes projects in production, 300% growth since 2016.
Why is it so popular? Because with Kubernetes, multiple areas of the business benefit. Operations teams like the improved resource utilisation, while developers love shorter software development lifecycles. For finance and business leaders there are reduced public cloud costs and better support for strategically critical digital transformation initiatives.
Perhaps most crucially from a technology standpoint, Kubernetes is a highly efficient way to maintain core infrastructure, which is great for development teams as they can focus on application innovation while relying on automation to manage machine identities and other pre-defined security policies.
Expanding the attack surface
Otherwise known as keys and certificates, machine identities provide a foundational layer of security and trust for Kubernetes environments, and across the IT and cloud ecosystem as a whole. By securing machine-to-machine communications using TLS-based encryption standards, organisations can mitigate serious attempts to compromise containers, spread malware and steal information.
Yet without full visibility and control, managing these identities can become extraordinarily complex given the highly distributed and dynamic nature of Kubernetes environments along with the huge increase in workload activity that comes from increased automation and development. Traditional on-premises network security tools which mark security boundaries around physical machines are simply too inflexible to protect the hybrid and multi-cloud, highly distributed world of Kubernetes clusters.
Workload misconfiguration is the number one security risk when deploying workloads with Kubernetes and the bad guys have taken note. Attacks targeting misconfigurations and authentication weaknesses are mounting. In February, researchers spotted a cryptojacking campaign from infamous cybercrime gang TeamTNT in which attackers stole container SSH machine identities to spread across Kubernetes clusters. There have even been incidents involving nation state actors, targeting hundreds of US and European organisations via their Kubernetes environments.
Security automation for developers
To mitigate these risks, security teams must lead from the front, by finding ways to apply automated security controls for their colleagues in development. The goal is to gain centralised visibility of all machine identities across Kubernetes clusters and workload certificates, rather than trying to secure each project one-by-one. This can be achieved using open-source tools like cert-manager, which automates the process of obtaining and renewing certificates and works in the background to ensure each certificate is always correctly configured, valid and up-to-date.
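As an added example (not from the article or from Jetstack's own material), this is how a workload certificate is declared for cert-manager so that issuance and renewal run automatically in the background; the issuer, namespace, service and Secret names are assumed placeholders.

```yaml
# Added example, not from the article: a cert-manager ClusterIssuer backed by an
# internal CA, plus a Certificate that cert-manager issues and renews on its own.
# All names (internal-ca, payments-api, ...) are constructed placeholders.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: internal-ca
spec:
  ca:
    # Secret holding the CA key pair (tls.crt / tls.key) in cert-manager's namespace
    secretName: internal-ca-keypair
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: payments-api
  namespace: payments
spec:
  # The issued leaf certificate and key are written here; the pod mounts this Secret
  secretName: payments-api-tls
  commonName: payments-api.payments.svc.cluster.local
  dnsNames:
    - payments-api.payments.svc
    - payments-api.payments.svc.cluster.local
  # Short-lived identity: re-issued 8h before expiry, so the workload never
  # runs on an expired certificate and no human has to remember the renewal
  duration: 24h
  renewBefore: 8h
  privateKey:
    algorithm: ECDSA
    size: 256
    # Generate a fresh private key on every renewal instead of reusing the old one
    rotationPolicy: Always
  usages:
    - server auth
    - client auth
  issuerRef:
    name: internal-ca
    kind: ClusterIssuer
```

`kubectl get certificate -n payments` then shows a READY column for the resource; a value of False (with the reason in `kubectl describe`) is the kind of misconfiguration signal the centralised visibility discussed above is meant to surface.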
However, as the number of Kubernetes clusters grows, running and scaling a separate instance of a tool like cert-manager in each cluster can become difficult to manage. Security teams then need to employ a platform solution that provides widespread visibility across all the machine identities and will identify misconfigurations so that they can be remediated fast. This will help to reduce the cloud attack surface by minimising the opportunities for cyber-criminals and state-backed attackers to take advantage of gaps in protection.
However, finding the right tools is only the first step. DevOps culture often side-lines security in favour of time-to-market considerations. The perception from developers—and sometimes the reality—is that consulting security teams will only slow down projects.
To overcome such concerns, security experts must engage closely with their counterparts in development and offer automated security tooling that slots neatly into existing processes. Some 68% of organisations claim to be implementing such DevSecOps approaches, and with good reason. They promise to deliver the best of both worlds – rapid time-to-value and high quality, more secure software.
Education is key
Progress on this front won’t come overnight—after all, cultural change of this sort can take time. The key to success will be driving education and awareness among development teams and encouraging cross team collaboration and knowledge sharing on security best practices.
Here, the security team once again has an important role to play. The function must work harder to explain, in language that developers understand, why building in protections from the early stages of the development cycle, or shifting left, needn’t slow the pace of innovation. In fact, when it comes to secure machine identities, it will work to burnish the credentials of developers.
Kubernetes is here to stay. But as its popularity grows, so will attempts to probe for vulnerabilities and security gaps. Automated machine identity management is foundational for cloud native security and offers a critical bulwark against such risk. It provides a first-step opportunity to drive true DevSecOps and increase confidence in digital transformation.
Richard Collins is Head of Product at Jetstack