The Home of the Security Bloggers Network
Home » Security Boulevard (Original) »
Kubernetes is at the forefront of the container orchestration market. A majority of organizations running container workloads manage at least some of them via Kubernetes. However, according to the Red Hat State of Kubernetes Security report, 94% of organizations encountered a serious security incident within their container environment. Of these, 69% of these incidents were security misconfigurations, 27% were runtime security issues and 24% were known vulnerabilities.
Hackers have definitely discovered Kubernetes, too, and are exploiting its security weaknesses. However, security technology is catching up. A new security category, eXtended Detection and Response (XDR), promises to close some of the security gaps created by the container revolution.
Let’s review some of the key Kubernetes security concerns in a production environment. For more background, see this detailed guide to Kubernetes security.
Organizations require solid governance policies to dictate how images are stored and retrieved from image registries. It is important to create container images from approved, secure base images and scan images at all stages of the development life cycle. Organizations must also ensure they only use images from trusted image registries.
Pods and containers communicate over the network, both within Kubernetes clusters and with other external and internal endpoints. If a container is compromised, the capacity for a cybercriminal to move laterally within the environment is directly connected to how widely that container may communicate with other different pods and containers.
In a sprawling container environment, enforcing network segmentation can be prohibitively challenging. In a large cluster, it is not feasible to configure policies manually and automating them requires special expertise or dedicated security tools.
In line with a DevOps approach, Kubernetes intends to simplify operations and management and speed application deployment. Kubernetes provides a comprehensive set of controls that organizations can use to secure clusters and their applications successfully.
Kubernetes network policies, for instance, act similar to firewall rules that dictate how pods communicate with endpoints and each other. When a network policy is applied to a pod, that pod can communicate solely with the asset specified in that policy. However, because Kubernetes does not connect a network policy to a pod by default, all pods can communicate with all other pods in a default Kubernetes environment. This creates a major security risk.
An additional configuration risk is associated with secrets management: How sensitive information, including keys and credentials, is accessed and stored. It is common to store secrets in plaintext within Kubernetes configurations or containers, but this creates severe security risks.
Organizations must use secrets management mechanisms—either those provided by Kubernetes or via third party solutions—to ensure credentials are secure. It is critical to periodically scan the environment for any secrets that are accidentally exposed.
Cloud-native environments present challenges when adhering to regulations, industry standards, security best practices, industry benchmarks and internal organizational policies.
Organizations not only have to remain compliant, but they also have to show proof of compliance. It can be difficult to ensure that Kubernetes adheres to security controls when these were originally defined for conventional application architectures.
Furthermore, containerized applications are dynamic and distributed by nature. Organizations must put in place automated monitoring and observability strategies to ensure compliance and enable auditing when operating at scale.
XDR is a cross-layered response and detection tool. It collects and correlates information across several security layers such as email, endpoints, applications, servers, networks and clouds. This comprehensive approach offers greater visibility into an organization’s technology environment so that security teams can identify, investigate and react to threats more efficiently and successfully.
Compared to conventional security solutions, XDR can perform deeper investigations and unite all data into one holistic incident identification and response solution. Rather than sifting through countless events from multiple tools, security teams can view the entire attack story in one interface, make logical connections between events and swiftly act on the information to mitigate threats.
XDR is especially suited to containerized environments because of its ability to combine data from different IT systems and security tools into a coherent attack story. Kubernetes clusters generate different operating metrics from traditional environments and are supported by new types of monitoring tools, such as Prometheus.
XDR can make sense of these metrics, combining them with data from endpoints, networks and cloud resources. This enables:
In particular, XDR solutions can leverage attributes like cluster, node, deployment type, pod name, container image and container ID, report them to operators and use them in behavioral analysis. These attributes are critical to understanding how threats are impacting a Kubernetes environment.
XDR can help discover threats like unknown malware and infected container images, zero-day attacks and in-memory attacks that cannot be detected by legacy antivirus solutions. In addition, XDR can enable opening a remote shell to any element in the Kubernetes environment—a node or a specific container—to investigate threats, collect forensics, contain and mitigate attacks.
In this article, I covered the basics of Kubernetes security and explained how XDR, a new type of security solution, can help protect Kubernetes clusters. XDR enables rapid investigation of security incidents in a complex containerized environment, data exploration and threat hunting, and enables automated response by integrating with tools in the Kubernetes environment.
In essence, XDR bridges the gap between traditional security tooling and the new entities and metrics found in tomorrow’s containerized environments.
Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Oracle, Zend, CheckPoint and Ixia, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership.
gilad-david-maayan has 5 posts and counting.See all posts by gilad-david-maayan
The Home of the Security Bloggers Network