Modern software management is somewhat of a ‘moveable feast’ – always changing and evolving, growing in scale and availability. Cloud-based containers are a prime example; relying on shared virtual isolation to deploy and run applications that access a shared operating system, holding components such as files, libraries and environment variables necessary to run desired software.
On top of that is Kubernetes; an open-source container-orchestration system for automating application deployment, scaling and management. It aims to offer a platform for automating deployment, scaling and operations of application containers across clusters of hosts.
Containers and Kubernetes can be vital in the successful operation of modern-day businesses. However, ensuring security and compliance at the speed and scale required can prove a significant challenge.
One company that seeks to aid organizations in this is Californian-based StackRox. It’s CEO is Kamal Shah, who brings more than 20 years of experience identifying new markets, creating category-defining products customers and building large businesses.
Infosecurity spoke to Shah to learn more about StackRox’s unique offering, the security implications of cloud-based containers and the Kubernetes system, and best practices for ensuring security at scale.
What are StackRox’s chief aims and missions?
StackRox aims to bring automation, scale and simplicity to securing the cloud-native stack, enabling organizations to unify their development, operations and security processes. StackRox has developed a security platform that taps into the native controls in the cloud-native stack so that companies can deploy security as code, building protections and defense directly into the infrastructure.
What are the key security risks (and challenges) surrounding cloud containers and the Kubernetes platform?
Our recent survey found that 40% of the organizations surveyed remain concerned that their container strategy does not adequately invest in security. Another 34% report their strategy lacks sufficient detail. These data points demonstrate that companies are embracing containers and Kubernetes rapidly, but don’t have the security plans or other details for running these systems in place yet.
The cloud-native stack is no different from any other infrastructure in terms of the source of security risk – human error has always topped the list. With the cloud-native stack, that risk translates into misconfigurations. The other issue plaguing container and Kubernetes security is also prevalent in previous security tooling: too many alerts. By focusing attention on the riskiest deployments, organizations can remediate the problems with the biggest impact on their security posture.
Is more security awareness around containers/Kubernetes required, and how can that be achieved?
Organizations of all stripes are still on the learning curve for containers and Kubernetes for development, operations and security. The good news is that developers, DevOps teams and security staff are all coalescing around a shared understanding that security is everyone’s responsibility. Containers and Kubernetes bring a tremendous opportunity to build security directly into the infrastructure. To operationalize security effectively, organizations need security tooling that is native to Kubernetes, shifts security left and incorporates DevOps best practices and internal controls as part of their build and deploy process. Having tooling that spans security and developer domains is critical to building the shared knowledge at the heart of successfully protecting the cloud-native stack.
Can you provide some best practices to ensure Kubernetes security?
Ensuring adherence to best practices is half the security battle. The other side is automating the process of checking that those best practices are being followed. In a sprawling Kubernetes environment, manually checking configurations is simply not practical. Like all people, developers can make mistakes, especially given that Kubernetes configuration options are many, security features are not enabled by default and most of the community is learning how to efficiently, and effectively, configure Kubernetes.
With that in mind, follow these best practices to ensure Kubernetes is configured securely:
- Update Kubernetes to the latest version
- Use Pod Security Policies to prevent risky containers/Pods from being used
- Use Kubernetes namespaces to properly isolate your Kubernetes resources
- Use Network Policies to segment and limit container and pod communication
- Create policies to govern image provenance using the ImagePolicyWebhook
- Securely configure the Kubernetes API server
- Securely configure the kube-scheduler
- Securely configure the kube-controller-manager
- Secure the configuration files on the master node
- Securely configure etcd
- Securely configure the Kubelet
- Secure the worker node configuration files
Then look to your security tools to make sure these and other DevOps best practices are followed.