It’s hard to overstate how much Kubernetes simplifies the process of code deployment. Rather than tediously installing software across a fleet of servers, developers can package up code into container images and hand them off to Kubernetes to run. With Kubernetes, developers don’t need to worry about concerns like disk space, or how many copies of an application they might need—Kubernetes takes care of all that. And instead of building larger and larger apps, Kubernetes encourages developers to scale horizontally, simply adding more versions of the app where necessary. For startups, it’s a godsend—if they take off and need to scale quickly, Kubernetes makes that process much simpler.
This has led to skyrocketing adoption rates as developers and engineers understandably leap at the opportunity to make their lives easier. Unfortunately, this often means security becomes an afterthought. In many ways, the rise of Kubernetes compares to the rise of the cloud—and security professionals no doubt remember the massive increase in cloud-based breaches before security teams were able to catch up. Organizations using Kubernetes need to understand the potential risks that come along with it—and prioritize remediating them.
The challenge of securing Kubernetes environments
Kubernetes environments are hard to secure because of the relative lack of security expertise with the technology. It’s a new technology, so security professionals with Kubernetes expertise are few and far between—and those who do exist are highly sought after, which can make them inaccessible to all but the largest companies with the deepest pockets. That said, smaller companies don’t necessarily need an in-house Kubernetes security expert—it may make more sense to turn to a third-party advisor or security provider that can supply the necessary expertise.
One way or another, it’s critical to have that expertise because there’s no “plug-and-play” fix for Kubernetes security. There are products that can help with parts of the problem, but deploying them effectively requires the organization to have a thorough understanding of how to install, use, and maintain them. On top of that, organizations need to know what their desired outcomes are. Certain products can protect Kubernetes environments in different ways, and knowing which one to use requires organizations to have a firm grasp on their specific security needs.
Get everyone on the same page
For security leaders, it’s become a challenge to understand the current versus desired state of security in their Kubernetes infrastructure. Too often, they view it as a black box that’s isolated in hopes that strong access controls alone will reduce the likelihood of security issues. This “put it in a closet and throw away the key” approach can lead to nasty surprises. Organizations are quickly learning that visibility in Kubernetes is important at several layers: the cloud control plane, Kubernetes control plane, and container runtime. Monitoring these three “layers of the onion” for best practice violations and risky/suspicious activity ensures that the team has a fighting chance at discovering security issues before they escalate.
Technical challenges aside, security teams often find themselves unable to effectively transact with DevOps on risk in Kubernetes – it can feel like teams are speaking completely different languages. The organizations that are successful have developed strong, collaborative relationships between security and engineering teams. This requires a shared language and, most importantly, empathy. Teams that spend their time butting heads instead of collaborating are missing the big picture: they both want the same thing, to help their business succeed.
Start by working closely with those employees who are actually using Kubernetes. The engineers and developers engaging with Kubernetes every day will almost certainly have the best understanding of where its potential vulnerabilities lie and how to remediate them. Kubernetes promises increased productivity, so it’s critical to work with developers to identify ways to address vulnerabilities without compromising that productivity. With a thorough understanding of the specific risks they face and the specific goals of their developers, organizations can turn to security integrators or other outside experts for advice regarding which security solutions best meet their needs.
The advantages Kubernetes offers when it comes to deploying, maintaining, and scaling applications mean that adoption rates will only increase. But the lack of institutional knowledge regarding Kubernetes and how to protect it means these environments will continue to stay vulnerable. It’s critical for today’s organizations to seek out the necessary expertise to better understand how to keep Kubernetes environments secure. That means working directly with the engineers and developers who operate in those environments and bringing in outside help when necessary. By identifying and remediating known vulnerabilities, organizations can avoid becoming an easy target for attackers.
Dan Whalen, senior manager, R&D, Expel