June 22nd 2020
Infosec journalist. Contributing editor for IBM and Tripwire. Writer for lots more.
DevOps teams are responsible for balancing two important forces in their organizations’ software development efforts: shorter delivery cycle times for applications that continue to increase in size and diversity.
dependencies that help to improve the efficiency of the software delivery
The issue arises when an organization has too many containers to manage. At that juncture, many organizations turn to Kubernetes. This platform reduces the operational burden of managing many containers at once.
By making it easier to share software and dependencies with Ops personnel, it frees developers from the manual tasks of running containerized software. This allows them to focus on responding to customers and building better programs in the first place.
Still, containers and Kubernetes aren’t without their security challenges. These issues could leave an organization’s data open to attackers if not properly addressed.
To minimize the risk of a data breach, organizations therefore need to ask their DevOps teams certain questions regarding their containers and Kubernetes environments. They should focus on questions that specifically relate to their Kubernetes configurations, container images and network policies/security practices.
Perhaps the most important question that organizations can ask with reference to their Kubernetes configurations is as follows: “Are our Kubernetes configurations providing adequate security for our containers?”
The answer is probably “no” if an organization is using default configurations. That’s because those settings are meant to facilitate agility and speed in the software delivery process. They’re not designed to promote security.
In response to these and other threats, organizations need to work with their DevOps teams in implementing custom configurations that complement their security needs. They need to be careful in the process, however, as misconfigurations could create more security issues.
Doing so is tantamount to running unknown software on a computer. There’s just no telling what that software program will do; it could produce malicious effects.
For that reason, organizations need to confirm with their DevOps teams that they’re pulling their images primarily if not solely from private registries.
It’s at this point that organizations need to ask their DevOps teams another question: “Can we verify that the container images we’re pulling are safe?” That’s a loaded question, as the container images could suffer from vulnerabilities.
But they’re not. Once pulled down from the repository, such container images run malicious code in the organization’s environment, which gives attackers access to the infected environment.
Policies and Security Practices
Last but not least, organizations need to ask some additional questions that pertain to their container and Kubernetes security. They should begin by asking their DevOps teams to clarify what’s in their network policies. DevOps personnel should know the traffic flows of the organization, so they should be able to explain how the current Kubernetes network policy supports those channels of communication.
Ideally, the organization should balance those policies with pod security policies. To have these frameworks in place, DevOps teams need to make sure that the admission controller is enabled and that they’ve authorized policies. Failure to do so could prevent any pods from spawning in the cluster.
Next, they should ask, “What other security policies do we have in place?” Organizations should verify that there’s a container security plan in effect. Such a framework should restrict the DevOps team to pulling container images from private repositories only. It should also detail the vulnerability scanning processes for the purpose of limiting containers’ exposure.