Virtualization Technology News and Information
Integrating Culture and Technology to Secure Kubernetes

Written by Chris DeRamus, Co-Founder and CTO of DivvyCloud

Kubernetes has become a very popular tool for container orchestration and is recognized as an industry standard among enterprises and their developers. It's a proven framework for deploying containers in the cloud, and is supported by all of the major cloud providers, including Amazon Web Services, Google Cloud Platform and Microsoft Azure. Since its introduction, the Kubernetes user community has grown large. In one survey, over 85 percent of organizations running containers in GCP, and 65 percent of those running containers in Microsoft Azure, reported running Kubernetes. The reason Kubernetes is so popular is that it can be deployed on practically any infrastructure, is 100 percent open source and supports workload scalability and high availability.

These capabilities have empowered developers to innovate quickly (an obvious benefit), but they have also changed the way developers work. Developers now create computing infrastructure on the fly, which is great for continuous improvement, but leaves governance, risk and compliance (GRC) professionals to play catch-up. They are being forced to learn, rapidly, how to secure Kubernetes at scale, and many are struggling with the transformation, leading to an influx of misconfigurations and other serious risks. As just one example, Weight Watchers suffered a security breach in June 2018 after researchers found that the company had not set a password on the administration console of one of its Kubernetes instances. The unauthenticated console exposed an administrator's root credentials, access keys for 102 of the company's domains, and 31 identity and access management users, including users with administrative credentials and applications with programmatic access. Enterprises often try to throw money at the problem, purchasing expensive software that promises to eliminate these types of security concerns. But the only way to take advantage of the cloud and containerized computing paradigm without sacrificing security and compliance is to fuse together cultural shifts, new policies and protocols, and the right technology.

Cultural Shift

First, it's important that system administrators gracefully move from a Command and Control to a Trust But Verify management style. This means system administrators need to take a step back, allow their developers the freedom to take advantage of the speed and agility of Kubernetes, and trust that they will not make security mistakes. But this is easier said than done. Many system administrators have a hard time letting developers provision environments independently because of concerns about the inconsistency that could result. Without a centralized deployment process, it's not uncommon for databases and object storage buckets holding highly sensitive information to be left wide open, inadvertently exposing that data. But giving developers more independence promotes the agility, speed, innovation and sense of experimentation required for enterprises to gain and maintain a competitive advantage. Therefore, developers need to be educated on how their actions can impact security and compliance, and be given a new set of guidelines to follow that won't impede their work or lead to gaps in security. As just a few examples, these guidelines could include:

  1. Never experiment with live data in a cloud service.
  2. Always use least privilege access, and scope it from the beginning of a project rather than tightening it later.
  3. Always encrypt data, at rest and in transit.
  4. Never, even temporarily, expose cloud services to the public internet for testing purposes.
  5. Never reuse a cloud service that was left unfinished; its configuration was never completed or reviewed.

Once developers have been educated on these guidelines, system administrators need to trust them to follow the guidelines without getting in their way. The "verify" aspect of Trust But Verify means that security and compliance are far too important to be left unchecked. Therefore, automated monitoring and remediation tools must be used as a safeguard. We'll explore this in more depth in the "Automated Technology" section below.

Adhere to Benchmarks and Regulations

Another essential step in securing Kubernetes deployments is knowing the regulations and benchmarks that are already in place, and ensuring adherence to them. For instance, the CIS Benchmarks for Kubernetes are prescriptive security guidelines defined by a consensus of representatives from industry and government. Their purpose is to define a standard for the security of Kubernetes clusters: each recommendation describes a security shortcoming, how to audit a cluster for it, and how to remediate it. Additionally, there are numerous regulations a company may be subject to, including PCI DSS, GDPR and HIPAA. Each of these regulations exists to protect data, and organizations that do not comply can face significant fines. As just one example, Google was fined more than $50 million earlier this year for a GDPR violation. Enterprises must bake any applicable regulations into daily operations and, again, have a system in place to verify compliance at all times.

Automated Technology

The way to ensure that the cultural shift, the new developer guidelines and the applicable benchmarks and regulations are enforced consistently is through automation. As a best practice, companies should use automated remediation tools that can be configured to fit the company's software release process and can encode every regulation the company is subject to. If a violation is detected (either of the company's own developer guidelines or of an industry regulation), the system can either alert the responsible developer to correct the issue, or trigger automated remediation. With automation, system administrators can rest easy knowing their developers have the freedom to embrace the self-service nature of cloud and containerized computing without exposing the organization to security and compliance risks.
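The following is an added example, not code from the author or from DivvyCloud, showing what the "verify" half of Trust But Verify looks like as policy-as-code. It checks parsed Kubernetes manifests against two of the developer guidelines from the Cultural Shift section (least privilege RBAC, and no services exposed outside the cluster) plus a couple of pod hardening rules, and then makes the alert-or-remediate decision described in this section. The manifests are constructed inline as Python dicts in the shape `yaml.safe_load()` or `kubectl get -o json` would produce, so the script runs offline with only the standard library; the rule names and the finding format are this example's own conventions, not any product's.

```python
"""Policy-as-code checks over parsed Kubernetes manifests (added example).

Manifests below are constructed for illustration, not taken from any real
cluster. RBAC wildcards are alert-only (intent is unknown, so no safe
rewrite exists); exposed Services and privileged pods are auto-remediated.
"""
from copy import deepcopy

# --- Constructed sample manifests ------------------------------------------
WIDE_OPEN_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "dev-everything"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}
SCOPED_ROLE = {
    "kind": "Role",
    "metadata": {"name": "app-reader", "namespace": "payments"},
    "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}],
}
EXPOSED_SERVICE = {
    "kind": "Service",
    "metadata": {"name": "scratch-db", "namespace": "dev"},
    "spec": {"type": "LoadBalancer", "ports": [{"port": 5432, "nodePort": 31432}]},
}
PRIVILEGED_POD = {
    "kind": "Pod",
    "metadata": {"name": "debug", "namespace": "dev"},
    "spec": {
        "hostNetwork": True,
        "containers": [{"name": "shell", "image": "busybox",
                        "securityContext": {"privileged": True}}],
    },
}


def _containers(pod_spec):
    return pod_spec.get("containers", []) + pod_spec.get("initContainers", [])


def check(obj):
    """Return a list of findings; each says whether auto-remediation is safe."""
    kind = obj.get("kind")
    name = obj.get("metadata", {}).get("name", "<unnamed>")
    findings = []

    def add(rule, message, auto):
        findings.append({"kind": kind, "name": name, "rule": rule,
                         "message": message, "auto_remediable": auto})

    if kind in ("Role", "ClusterRole"):
        # Guideline 2 (least privilege): wildcards grant far more than any
        # single workload needs. Intent is unknown, so alert, do not rewrite.
        for rule in obj.get("rules", []):
            if "*" in rule.get("verbs", []) or "*" in rule.get("resources", []):
                add("rbac-wildcard", "rule grants wildcard verbs or resources", False)
                break
    elif kind == "ClusterRoleBinding":
        if obj.get("roleRef", {}).get("name") == "cluster-admin":
            add("cluster-admin-binding", "binds subjects to cluster-admin", False)
    elif kind == "Service":
        # Guideline 4: nothing reachable from outside the cluster, even for tests.
        svc_type = obj.get("spec", {}).get("type", "ClusterIP")
        if svc_type in ("LoadBalancer", "NodePort"):
            add("service-exposed", f"Service type {svc_type} is reachable outside the cluster", True)
    elif kind == "Pod":
        spec = obj.get("spec", {})
        if spec.get("hostNetwork"):
            add("host-network", "pod shares the node's network namespace", True)
        for c in _containers(spec):
            if c.get("securityContext", {}).get("privileged"):
                add("privileged-container", f"container {c['name']} runs privileged", True)
    return findings


def remediate(obj):
    """Return a corrected copy; the original is untouched so the diff can be reviewed."""
    fixed = deepcopy(obj)
    kind = fixed.get("kind")
    if kind == "Service" and fixed.get("spec", {}).get("type") in ("LoadBalancer", "NodePort"):
        fixed["spec"]["type"] = "ClusterIP"
        for port in fixed["spec"].get("ports", []):
            port.pop("nodePort", None)  # nodePort is not valid on a ClusterIP Service
    elif kind == "Pod":
        spec = fixed.get("spec", {})
        spec.pop("hostNetwork", None)
        for c in _containers(spec):
            if c.get("securityContext", {}).get("privileged"):
                c["securityContext"]["privileged"] = False
    return fixed


def evaluate(objs):
    """Split violations into 'alert the developer' and 'fix automatically'."""
    alerts, fixes = [], []
    for obj in objs:
        fs = check(obj)
        alerts.extend(f for f in fs if not f["auto_remediable"])
        if any(f["auto_remediable"] for f in fs):
            fixes.append((obj, remediate(obj)))
    return alerts, fixes


if __name__ == "__main__":
    alerts, fixes = evaluate([WIDE_OPEN_ROLE, SCOPED_ROLE, EXPOSED_SERVICE, PRIVILEGED_POD])
    for a in alerts:
        print(f"ALERT  {a['kind']}/{a['name']}: {a['message']}")
    for before, after in fixes:
        print(f"FIXED  {before['kind']}/{before['metadata']['name']}: {check(after) or 'clean'}")
```

In a real pipeline the same `check()` would run twice: once in CI against the manifests a developer is about to apply (the guideline check), and again on a schedule against `kubectl get ... -o json` from the live cluster (the verify step), since objects created by hand or by a controller never pass through CI. The split between alert-only and auto-remediable findings is deliberate: rewriting a Service type is reversible and rarely breaks anything, while guessing which verbs a wildcard RBAC rule was meant to grant can silently break a workload, so a human decides.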

Companies should feel empowered to take advantage of the many benefits of cloud and containerized computing without feeling that security and compliance have to take a backseat. The self-service model makes misconfigurations a common occurrence unless the proper steps are taken to fuse cultural shifts, new policies and procedures, and advanced tools. Adopting a Trust But Verify management approach means giving developers the freedom to experiment and innovate, while also giving systems personnel the tools they need to ensure developers are working securely and adhering to relevant benchmarks and regulations. Combining this philosophy with automated monitoring and remediation tools is an essential safeguard against disastrous misconfigurations and the compliance violations, and fines, that follow them. If companies take this approach, they can continue to innovate quickly and remain competitive without sacrificing security and compliance.


About the Author

Chris DeRamus, Co-founder and Chief Technology Officer 

Chris is the co-founder and CTO of DivvyCloud, where he leads the engineering teams while driving new innovation. Chris is a technical pioneer whose passion is finding innovative and elegant new ways to deliver security, compliance, and governance to customers running at scale in hybrid cloud environments. He keeps his hands dirty and spends much of his time writing code and diving deeply into the latest technologies and services being deployed by partners like Amazon, Microsoft, Google, VMware, and OpenStack.

Before co-founding DivvyCloud, Chris was the Online Operations Manager at Electronic Arts for the Mythic Studio, where he helped design, build and operate large-scale cloud infrastructure spanning public and private clouds to run Electronic Arts' largest online games (including Warhammer Online: Wrath of Heroes and Warhammer Online: Age of Reckoning). He started his career as a Network & System Administrator at the U.S. Department of Energy, where he was mandated with a broad array of technical responsibilities including security and compliance.

Chris earned his Bachelor of Business Administration in Computer Information Systems from James Madison University.
Published Friday, May 31, 2019 7:26 AM by David Marshall