A holistic approach to closing the container security gap [Q&A]


Among cloud developers, Kubernetes is now a widely used platform. It's not immune to security incidents, however, and these can lead to loss of revenue or customers.

So, what's the best way to secure Kubernetes systems? Alex Jones, engineering director Kubernetes at Canonical, suggests a need to look beyond containers with a holistic approach to security that spans all layers of the system. We talked to him to discover more.

BN: Many cloud native developers are using Kubernetes today. What is the appeal?

AJ: Take a look under the hood of some of the most cutting-edge cloud native projects, and you'll find Kubernetes. Nearly half of cloud native developers are using Kubernetes, according to recent Slash Data survey results, particularly those working in emerging areas like computer vision, blockchain applications, cryptocurrencies, and biometrics for ID verification. The appeal of Kubernetes is clear: the ability to run highly-distributed applications across environments has helped spark the development of a modern, cloud-native ecosystem. This ecosystem, however, will only fully thrive once the gaps in container security are closed.

BN: Should IT professionals be concerned about security with regards to container adoption?

AJ: Security is one of the biggest concerns IT professionals have when it comes to container adoption, and for good reason. In another recent industry survey, 93 percent of respondents said they experienced at least one security incident in their Kubernetes environments in the last 12 months, sometimes leading to revenue or customer loss.

Additionally, more than half said they've had to delay application deployments because of security concerns -- effectively canceling out any benefit of speed gained from containerization. Fortunately, as Kubernetes adoption continues to grow, new industry standards and best practices are emerging, paving the way for more secure Kubernetes systems. New frameworks and updated tooling will help more heavily-regulated industries and other security-conscious organizations enter the container-driven era. The growth of Kubernetes makes it a more appealing target for bad actors, making the right approach to security all the more important. Securing Kubernetes systems can seem like a daunting challenge, particularly when many organizations and IT professionals are still learning how to properly adopt and manage Kubernetes in production. But for the cloud-native ecosystem to reach its full potential, security can't be an afterthought.

BN: How can companies better protect themselves as the growth of Kubernetes continues to draw security concerns? What are some best practices?

AJ: Ultimately, the best way to secure Kubernetes systems is to look beyond containers -- with a holistic approach to security that spans all layers of the system. Kubernetes comprises several layers, where any vulnerability or misconfiguration opens up a new weakness for attackers to potentially exploit. From container registries to code repositories and host operating systems, every element of the stack needs to be considered.

As it stands, there are few built-in security mechanisms found in Kubernetes, placing the burden of securing containers on the user. There have been attempts to build security into cloud-based products, but that leaves practitioners with a narrow focus -- it is, after all, easier for hyperscalers to design security around user interactions -- and no consideration for one's own data centers. Maintaining a secure Kubernetes system requires continuous effort and a comprehensive approach, but one that's well worth it.

BN: What should container users consider concerning the Federal Information Processing Standard (FIPS)?

AJ: Practitioners considering the Federal Information Processing Standard (FIPS), a set of security standards developed by the National Institute of Standards and Technology (NIST) to ensure the security and integrity of sensitive data, should note it is a requirement for many organizations that handle sensitive information, including federal agencies, government contractors and financial institutions.

To adopt a more holistic security framework, it's important to validate controls from the container workloads all the way down to the host OS. Recently developed frameworks for Kubernetes, such as new Center for Internet Security (CIS) benchmarks, make this possible. The CIS benchmarks hit on all components of a Kubernetes system. They comprise detailed recommendations for three categories: cluster-level security, for clusters built on-premise or in the cloud; node-level security guidance to secure nodes at the OS level; and workload-level security, offering hardening practices for containers, code and other applications on the data plane.

In addition to leveraging new frameworks, Kubernetes users can improve their overall security posture through proper supply chain management. With every new image in their clusters, practitioners should be confident of where it came from, its known vulnerabilities and whether it is up to date, among other things. There are several new projects that are looking at the provenance of OCI (open container images) to ensure they are from trusted sources. For instance, tools like Chainguard's Wolfi or OWASP CycloneDX offer, among other things, software bills of material (SBOM) for stronger supply chain integrity. When used in conjunction with full stack scanning and configuration management, these can provide an even smaller attack surface for bad actors.

BN: What are some of the applications of AI we are already seeing with regards to security in Kubernetes?

AJ: AI is being used in various ways to enhance Kubernetes. One exciting application is intelligent scaling, where AI algorithms analyze historical workload patterns and adjust the number of replicas or pods based on predicted demand. This helps optimize resource allocation and scaling.

Another area is auto-tuning and optimization, where AI techniques automatically fine-tune Kubernetes configurations for better performance. AI-powered monitoring tools can analyze vast amounts of data to detect anomalies, predict issues, and enable proactive management. AI can also enhance scheduling, cluster management, and auto-remediation, making Kubernetes more efficient and self-managing.

Additionally, AI-powered chatbots and virtual assistants provide a conversational interface for interacting with Kubernetes, simplifying tasks like deploying applications or managing resources. The combination of AI and Kubernetes opens up exciting possibilities for smarter container orchestration and management.


© 1998-2024 BetaNews, Inc. All Rights Reserved.