Managing the Kubernetes Security Flaw
News broke earlier this week about the discovery of Kubernetes’ first major security hole. The flaw provided an invisible way to hack into the popular cloud container orchestration system.
According to Wei Lien Dang, VP of products for StackRox, in a statement provided to CIO Dive, the vulnerability was severe and broadly applicable, affecting every version since v1.0 and potentially every Kubernetes user, making it the first major security hole for the popular container orchestration system.
Red Hat fixed the security hole by releasing patches immediately after the flaw was reported which would have been installed with widely used automatic security updates.
“Those quick fixes underscore how security teams react to the inevitable vulnerabilities that surface in enterprise distributions of open-source software, especially popular microservices platforms like Kubernetes that are widely used to deliver distributed applications.” – George Leopold, Enterprise Tech
The task of managing these massive, distributed, systems built on open source technologies is complicated. Because of the open source code base, a worldwide team – both white hat and black hat – can examine the code to find flaws. As new vulnerabilities emerge, companies need to be able to respond in real time, potentially building policies on the fly to identify and then deprecate outdated or vulnerable systems. This relies on the organizations have good, central visibility and up-to-date real-time asset inventories in extremely dynamic environments.
The key tenets of managing these environments is the same as the general security best practices anywhere. Start with knowing what you have. You can’t protect if you can’t see it. And with the dynamic nature of cloud, and containerized environments in particular, getting and maintaining this visibility has be done programmatically and repeated on a continuous basis.
After identifying where the enterprise may be vulnerable, the next challenge is to find ways to remediate and replace vulnerable systems as quickly as possible. Thankfully, in software-defined infrastructure, this can actually be much faster than in traditional data centers. But again, it does rely on the organization knowing what it has, and then defining rules that shed light on the vulnerable infrastructure and workloads
Finally, a proven approach for maintaining the inventory, coupled with tools that allow the customer to define desired good-state or blacklists, on the fly, is key to reacting to new developments.
At DivvyCloud, our software simplifies the job of securing Kubernetes clusters and workloads across public clouds including Amazon Web Services, Google Cloud Platform, Microsoft Azure, and Alibaba Cloud. If you’re interested in learning more, get your free trial of DivvyCloud or speak with a DivvyCloud expert today!
If you’d like to read more on securing Kubernetes, check out our white paper “A Holistic Approach to Securing Kubernetes that Integrates Culture and Technology.“
DivvyCloud minimizes security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud, and container infrastructure. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes). First, our software performs real-time, continuous discovery of infrastructure resources allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom cloud-native policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.