Securing your Kubernetes: Harder than it looks

Securing a Kubernetes environment is a difficult task, but ensuring the security of the entire software supply chain is even harder. The true challenge is maintaining end-to-end security in real time as things change dynamically. In order for developers to "just push their code" and utilize Kubernetes as a commodity substrate for application hosting and operations across multiple environments, deep knowledge, intelligent automation, and constant vigilance are required.

One of the major concerns when it comes to software supply chain security is the increasing speed of technology. With modern, container-oriented application design patterns and development methods, a solid Continuous Integration/Continuous Deployment (CI/CD) and application operations automation framework can help organizations move from infrequent releases to frequent releases that are delivered hourly, or as soon as a commit is approved.  

 However, this speed can also be detrimental as vulnerabilities can find their way into running applications from a variety of sources, including insufficiently validated base containers, language modules, and cut-and-paste from unvalidated sources.

Containerization can make it difficult to identify vulnerabilities, and the complexity at scale only exacerbates the problem. Automation can also add to the problem — for example, build processes that make decisions on the fly about which containers and repositories to use, and ops automation that pulls in third-party component containers dynamically. It becomes impossible for humans to police high-speed modern application delivery.

The extended platform of Kubernetes also poses additional risks. Kubernetes often runs on a deep stack, which can include a cloud's network and operations services, the lowest-level host operating systems on bare metal, hypervisors, guest operating systems on each virtual machine, all the Kubernetes components, and Kubernetes extensions for ingress, networking, and service mesh. This makes the attack surface large and vulnerable to threats.

Unfortunately, vulnerabilities and malware will often find their way into production and be exposed to the internet. The metric organizations should focus on is "time to remediate," as the longer a vulnerability is exposed, the greater the chance it will be exploited. According to reports from SecurityScorecard and The Cyentia Institute, 53% of organizations had at least one vulnerability exposed to the internet and 22% had over 1,000 each. On average, it took organizations 270 to 426 days to remediate one vulnerability and 12 months to fix half of their outstanding vulnerabilities.

To improve security, organizations must take a multitude of steps to secure their extended Kubernetes system, including their software supply chain, platform, and underlying infrastructure. This includes implementing security best practices, automating security tasks, monitoring for vulnerabilities, and continuously assessing and improving security.

Are you struggling to scale your Kubernetes clusters while also ensuring their security? Mirantis Professional Services can help: with security platform engineering, audits, and continuous monitoring to protect your Kubernetes platforms and applications.

WEBINAR // THURSDAY, FEBRUARY 23

How to implement continuous proactive security to safeguard Kubernetes

Register For Webinar