The race to secure Kubernetes at run time


For software developers who primarily build their applications as a set of microservices deployed using containers and orchestrated with Kubernetes, a whole new set of security considerations has emerged beyond the build phase.

Unlike hardening a cluster before deployment, defending at run time in containerized environments has to be dynamic: continuously watching what a container actually does once it is in production and flagging anything outside its expected behavior, such as opening a connection to a resource it has never used or creating a new listening socket.
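The baseline-and-deviation approach described above can be sketched in a few dozen lines. The Python below is an added example, not code from the article or from any vendor or project it mentions; the image names, event format, baseline and sample telemetry are all constructed for the illustration, and the "recommended action" mapping is an assumption about how an automated responder might be wired up.

```python
"""
Run-time behaviour check for containers (added example, constructed data).

Each container image gets a baseline of what it is expected to do after
start-up: which hosts it connects to, which ports it listens on, which
programs it executes. Telemetry events (one JSON object per line, in the
shape a syscall or eBPF sensor might emit) are compared against that
baseline and every deviation becomes a finding with a suggested automated
response, since, as the article notes, e-mailing someone about a container
that lives for seconds is not a workable reaction.
"""
import json
from typing import Dict, Iterable, List, Set

# Constructed baseline (assumption): learned from a trusted run or declared
# by the image's authors. Keys are images, values are per-event allowlists.
BASELINE: Dict[str, Dict[str, Set[str]]] = {
    "registry.example/api:1.4": {
        "connect": {"db.internal:5432", "cache.internal:6379"},
        "listen": {"0.0.0.0:8080"},
        "exec": {"/app/server"},
    },
}

# Which event field carries the value we compare against the baseline.
VALUE_FIELD = {"connect": "dst", "listen": "addr", "exec": "proc"}

# Constructed, assumed automated responses per deviation type.
ACTIONS = {
    "connect": "apply deny-egress NetworkPolicy to pod",
    "listen": "terminate pod",
    "exec": "terminate pod",
    "unknown-image": "quarantine pod until a baseline exists",
}

# Constructed sample telemetry (not real data). The first three lines are
# normal; the next three are a reverse-shell style pattern; the last comes
# from an image with no baseline at all.
SAMPLE_EVENTS = """\
{"ts":"2021-04-01T10:00:01Z","pod":"api-7c9d","image":"registry.example/api:1.4","type":"exec","proc":"/app/server"}
{"ts":"2021-04-01T10:00:02Z","pod":"api-7c9d","image":"registry.example/api:1.4","type":"listen","addr":"0.0.0.0:8080"}
{"ts":"2021-04-01T10:00:03Z","pod":"api-7c9d","image":"registry.example/api:1.4","type":"connect","dst":"db.internal:5432"}
{"ts":"2021-04-01T10:07:44Z","pod":"api-7c9d","image":"registry.example/api:1.4","type":"connect","dst":"203.0.113.9:4444"}
{"ts":"2021-04-01T10:07:45Z","pod":"api-7c9d","image":"registry.example/api:1.4","type":"listen","addr":"0.0.0.0:31337"}
{"ts":"2021-04-01T10:07:46Z","pod":"api-7c9d","image":"registry.example/api:1.4","type":"exec","proc":"/bin/sh"}
{"ts":"2021-04-01T10:08:00Z","pod":"job-1a2b","image":"registry.example/cron:0.9","type":"exec","proc":"/usr/bin/python3"}
"""


def evaluate(lines: Iterable[str], baseline: Dict[str, Dict[str, Set[str]]] = BASELINE) -> List[dict]:
    """Return one finding per event that deviates from the image's baseline."""
    findings: List[dict] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        etype = ev.get("type")
        if etype not in VALUE_FIELD:
            continue  # event kinds with no policy are ignored, not alerted on
        value = ev.get(VALUE_FIELD[etype])
        expected = baseline.get(ev["image"])
        if expected is None:
            # A container running an image nobody profiled is itself a deviation.
            findings.append({"ts": ev["ts"], "pod": ev["pod"], "image": ev["image"],
                             "type": etype, "value": value,
                             "reason": "no baseline for image",
                             "action": ACTIONS["unknown-image"]})
            continue
        if value not in expected.get(etype, set()):
            findings.append({"ts": ev["ts"], "pod": ev["pod"], "image": ev["image"],
                             "type": etype, "value": value,
                             "reason": f"{etype} of {value!r} not in baseline",
                             "action": ACTIONS[etype]})
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS.splitlines()):
        print(f"{f['ts']} {f['pod']} {f['reason']} -> {f['action']}")
```

Run as a script it prints four findings: the unexpected outbound connection to 203.0.113.9:4444, the new listener on port 31337, the shell spawned inside the api pod, and the cron pod whose image has no baseline. A real sensor would feed events continuously and the `action` field would drive an API call rather than a print, but the allowlist comparison is the whole of the detection logic.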

Although developers now tend to test earlier and more often—or shift left, as it is commonly known—containers require holistic protection throughout the entire life cycle and across disparate, often ephemeral environments.

“That makes things really challenging to secure,” Gartner analyst Arun Chandrasekaran told InfoWorld. “You cannot have manual processes here; you have to automate that environment to monitor and secure something that may only live for a few seconds. Reacting to things like that by sending an email is not a recipe that will work.”

In its 2019 white paper “BeyondProd: A new approach to cloud-native security,” Google laid out how “just as a perimeter security model no longer works for end users, it also no longer works for microservices,” where protection must extend to “how code is changed and how user data in microservices is accessed.”

Where traditional security tools focused on either the network or the individual workload, cloud-native environments require a more holistic approach than securing the build alone: the host, the network, and the endpoints must be continuously monitored and defended against attack, with controls ranging from dynamic identity management and access control through to network and registry security.

Copyright © 2021 IDG Communications, Inc.


