The risks of not knowing how many Kubernetes ingresses your organization has

Thu, 19/05/2022 – 09:42

What risks do I face using containerization in the cloud?

As companies rush to implement containerization in the cloud, the efficiencies gained are not always accompanied by appropriate security measures. The consequences of migrating with inappropriate or incomplete machine identity management practices can be serious. Attackers can enter the cloud environment at any vulnerable endpoint and pivot laterally across the network from there. This risk is significant, considering the number of services, connected devices, virtual machines, executables and containers that your organization relies on in the cloud.

The high number of endpoints that live in the cloud naturally increases the attack surface and makes it a more lucrative target. Last year, the 2021 Verizon Data Breach Investigations Report (DBIR) found that cloud breaches had for the first time overtaken on-premises breaches. This is not surprising, given that the cloud is growing not only in reach but in popularity. According to a report by Flexera, more than 50% of organizations moved to cloud-hosted workloads in 2020 alone, and 93% of them had a hybrid strategy, meaning they still had to manage the identities of machines on site. Adding to the complexity of the cloud, Forrester reported an increase in container adoption by developers to 42% in 2021.

Considering this growing trend and the reliability, efficiency and productivity of cloud containers, we can be sure that we will only see more of them in our environments in the future. It therefore becomes imperative to become expert in securing them.

Are your Kubernetes ingresses secure?

What is ingress and why should we protect it? ISACA defines ingress as “incoming network communications”. In Kubernetes terms, an ingress is any single entry point into your deployed applications, and protecting the ingress protects the application itself.

Machine identities, including the digital keys and certificates used in your Kubernetes cluster, protect Kubernetes ingresses. If a certificate expires, you experience an outage. If a machine identity is compromised, an attacker who has a foothold in one of your containers can pivot to other areas of your network. If a certificate is not issued by a trusted certificate authority, it can expose your entire cluster to theft and permission abuse.

There are many things that can go wrong when the gates of your ecosystem are left unattended. And the same efficiencies that make Kubernetes work so well can be leveraged to create effective malware attacks with maximum damage.

So I will ask again: how many ingresses are in use within your organization? How many different cloud-native applications have been deployed? If you can’t answer these questions, you have no visibility into the risks these ingresses pose. And if you don’t understand the risks, you can’t implement controls to mitigate them.

What if your developers are already using cert-manager to secure containers?

This is good news. cert-manager, the very popular open source certificate manager, is used to manage X.509 certificates in Kubernetes clusters. With over half a billion downloads in 2021 alone, it is the de facto standard for helping cloud teams manage the TLS certificates used for ingress. But did you know that the company that developed cert-manager is now part of Venafi? In 2020, Venafi acquired Jetstack, the creators of cert-manager. Later that year, we donated cert-manager to the CNCF but continue to be major contributors.

By using cert-manager, organizations gain the necessary visibility into their ingresses and can reduce the risk of unprotected ingresses or ingresses using misconfigured certificates.
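The visibility question above (how many ingresses, and which of them are unprotected or misconfigured) can be answered from the cluster's own Ingress objects. The following is an added example, not code from this article or from the cert-manager project: it inventories Ingress resources per namespace and flags hosts served in plaintext, TLS blocks with no `secretName`, and TLS blocks that carry none of cert-manager's ingress-shim annotations (`cert-manager.io/issuer`, `cert-manager.io/cluster-issuer`). The input shape is that of `kubectl get ingress -A -o json`; the sample data is constructed for the example.

```python
# Inventory Ingress objects and flag TLS misconfigurations. Input has the shape of
# `kubectl get ingress -A -o json`; SAMPLE below is constructed, not from a real cluster.
# cert-manager's ingress-shim annotations: present when cert-manager issues the TLS secret.
CERT_MANAGER_ANNOTATIONS = ("cert-manager.io/issuer", "cert-manager.io/cluster-issuer")

def audit_ingress(ing):
    """Return a list of finding strings for one Ingress object."""
    meta = ing.get("metadata", {})
    spec = ing.get("spec", {})
    name = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    findings = []
    rule_hosts = {r["host"] for r in spec.get("rules", []) if "host" in r}
    tls_hosts = set()
    for tls in spec.get("tls", []):
        if not tls.get("secretName"):
            # Without a secret, many controllers serve their default certificate instead.
            findings.append(f"{name}: TLS block without secretName")
        tls_hosts.update(tls.get("hosts", []))
    for host in sorted(rule_hosts - tls_hosts):
        findings.append(f"{name}: host {host} has no TLS entry (plaintext ingress)")
    annotations = meta.get("annotations", {})
    if spec.get("tls") and not any(a in annotations for a in CERT_MANAGER_ANNOTATIONS):
        findings.append(f"{name}: TLS present but not issued by cert-manager (manual rotation)")
    return findings

def audit_cluster(ingress_list):
    """Return (ingress count per namespace, all findings) for an Ingress list."""
    items = ingress_list.get("items", [])
    per_namespace = {}
    for ing in items:
        ns = ing.get("metadata", {}).get("namespace", "default")
        per_namespace[ns] = per_namespace.get(ns, 0) + 1
    return per_namespace, [f for ing in items for f in audit_ingress(ing)]

# Constructed sample: one well-managed ingress, one with a broken TLS block, one plaintext.
SAMPLE = {"items": [
    {"metadata": {"namespace": "shop", "name": "web",
                  "annotations": {"cert-manager.io/cluster-issuer": "letsencrypt-prod"}},
     "spec": {"tls": [{"hosts": ["shop.example.com"], "secretName": "shop-tls"}],
              "rules": [{"host": "shop.example.com"}]}},
    {"metadata": {"namespace": "shop", "name": "admin"},
     "spec": {"tls": [{"hosts": ["admin.example.com"]}],
              "rules": [{"host": "admin.example.com"}]}},
    {"metadata": {"namespace": "legacy", "name": "old"},
     "spec": {"rules": [{"host": "old.example.com"}]}},
]}

counts, findings = audit_cluster(SAMPLE)
print("ingresses per namespace:", counts)
print("\n".join(findings))
```

On a live cluster, feed it the output of `kubectl get ingress -A -o json` instead of SAMPLE; the per-namespace counts are the inventory the article asks for, and the findings are the ingresses that need attention first.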

But that is only part of the problem that needs to be solved to truly secure ingress. While a single cert-manager instance within a Kubernetes cluster can provide visibility and protection for that cluster, it does not give the organization enterprise-wide visibility across multiple Kubernetes clusters.

Additionally, organizations are not able to enforce the use of specific versions of cert-manager or ensure consistent configurations across these deployments. They also cannot guarantee that the versions of cert-manager in use are commercially supported (beyond community support) and compliant with standards such as FIPS.

So while cert-manager on its own is fine for development environments, more is needed when a Kubernetes application is deployed in production.

How can Jetstack Secure improve the protection I already have?

From the perspective of a production-ready enterprise, Venafi’s Jetstack Secure is designed to take ingress security to the next level. Jetstack Secure ships with a signed, FIPS-compliant build of a known cert-manager version. Through integrations with popular enterprise security platforms such as the Venafi Trust Protection Platform, Jetstack Secure ensures that corporate machine identity security policy is adhered to, even within a Kubernetes deployment. And it does so without slowing down DevOps and cloud-native teams.

Venafi Jetstack Secure takes on all responsibility for protecting ingress within the Kubernetes cluster, working in tandem with the Venafi Trust Protection Platform to provide a central point of control for all machine identities in both classic (traditional IT infrastructure) and cloud-native environments. It combines the certificate management services of cert-manager with the visibility, automation and intelligence of the Venafi platform, and gives you better knowledge of the state of the machine identities that defend your ingresses, in and out of the cloud.

Venafi Jetstack Secure combines cloud-native machine identity security with an automated PKI to protect your X.509 certificates on Kubernetes and OpenShift clusters. It allows you to:

  • Automate X.509 visibility and control to protect the ingresses of your ecosystem
  • Avoid certificate misconfigurations within your clusters
  • Proactively monitor ingress points within your clusters and limit malware attempts
  • Establish a full infrastructure-wide chain of trust by applying pod-level security
  • Get all the benefits of the Venafi Trust Protection Platform (TPP), plus the capabilities of Jetstack’s cert-manager, to manage certificates on Kubernetes and across your entire infrastructure.

Misconfiguration is one of the most common issues facing Kubernetes today and can leave ingress insecure. With Jetstack Secure extending the Venafi platform, you can have complete visibility into the configuration status of all X.509 certificates on your Kubernetes and OpenShift clusters, all from a single control panel. Containerization and virtualization are cutting-edge technologies and require cutting-edge cybersecurity solutions. We cannot protect the next generation with the last.
