Support Amazon EKS, Azure Kubernetes Service, Google Kubernetes Engine, VMware Tanzu Kubernetes Grid, Red Hat OpenShift, Rancher, and several other self-managed Kubernetes.
Should a Kubernetes resource have indirect access to a cloud account’s administrative role? No, but configurations violating principle of least privileges are common and often lead to disastrous cloud account hijackings.
A recent study by VMware* reveals that 97% of organizations have Kubernetes security concerns (Figure 1)`. In fact, meeting security and compliance requirement is the number one challenge for deploying (59% respondents) as well as managing Kubernetes (47% respondents). A lack of an understanding of Kubernetes best practices and resulting misconfiguration mistakes are an alarming threat to security of cloud native applications.
Fig. 1. #1 Kubernetes Challenge: Meeting Security and Compliance Requirements
Multi-Cloud Increases Kubernetes Security Risk
Today, organizations with production Kubernetes workloads choose multiple public cloud vendors (52%) over on-premises (47%) or a single public cloud (42%) to run cloud native applications. Additionally, each cloud provider uniquely implements its managed Kubernetes service to make it easier for developers to consume essential cloud services such as databases, serverless compute, and load balancers from managed Kubernetes clusters. This makes the need for visibility into entire application infrastructure including relationships between Kubernetes and cloud resources extremely critical for understanding security risks. Additionally, for developers and IT teams, building a consistent approach for managing security posture across cloud providers and data centers isn’t easy.
Kubernetes & Cloud Security Posture Management
CloudHealth Secure State delivers unified Kubernetes & Cloud Security Posture Management capabilities (KSPM) enabling customers with deep visibility into misconfiguration risks across 500 services and resource types including managed and self-managed Kubernetes clusters in a public cloud or data center.
Fig. 2. Violation: EKS ServiceAccount should not have a privileged IAM role
Deep insight into security risk: Users can now leverage multi-cloud search to inspect Kubernetes resource configurations as well as visualize relationships with other resources within or outside the cluster. With support for 1000 security best practices and 20 compliance frameworks, users can proactively identify advanced risks such as connections between a Kubernetes ServiceAccount role and a cloud account’s administrative IAM role (Figure 2) to prevent cloud hijackings. With support for Amazon EKS, Azure Kubernetes Service, Google Kubernetes Engine, Tanzu Kubernetes Grid, Red Hat OpenShift, Rancher, and several other Kubernetes developer teams can improve security and compliance posture of the infrastructure supporting their modern apps in a public cloud or data center.
Speed up preventive response: CloudHealth Secure State has pioneered an event-driven, micro-inventory architecture that detects 95% of security & compliance violations within 6 seconds of a configuration change notification. Each violation is then assigned a risk score based on the blast radius to make it easier for users to prioritize most risky violations. Users can further bolster governance standards and find misconfigurations that otherwise go undetected by creating custom security & compliance rules and frameworks within minutes using our low-code approach. Our mission is to help your team proactively identify and address security violations before a criminal can exploit them.
Fig. 3. Developer requesting a security exception for 1 month to test something
Easier to operationalize security: In a relatively large organization, disseminating alerts efficiently to distributed teams while reducing false positives is key to operationalizing cloud security. CloudHealth Secure State delivers an advanced alerting framework that enables administrators to customize alert messages to provide guidance on company security policy as well as remediation steps. Developers in turn can reduce the volume of alerts by using automation to request security policy exception based on pre-defined criteria such as a security policy, risk, or a resource tag. Administrators in turn can reject invalid requests or bulk approve security exceptions for a specified period (Figure 3). Interactive workflows ensure that security admins and developers can efficiently collaborate to minimize risk.
Getting Started
Built on a scalable cloud architecture, CloudHealth Secure State’s SaaS platform is proven to secure modern app infrastructure driving growth of born in the cloud startups as well as enterprises with thousands of cloud accounts and millions of cloud assets. Fill out this quick form to get a free trial of CloudHealth Secure State and learn how we deliver reliable access to real-time security insights and peace of mind to protect your future cloud growth.
*Source: The State of Kubernetes 2022, VMware