In a recent Black Hat webcast, “Securing Containers and Kubernetes-Orchestrated Environments,” sponsored by VMware Carbon Black, guest speakers Sheila A. Berta, Offensive Security Specialist, Dreamlab Technologies and Haim Helman, CTO, VMware Carbon Black App Security, VMware Security Business Unit, examined the challenges and best practices for securing containerized environments.
As more applications get developed using containers, organizations need to understand how to deal with security risks and the types of attacks to defend against. However, knowing about the risks faced is only half of the battle. Fortunately, this webcast provides strategic and tactical steps for securing containers and Kubernetes-orchestrated environments.
While we recommend watching the entire recorded webcast for detailed explanations, here are a few highlights from the recent event.
The Road Towards Continuous Security and compliance in Kubernetes
Haim Helman opened his presentation on the need for organizations to re-evaluate security in this transition to cloud-native.
“How do we achieve better resiliency and not compromise security in this journey?” he asked.
Many organizations are eager to realize the potential value and agility from Kubernetes environments but security must not be an afterthought and should be “top of mind,” recommended Helman.
The following container security risks were discussed on the webinar:
- Applications have vulnerabilities and may have hidden malware – Helman explained that often there is no perfect isolation in containers and that can lead to vulnerabilities.
- All containers communicate with each other – While communication is essential to reap the benefits of microservices, it can also be a risk within the Kubernetes structure.
- Containers running rogue or malicious processes – If a container is compromised, the attacker can potentially take over the host and impact the other containers.
- Containers not properly isolated from the host – A successful attack on a container can affect the host if containers are not effectively segmented from the host.
Helman described Kubernetes as “a very powerful API that can control our cloud in a uniformed way.” However, as he added, “Kubernetes makes it easy to expose workloads to the internet (and attackers), if they don’t have strong authentication and security measures.”
But what are the types of attacks impacting Kubernetes?
Examination of Attacks
Helman explained that while Kubernetes and cloud environments’ dynamic nature allows developers to move fast, they also create technical and organizational challenges for security. Unsecured APIs allow attackers to penetrate and take control of the cloud clusters. The opportunities for attackers include:
- Remote access to workloads
- Access to secrets
- Container escape on the host
- Access to cloud resources
- Escalate privileges
One famous example shared was how cybercriminals gained access to the cloud environment to hijack workloads and use the compute resources for crypto mining.
Overall, as Helman explained, these risks are the result of running Kubernetes environments without proper security measures such as access control and monitoring.
Now, with an understanding of the challenges faced, how should organizations implement security in these environments?
Strategic and tactical steps for Kubernetes security
As mentioned, being aware of the risks is only the first step. Helman then launched into some possible solutions to these challenges.
Top security measures for Kubernetes include:
- Posture management
- Continuous compliance
- Threat investigation and correlations
- DevSecOps enablement | Automation
Covering these measures set the stage for a further discussion on including security in the early stages of development.
Infusing Security into DevOps
Helman recommends that security must be “infused” into DevOps to help secure Kubernetes environments; and in doing so, the Build, Deploy and Operate phases should have security integrated throughout the application development lifecycle.
Traditional security approaches fail to meet today’s evolving needs. Furthermore, with the need to be agile and continuous in integration and deployment, security tools need to work in accordance with those goals.
Key strategies for accelerating security in modern workloads
Helman recommends the following:
Build phase – Deploy vulnerability scanning as well as Kubernetes configuration hardening to go through code in the initial build phase.
Deploy phase – Policy governance, compliance reporting, visibility and hardening – all these can help define what is allowed or not allowed in your Kubernetes environment.
Operate phase – Implement tools that assist in threat detection and response, anomaly detection, and event monitoring.
Helman’s presentation was a compelling look at Kubernetes security because he gave insights into the risks and challenges faced and the strategies to find solutions to these problems.
Securing Docker containers: technical explanation and analysis
Featured presenter Sheila Berta started her discussion with the topic of securing Docker containers. To address the challenge of compromised containers, according to Berta, organizations should implement “fine-grained” access control. Docker uses six kernel namespaces to provide isolation of containers.
“This tool allows you to pipe the output of strace through it and will auto-generate a docker seccomp profile that can be used to only whitelist the syscalls your container needs to run and deny-list everything else,” according to Berta.
Other implementations to improve the security of containers covered include the Docker support of Seccomp profiles.
Securing Kubernetes
An overview of the Kubernetes architecture – with its master node and worker nodes – was presented and explained as a foundation. Also covered were topics on securing Kubernetes components communications and API Authentication.
Kubernetes authentication mechanisms, explained Berta, can be broken down into three categories:
- Basic (user/password or token)
- TLS Certificates
- LDAP, Kerberos, etc.
Berta also explained that since Kubernetes does not encrypt secrets, developers must use third-party open-source solutions to provide security. Examples of these third-party solutions include:
- HashiCorp Vault
- CyberArk Conjur
- Confidant
Sheila Berta ended her presentation with a discussion on network policies and in particular, the need for creating specific communications so the pods can communication with each other but only within defined security policies.
Conclusion
The webcast ended with a Q&A session between the attendees and the presenters. A question around tools to automate security in Kubernetes and containers surfaced that Haim Helman answered. While many tools can be used, Helman again stressed the importance of introducing these security measures early in the development process.
“As code is pushed into other stages, you can look for vulnerabilities and anomalies then apply polices,” he added.
This response seemed appropriate to reinforce one of the presentation’s key themes: the shift of security towards DevOps in Containers and Kubernetes environments. Security must be at the early stages of development with containers. Fortunately, this webcast provided not only the background and examination of risks, but tactical and strategies to secure these environments provided by presenters Sheila A. Berta and Haim Helman.
Be sure to watch the entire recorded webcast “Securing Containers and Kubernetes-Orchestrated Environments”!