When security is ignored, organizations are putting at risk the core benefit of faster application development and releases. But security and agility do not have to be in contention.
A recent Red Hat survey with more than 300 respondents, covered in our 2022 State of Kubernetes security report, identified the most pressing security needs and offered suggestions for putting your organization on track to protect security in Kubernetes environments.
Our findings show that what happens in the build and deploy stages has a significant impact on security, as revealed by the prevalence of misconfigurations and vulnerabilities across organizations. Security, therefore, must shift left, embedded imperceptibly into DevOps workflows instead of being "bolted on" when the application is about to be deployed into production.
Note: Most of the material in this article comes from the Red Hat report, 2022 State of Kubernetes security.
Top Kubernetes security tasks identified in the survey
Organizations expect a security solution that protects containers and Kubernetes at every phase. Security starts at the earliest phases of development, such as choosing secure third-party libraries, and extends to runtime monitoring and detection.
The methods used to protect applications span DevOps and security activities, underscoring the need for both in a DevSecOps approach in which the development, operations, and security teams collaborate.
The most important security tasks that respondents identified as "must-have" capabilities in Kubernetes (Figure 1) were:
- Runtime threat detection and response (chosen by 69% of respondents)
- Configuration management (chosen by 68% of respondents)
- Image scanning and vulnerability management (chosen by 65% of respondents)
When the respondents refer to configuration management, they are pointing out that security must currently be dropped into many different properties of YAML files with a variety of isolated parameters that are hard to learn and coordinate.
Tips for starting on a stronger security course
The 2022 State of Kubernetes security report ended with the following suggestions.
Use Kubernetes-native security architectures and controls
Kubernetes-native security uses the rich declarative data and native controls in Kubernetes to deliver several key security benefits. Analyzing the declarative data available in Kubernetes yields better security, with risk-based insights into configuration management, compliance, segmentation, and Kubernetes-specific vulnerabilities.
Using the same infrastructure and its controls for application development and security reduces the learning curve and supports faster analysis and troubleshooting. This consistent infrastructure also eliminates operational conflict by granting security the same automation and scalability advantages that Kubernetes extends to infrastructure.
Start security early, but extend it across the full life cycle
Security has long been viewed as a business inhibitor, especially by developers and DevOps teams whose core mandates are to deliver code fast. With containers and Kubernetes, security should become a business accelerator, by helping developers build strong security into their assets right from the start.
Look for a container and Kubernetes security platform that incorporates DevOps best practices and internal controls as part of its configuration checks. Such a platform should also employ tools that assess the security posture of the Kubernetes configuration itself, so that developers can focus on feature delivery. The open source KubeLinter tool picks up many security issues in Kubernetes configurations.
Require portability across hybrid environments
With most organizations deploying containers in both on-premises and public cloud environments (sometimes in multiple clouds), security must apply consistently wherever your assets are running. The common foundation is Kubernetes, so make Kubernetes your source of truth, your point of enforcement, and your universal visibility layer for consistent security. Managed Kubernetes services can quicken your organization’s adoption of Kubernetes, but be careful about getting locked into cloud provider-specific tooling and services.
Transform the developer into a security user by building a bridge between DevOps and security
Given that most organizations expect DevOps to run container security platforms, your security tooling must help bridge security and DevOps. To be effective, the platform must have security controls that make sense in a containerized, Kubernetes-based environment. It should also assess risk appropriately. Telling a developer to fix all discovered vulnerabilities that have a Common Vulnerability Scoring System (CVSS) score of 7 or higher is inefficient. Instead, you can improve security significantly by identifying the three deployments that are exposed to the most severe vulnerabilities and showing the developers why these deployments are at risk.
Conclusion
Learning the best practices outlined in this article is a good first step toward improving your application's security. The speed with which new containerized applications are built and deployed as microservices requires security automation in developer workflows. Developers shouldn’t have to slow down to run manual security checks. Organizations should deploy automated security in a DevOps fashion, using security tools that enable an open hybrid strategy for application security. Learn more about how Red Hat Advanced Cluster Security for Kubernetes can provide developers with the security guardrails to help them automate DevSecOps in their pipelines.
Last updated: June 22, 2022