Kubernetes and Cloud-native Security Threats

Authored by Kevin Reed, CISO, Acronis

Kubernetes is the latest disruptive technology in the cloud-native world. Over the last decade, microservice architecture has focused on building small, independent services that can be developed and released quickly and reliably. Containers made that architecture practical: each service is packaged with its dependencies, so it is portable and can be scaled independently.

As the number of containers grew and spread across data centers, managing them by hand became impossible. Kubernetes emerged as the de facto container orchestration platform, making it possible to deploy, scale and recover cloud-native microservice applications quickly in the cloud.

All major cloud providers offer Kubernetes as a managed service, where you can click a couple of buttons to create a cluster and get started. In addition, it is possible to deploy and manage Kubernetes in on-premises data centers as it is an open-source project.

Kubernetes increases software scalability and availability while optimizing IT costs, and it offers flexibility in multicloud environments. However, Kubernetes is not secure by default, and it brings a set of security risks that did not exist in traditional deployments.

This article will first discuss the cloud-native attack surface and its challenges. Then we will focus on Kubernetes security events and the latest attacks.

Cloud-native attack surface and challenges

Modern cloud-native architecture is made up of multiple layers: applications, the container orchestrator, and the underlying infrastructure. Applications consist of small, portable containers that run as many replicated instances. Orchestrators like Kubernetes schedule those instances and distribute them over the infrastructure.

The infrastructure layer consists of nodes, networks, and storage, typically supplied by a cloud provider. Each layer of this architecture adds its own attack surface. The top five challenges concerning these attack surfaces are as follows:

  1. Misconfiguration and exposures

Cloud infrastructure, Kubernetes, and microservice applications are highly configurable, with a broad set of options at every layer. Much of a cloud-native operator's day goes to managing those configurations, and the task is unforgiving: a wrong setting can make an application unavailable, while an overly permissive network policy can expose a sensitive database instance to external systems. Therefore, it is critical to have guardrails that catch misconfigurations automatically, before a change reaches the cluster.

  2. Unclear security perimeters

Cloud-native applications and containers form an interdependent stack of many components. For instance, it is typical to use managed cloud services, virtual nodes in the data center, and several networks at the same time. Defining a single security perimeter and protecting it therefore isn't easy. Protecting cloud-native applications requires a well-defined architecture and an explicit security model that states where the trust boundaries lie.

  3. Container security

Container images bundle an operating system userland, the application executables, and their dependencies, and any of these components may carry known vulnerabilities. It is critical to build from scanned, trusted images and to pin exactly what was scanned, because in a typical Kubernetes cluster a single vulnerable image may be running as hundreds of instances.

  4. Runtime security

Even if you secure the cloud services and scan container images for vulnerabilities, threats remain in the runtime phase, when the containers actually run on the nodes. It is critical to ensure that containers run with no more privilege than they need, that applications do not expose data while they run, and that they have only the access to external systems that their function requires.

  5. Observability

Flexibility and scalability are the main benefits of modern cloud-native applications. However, they make monitoring harder: distributed applications need holistic observability across the whole stack. Without it, it is impossible to know the exact state of the applications, the Kubernetes clusters, the nodes, and the infrastructure, or to notice when that state changes because of an attack.
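The kind of guardrail the misconfiguration, container-security and runtime-security points above call for can be a small policy check run over a manifest before it is applied. The following is an added example, not code from the article, from Acronis or from the Kubernetes project: it flags host-namespace sharing, an auto-mounted service-account token, unpinned or `latest` images, privileged or root-capable containers, and missing resource limits. Both Pod manifests are constructed for illustration, the rule names are this example's own, and the sha256 digest is a placeholder rather than a real image digest.

```python
"""Guardrail check for Kubernetes Pod manifests (added example, not the
article's or Kubernetes' own code). Flags the pod- and container-level
settings most often behind misconfiguration and runtime incidents."""
import json

# Constructed example: an over-privileged Pod of the kind an operator
# might deploy "just to make it work".
WEAK_POD = json.loads("""{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "orders-db", "namespace": "prod"},
  "spec": {
    "hostNetwork": true, "hostPID": true,
    "containers": [{"name": "db", "image": "postgres:latest",
                    "securityContext": {"privileged": true}}]
  }
}""")

# Constructed example: the same workload with the settings corrected.
# The sha256 digest below is a placeholder, not a real image digest.
HARDENED_POD = json.loads("""{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "orders-db", "namespace": "prod"},
  "spec": {
    "automountServiceAccountToken": false,
    "containers": [{
      "name": "db",
      "image": "postgres@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
      "securityContext": {"privileged": false, "runAsNonRoot": true,
                          "allowPrivilegeEscalation": false,
                          "readOnlyRootFilesystem": true,
                          "capabilities": {"drop": ["ALL"]}},
      "resources": {"limits": {"cpu": "1", "memory": "1Gi"}}
    }]
  }
}""")


def check_pod(pod):
    """Return a list of (location, finding) pairs; an empty list means the
    Pod passes every rule in this example."""
    findings = []
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    pod_loc = f"pod/{name}"

    # Sharing a host namespace removes the isolation containers rely on.
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            findings.append((pod_loc, f"{key} is enabled"))

    # The API token is mounted by default; most workloads never need it.
    if spec.get("automountServiceAccountToken", True):
        findings.append((pod_loc, "service account token is auto-mounted"))

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        loc = f"{pod_loc}/{c.get('name', '<unnamed>')}"
        sc = c.get("securityContext", {})
        image = c.get("image", "")

        # Image hygiene: a tag can move, so the scanned image and the
        # running image may differ; a digest pins exactly what was scanned.
        if "@sha256:" not in image:
            findings.append((loc, "image is not pinned by digest"))
            last = image.rsplit("/", 1)[-1]
            if ":" not in last or last.endswith(":latest"):
                findings.append((loc, "image uses the floating latest tag"))

        # Runtime privileges: each is a Kubernetes default or an explicit
        # opt-in that widens what a compromised container can do.
        if sc.get("privileged"):
            findings.append((loc, "container is privileged"))
        if sc.get("allowPrivilegeEscalation", True):
            findings.append((loc, "allowPrivilegeEscalation is not false"))
        if not sc.get("runAsNonRoot"):
            findings.append((loc, "runAsNonRoot is not true"))
        if not sc.get("readOnlyRootFilesystem"):
            findings.append((loc, "root filesystem is writable"))
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append((loc, "capabilities are not dropped (drop: [ALL] missing)"))

        # Missing limits let one container starve the whole node.
        if not c.get("resources", {}).get("limits"):
            findings.append((loc, "no resource limits set"))

    return findings


if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        result = check_pod(pod)
        print(f"{label}: {len(result)} finding(s)")
        for loc, msg in result:
            print(f"  {loc}: {msg}")
```

Run stand-alone, the script reports eleven findings for the weak Pod and none for the hardened one. In practice a check like this belongs in the CI pipeline or in an admission controller, so a manifest that fails it never reaches the cluster; the same rules are what the observability point relies on, since a cluster that is running workloads outside its own policy is exactly the state an operator needs to be able to see.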

DIGITAL TERMINAL
digitalterminal.in