 |
VOOZH | about |
|
VOOZH | about |
We’re so glad you’re here. You can expect all the best TNS content to arrive Monday through Friday to keep you on top of the news and at the top of your game.
Check your inbox for a confirmation email where you can adjust your preferences and even join additional groups.
Follow TNS on your favorite social media networks.
Become a TNS follower on LinkedIn.
Check out the latest featured and trending stories while you wait for your first TNS newsletter.
Kubernetes security is an issue for many organizations. In a 2020 report covered by TechRepublic, 94% of respondents revealed that their organizations had weathered a security incident involving their Kubernetes and container environments in the past 12 months. Nearly half (44%) of organizations responded to these events by delaying their applications’ deployment into production.
These findings indicate that security is and needs to continue to be a priority for organizations seeking to deploy containers and Kubernetes applications into production. To make deployment run as smoothly as possible, organizations must understand the security and compliance requirements of the entire application development life cycle. That means integrating security into the three stages of the container lifecycle: build, deploy and runtime.
Vulnerabilities that exist in the build phase of the application development lifecycle could become more difficult and costly to fix during runtime. That’s why it’s important for organizations to focus on container securing during the build phase. They can do so by following a couple of security best practices:
Organizations need to secure their Kubernetes infrastructure before it’s deployed. This effort should begin by making sure that organizations have sufficient visibility over their networks. Help Net Security clarifies the importance of visibility for ensuring container security:
Securing the network through deep visibility and protections is crucial because the network serves as the first layer of defense for keeping malicious actors from reaching the workload. At the same time, the network is the last line of defense, protecting data from being exposed. Between those first and last lines of defense, network visibility and proper network controls can prevent attacks from escalating within internal east-west traffic.
In terms of visibility, organizations need to specifically know what, where and how each resource is being deployed as well as what it can access. They can then leverage networking policies to shape the traffic that flows between pods and clusters. As noted by Kubernetes on its website, pods are non-isolated by default and can, therefore, accept traffic from any source. Fortunately, organizations can restrict these communication flows by creating network policies.
Organizations should also not forget to scan images in the deploy phase. Once they have the results of those scans, they must take action with them. For instance, they can use those scans’ findings in tandem with an admission controller to reject the deployment of an application if the container images lack scanning results or if they suffer from known vulnerabilities.
Last but not least, organizations need to invest in containers security during the runtime phase. Visibility and image scanning are still important for this stage. But there are some important differences that organizations need to keep in mind. StackRox identifies how the process image scanning differs between the build and runtime phases:
The build tools you use to generate and compile your applications can be exploited when run on production systems. Remember, containers should be treated as temporary, ephemeral entities. Never plan on “patching” or altering a running container. Build a new image and replace the outdated container deployments. Use multistage Dockerfiles to keep software compilation out of runtime images.
Along those same lines, the only way organizations can ensure their runtime container security is by making sure that anomalous behavior on the network can’t hide. Help Net Security explains that organizations, therefore, require the ability to examine network packets at layer 7. In so doing, organizations will also be able to avail themselves of deep packet inspection (DPI) and other types of technologies that can help to detect more sophisticated attacks.
Organizations can use the tips provided above to begin securing their containers during the build, deploy and runtime phases of the application development lifecycle. By no means is this article exhaustive in its recommendations, however. Additional security tips can be found here.
Feature image via Pixabay.
At this time, The New Stack does not allow comments directly on this website. We invite all readers who wish to discuss a story to visit us on Twitter or Facebook. We also welcome your news tips and feedback via email: feedback@thenewstack.io.
