ao link
Business Reporter
Business Reporter
Business Reporter
News
Technology
AI & Automation
Communication
Digital Transformation
Industrial Innovations
IoT
Mobile
Smart Cities
Cyber Security Site
Management
Global Agenda Series
Best of Business
Energy
Future of Work
Healthcare
Human Resources
Future of Enterprise
Retail
Customer Experience
Risk Management
Supply Chain
Finance
FS, Banking & FinTech
CFO
Fraud Prevention
Insurance
Payments
Sustainability
ESG
UN SDGs
Sustainability Talks
Responsible Business
Resources
Print Reports
White Papers
Business Learning
Events
Talk Shows
Supply Chain
Upcoming Episodes
On-Demand
Hosts
Speakers
Sponsors
Digital Transformation
Upcoming Episodes
On-Demand
Hosts
Speakers
MarTech
On-Demand
Hosts
Speakers
FinTech
Upcoming
On-Demand
Host
Speakers
teiss (Cyber Security)
Upcoming Episodes
On-Demand
Hosts
Speakers
Sponsors
Jobs
Search Business Report
My Account
Remember Login
Register|Reset Password
My Account
Remember Login
Register|Reset Password
News
Technology
AI & Automation
Communication
Digital Transformation
Industrial Innovations
IoT
Mobile
Smart Cities
Cyber Security Site
Management
Global Agenda Series
Best of Business
Energy
Future of Work
Healthcare
Human Resources
Future of Enterprise
Retail
Customer Experience
Risk Management
Supply Chain
Finance
FS, Banking & FinTech
CFO
Fraud Prevention
Insurance
Payments
Sustainability
ESG
UN SDGs
Sustainability Talks
Responsible Business
Resources
Print Reports
White Papers
Business Learning
Events
Talk Shows
Supply Chain
Upcoming Episodes
On-Demand
Hosts
Speakers
Sponsors
Digital Transformation
Upcoming Episodes
On-Demand
Hosts
Speakers
MarTech
On-Demand
Hosts
Speakers
FinTech
Upcoming
On-Demand
Host
Speakers
teiss (Cyber Security)
Upcoming Episodes
On-Demand
Hosts
Speakers
Sponsors
Jobs

Kubernetes and DevSecOps

Technology
Linked InTwitterFacebook

Richard Collins, Head of Product, Jetstack explains how Kubernetes and DevSecOps are shifting left to drive secure digital transformation

 

If container-based architectures are the future of enterprise application development, then Kubernetes sits right at the vanguard. As a de facto standard for container orchestration, the technology is offered across all major cloud platforms today, with a vast and growing ecosystem driving productivity, cost, operational and many other benefits for end users. But as with most technologies, its growing popularity has also led to increased scrutiny from threat actors.

 

If organisations want to protect their critical cloud workloads from these emerging risks, security teams will need better visibility and control of the machine identities in their Kubernetes environments. Machine identities, otherwise known as keys and certificates, secure all machine-to-machine communications and form the basis of trust in all digital transactions. From here, security teams must nurture closer partnerships with developer teams, to “shift left” and build seamless security into existing workflows.  

 

The story so far

 

Gartner estimates that by 2025, more than 85% of global organisations will be running containerised applications in production, up from less than 35% in 2019. The shift to this more portable and efficient virtualisation technology has in turn spurred demand for a way to manage, deploy and scale it.

 

This is where Kubernetes comes in. Now maintained by the Cloud Native Computing Foundation (CNCF), it’s been the go-to container orchestration platform for over half a decade. According to CNCF data from 2021, 83% of its community organisations are using Kubernetes projects in production, 300% growth since 2016.

 

Why is it so popular? Because with Kubernetes, multiple areas of the business benefit. Operations teams like the improved resource utilisation, while developers love shorter software development lifecycles. For finance and business leaders there are reduced public cloud costs and better support for strategically critical digital transformation initiatives.

 

Perhaps most crucially from a technology standpoint, Kubernetes is a highly efficient way to maintain core infrastructure which is great for development teams as they can focus application innovation while relying on automation to manage machine identities and other pre-defined security policies.

 

Expanding the attack surface

 

Otherwise known as keys and certificates, machine identities provide a foundational layer of security and trust for Kubernetes environments, and across the IT and cloud ecosystem as a whole. By securing machine-to-machine communications using TLS based encryption standards, organisations can mitigate serious attempts to compromise containers, spread malware and steal information.

 

Yet without full visibility and control, managing these identities can become extraordinarily complex given the highly distributed and dynamic nature of Kubernetes environments along with the huge increase in workload activity that comes from increased automation and development. Traditional on-premises network security tools which mark security boundaries around physical machines are simply too inflexible to protect the hybrid and multi-cloud, highly distributed world of Kubernetes clusters.

 

Workload misconfiguration is the number one security risk when deploying workloads with Kubernetes and the bad guys have taken note. Attacks targeting misconfigurations and authentication weaknesses are mounting. In February, researchers spotted a cryptojacking campaign from infamous cybercrime gang TeamTNT in which attackers stole container SSH machine identities to spread across Kubernetes clusters. There have even been incidents involving nation state actors, targeting hundreds of US and European organisations via their Kubernetes environments.

 

Security automation for developers

 

To mitigate these risks, security teams must lead from the front, by finding ways to apply automated security controls for their colleagues in development. The goal is to gain centralised visibility of all  machine identities across Kubernetes clusters and workload certificates, rather than trying to secure each project one-by-one. This can be achieved using open-source tools like cert-manager, which automates the process of obtaining and renewing certificates and works in the background to ensure each certificate is always configured correctly and valid and up-to-date.

 

However, as Kubernetes clusters grow then scaling multiple instances  a tool like cert-manager to run in each cluster can become difficult to manage. Security teams then need to employ a platform solution that provides widespread visibility across all the machine identities and will identify misconfigurations that can be remediated fast. This will help to reduce the cloud attack surface by minimising the opportunities for cyber-criminals and state-backed attackers to take advantage of gaps in protection.

 

However, finding the right tools is only the first step. DevOps culture often side-lines security in favour of time-to-market considerations. The perception from developers—and sometimes the reality—is that consulting security teams will only slow down projects.

 

To overcome such concerns, security experts must engage closely with their counterparts in development and offer automated security tooling that slots neatly into existing processes. Some 68% of organisations claim to be implementing such DevSecOps approaches, and with good reason. They promise to deliver the best of both worlds – rapid time-to-value and high quality, more secure software.

 

Education is key

 

Progress on this front won’t come overnight—after all, cultural change of this sort can take time. The key to success will be driving education and awareness among development teams and encouraging cross team collaboration and knowledge sharing on security best practices.

 

Here, the security team once again has an important role to play. The function must work harder to explain, in language that developers understand, why building in protections from the early stages of the development cycle, or shifting left, needn’t slow the pace of innovation. In fact, when it comes to secure machine identities, it will work to burnish the credentials of developers.

 

Kubernetes is here to stay. But as its popularity grows, so will attempts to probe for vulnerabilities and security gaps. Automated machine identity management is foundational for cloud native security and offers a critical bulwark against such risk. It provides a first-step opportunity to drive true DevSecOps and increase confidence in digital transformation.

 

Richard Collins is Head of Product at Jetstack

Main image courtesy of iStockPhoto.com

Digital Transformation
Linked InTwitterFacebook

Most Viewed

Business Reporter

23-29 Hendon Lane, London, N3 1RT

23-29 Hendon Lane, London, N3 1RT

020 8349 4363

Cookie Policy
Terms of Business
17 Global Goals
Campaign Schedule
Lead Generation Media Kit
Sustainability Report
Contact Us
Privacy Policy
Terms and Conditions
Breakfast Briefing Media Kit
Media Kit
BR Studio
Content Guide
Traffic Drivers
Case Study

© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543