Next Cloud Security Challenge: Containers and Kubernetes
The increasing use of containers and orchestration tools, such as Kubernetes, is driving demand for new cloud security and application deployment processes, according to research from the Cloud Security Alliance presented Monday at the RSA 2020 conference in San Francisco.
The goal is to build security into the application development cycle as early as possible, says John Yeoh, global vice president of research at the not-for-profit alliance.
“As we have seen with the use of containers and micro-services and compliance, when you further segment things off, there’s a functionality benefit from that,” Yeoh tells Information Security Media Group. “But you also have a lot more pieces to secure or to make compliant. So the challenge is how do we grant proper access control to containers and micro-services? How do we make these environments compliant?”
IT and developer teams are deploying Kubernetes and creating many more containers – the virtualized applications that are critical to DevOps – to keep up with demand for new application deployments. But companies are still struggling with a number of security issues, especially access control, Yeoh notes.
Containers provide a unique layer of customization for developer teams as they create new applications. But some container environments will be used to host the most sensitive data, so the challenge is that default security settings and access controls may not be appropriate, Yeoh says.
In recent years, attackers sometimes have been able to gain access to one container environment and pivot to others, leading to data breaches, he says.
“We see breaches and incidents all the time when it’s compromised credentials or something really silly like, ‘Why does the attacker have that much access when they penetrate one environment?’” Yeoh says. “If we can address that and limit that, we’re going to be much better off.”
Better security starts with the development stage of any IT process, Yeoh says. Instead of allowing bad code to be deployed, organizations must have checks within their development processes and the ability to roll back code with security problems before an app moves into production.
“You are also able to automate a lot of these [checks] as well, and you can almost create a self-healing architecture, where it rolls back, is fixed and then moves forward,” Yeoh says. “We’re seeing more and more people do that in cloud environments. It’s a way to make sure that developers are held accountable. You see security teams whose jobs have changed to where they are creating checklists [to ensure applications] are securely developed.”
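Two of the points above, that default container settings grant more access than sensitive workloads should have and that such problems should be caught by automated checks before an app moves into production, can be made concrete with a small manifest linter. The following Python script is an added example written for this page, not code from the Cloud Security Alliance or from ISMG. It checks a Kubernetes Pod manifest for settings that let a compromised container reach beyond itself (host namespaces, privileged mode, root, host paths, an auto-mounted service-account token, an unpinned image) and is the kind of gate a CI pipeline would run on every commit. Both manifests, the image names and the digest are constructed for the example.

```python
"""Pre-production check for a Kubernetes Pod manifest.

Flags settings that leave a container with more access than it needs, so a
CI gate can reject the manifest before it is deployed.  Added example; the
manifests below are constructed, not taken from any real deployment.
"""

# Constructed sample: a Pod written by relying on the defaults.  Nothing here
# is hardened, and several settings let the container reach the host.
WEAK_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "payments-api", "namespace": "default"},
    "spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "api",
            "image": "registry.example.internal/payments-api:latest",
            "securityContext": {"privileged": True},
        }],
        "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
    },
}

# Constructed sample: the same workload with least-privilege settings applied.
# The sha256 digest is a placeholder, not a real image digest.
HARDENED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "payments-api", "namespace": "payments"},
    "spec": {
        "automountServiceAccountToken": False,
        "securityContext": {
            "runAsNonRoot": True,
            "runAsUser": 10001,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [{
            "name": "api",
            "image": "registry.example.internal/payments-api@sha256:"
                     + "0" * 64,
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
        }],
        "volumes": [{"name": "tmp", "emptyDir": {}}],
    },
}


def check_pod(manifest):
    """Return a list of findings; an empty list means the manifest passes."""
    findings = []
    spec = manifest.get("spec", {})
    pod_ctx = spec.get("securityContext", {})

    if manifest.get("metadata", {}).get("namespace", "default") == "default":
        findings.append("pod runs in the 'default' namespace; use a dedicated namespace")
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append(f"{flag} is enabled; container shares a host namespace")
    if spec.get("automountServiceAccountToken", True):
        findings.append("service-account token is auto-mounted; disable it unless the API is needed")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"volume '{vol['name']}' mounts hostPath {vol['hostPath'].get('path')}")

    for c in spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        ctx = {**pod_ctx, **c.get("securityContext", {})}  # container-level overrides pod-level
        if ctx.get("privileged"):
            findings.append(f"container '{name}' is privileged")
        if not ctx.get("runAsNonRoot"):
            findings.append(f"container '{name}' may run as root; set runAsNonRoot: true")
        if ctx.get("allowPrivilegeEscalation", True):
            findings.append(f"container '{name}' allows privilege escalation")
        if not ctx.get("readOnlyRootFilesystem"):
            findings.append(f"container '{name}' has a writable root filesystem")
        dropped = [d.upper() for d in ctx.get("capabilities", {}).get("drop", [])]
        if "ALL" not in dropped:
            findings.append(f"container '{name}' does not drop all capabilities")
        image = c.get("image", "")
        if ":" not in image.rsplit("/", 1)[-1] or image.endswith(":latest"):
            findings.append(f"container '{name}' image '{image}' is not pinned to a tag or digest")
        if "limits" not in c.get("resources", {}):
            findings.append(f"container '{name}' has no resource limits")
    return findings


def passes_gate(manifest):
    """True when the manifest may proceed to deployment."""
    return not check_pod(manifest)


if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(f"{label}: {'PASS' if passes_gate(pod) else 'BLOCKED'}")
        for f in check_pod(pod):
            print("  -", f)
```

Wiring `passes_gate` into a pipeline step that fails the build on any finding gives the roll-back behaviour Yeoh describes: the manifest never reaches the cluster, the developer sees exactly which setting was rejected, and the fix is a commit rather than an incident. The same checks can be enforced at admission time with a policy engine so that manifests that bypass CI are still blocked.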
Cloud Security, Beyond Code
The Cloud Security Alliance hosted a number of sessions at the RSA 2020 conference on Monday that touched on privacy and the cloud. Speakers also addressed how new regulations, such as the California Consumer Privacy Act and the New York Shield Act, are changing how companies are approaching their cloud strategies.
And while new laws and regulations are a challenge, attorney Aravind Swaminathan, global co-chair of the cyber, privacy and data innovation practice at Orrick Herrington & Sutcliffe LLP, says that a bigger issue among his clients is understanding how cloud environments work when users don’t own the infrastructure.
“There’s tons of value in the cloud, but you have to understand the risks,” Swaminathan tells ISMG. “We have recently seen individuals compromise the cloud environment when we thought we had protections like multifactor authentication and certain controls, and attackers were able to make end-runs around those. … And that’s the challenge.”