Kubernetes security has been in the news this week, highlighting the need for a fresh approach to container protection
Cybersecurity practitioners operating in cloud environments face increasingly complex security challenges. Last week’s discovery of critical vulnerabilities in the Kubernetes ecosystem once again brings the need to re-evaluate and harden cloud environments to the forefront, especially containers and the platforms that orchestrate them.
Kubernetes Security in the News
Over the last week, several new vulnerabilities have come to light. A particularly urgent matter is the three high-severity, unpatched security flaws discovered in the NGINX Ingress controller for Kubernetes. An ingress is an API object that provides HTTP and HTTPS routing to services: it lets teams define the rules under which inbound traffic reaches cluster services, and it can also provide load balancing, SSL termination, and name-based virtual hosting.
These vulnerabilities could allow an attacker to steal secret credentials from the cluster. Among them, CVE-2022-4886 stands out: it allows the ingress-nginx path sanitization to be bypassed in order to obtain the credentials of the controller. CVE-2023-5043 and CVE-2023-5044 have also been identified, the former leading to arbitrary command execution and the latter enabling code injection via annotations. Exploitation of these flaws poses a significant risk, since an adversary could inject arbitrary code into the ingress controller process and obtain the credentials it holds.
These vulnerabilities are more than mere blips in the cybersecurity radar; they symbolize the inherent risks in modern cloud-based environments. For further insights on these vulnerabilities, please visit the NGINX advisory page.
The Rise (and Foibles) of Container Usage
Organizations are increasingly moving away from traditional, monolithic architectures in favor of containers for their flexibility, scalability, and efficiency. Traditional security measures applied to containerized environments, such as making containers immutable to prevent alterations, often fall short because of their limited scope. While they offer some protection, these strategies can introduce significant operational friction. Similarly, blocking network traffic can guard against certain threats, but it also risks hindering legitimate communications and disrupting essential workflows. The short lifespan of containers complicates traditional network analysis and endpoint detection, and log management systems struggle to track such transient workloads. Inter-container traffic is difficult to monitor with standard network visibility tools because of its volume and complexity, so a default cloud protection solution is clearly not enough on its own.
As Kubernetes evolves from its early sandbox phase to critical commercial deployments in sectors like financial services and e-commerce, in-depth application-layer security and visibility have become essential. Regrettably, the majority of existing Kubernetes security solutions, both open-source and commercial, are primarily network-layer oriented. This approach, while important, often neglects the application layer, leaving business-critical functions exposed to application-specific threats.
A Fresh Approach to Container Security
By leveraging a different approach that focuses on the behavior of containers, it’s possible to greatly increase the security of Kubernetes environments.
Behavioral baselining records the normal operating patterns of each container; any deviation from that approved baseline is flagged in real time, enabling an immediate response to a potential threat. Instant notification of suspicious activity allows swift action, and security teams must be able not only to detect threats but also to respond to them, with tooling that keeps manual intervention to a minimum.
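The baselining loop described above, as an added example written for this page (not TrueFort's platform code): a learning period builds a per-workload profile of processes and network peers, and runtime events outside that profile are flagged. Workload names, executables and peers are constructed sample data.

```python
"""Behavioral baselining for container workloads (added example, not TrueFort code).
Events are constructed tuples: (workload, executable, destination host, port)."""
from collections import defaultdict

# Constructed learning-period events that form the approved baseline
LEARNING_EVENTS = [
    ("checkout-api", "/app/server", "payments-svc", 8443),
    ("checkout-api", "/app/server", "orders-db", 5432),
    ("checkout-api", "/app/server", "payments-svc", 8443),
    ("ingress-nginx", "/usr/sbin/nginx", "checkout-api", 8080),
]

# Constructed runtime events to check against that baseline
RUNTIME_EVENTS = [
    ("checkout-api", "/app/server", "orders-db", 5432),           # normal
    ("checkout-api", "/bin/sh", "203.0.113.9", 4444),             # new binary, new peer
    ("ingress-nginx", "/usr/sbin/nginx", "kube-apiserver", 443),  # new destination
]


def build_baseline(events):
    """Return {workload: {"procs": set of exe, "peers": set of (host, port)}}."""
    baseline = defaultdict(lambda: {"procs": set(), "peers": set()})
    for workload, exe, host, port in events:
        baseline[workload]["procs"].add(exe)
        baseline[workload]["peers"].add((host, port))
    return dict(baseline)


def find_deviations(baseline, events):
    """Return (workload, reason) pairs for every event outside the baseline.
    A workload with no profile is reported too: a container the catalog has
    never seen is itself worth investigating."""
    alerts = []
    for workload, exe, host, port in events:
        profile = baseline.get(workload)
        if profile is None:
            alerts.append((workload, "unknown workload"))
            continue
        if exe not in profile["procs"]:
            alerts.append((workload, f"unexpected process {exe}"))
        if (host, port) not in profile["peers"]:
            alerts.append((workload, f"unexpected peer {host}:{port}"))
    return alerts


if __name__ == "__main__":
    for workload, reason in find_deviations(build_baseline(LEARNING_EVENTS), RUNTIME_EVENTS):
        print(f"ALERT {workload}: {reason}")
```

In practice the learning period must be long enough to cover periodic jobs, or scheduled maintenance tasks will show up as deviations.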
While it is important to keep an up-to-date catalog of containers and their purposes, understanding how those containers interact within the cloud environment is just as critical. Implementing strict network policies and segmentation, ideally at a granular level following microsegmentation best practices, and securing applications from within the containers themselves are all part of an effective layered defense strategy.
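One way to turn an observed baseline into a microsegmentation policy, as an added example (not TrueFort code): the script emits a Kubernetes NetworkPolicy that denies everything except the peers the workload was seen talking to. The baseline, the `app` label convention and the kube-dns labels are assumptions about the cluster.

```python
"""Derive a microsegmentation NetworkPolicy from an observed baseline.
Added example, not TrueFort code; baseline and label keys are constructed."""
import json

# Constructed baseline: the workload and the only peers it was seen talking to
BASELINE = {
    "app": "checkout-api",
    "namespace": "shop",
    "ingress": [{"from_app": "ingress-nginx", "port": 8080}],
    "egress": [{"to_app": "payments-svc", "port": 8443},
               {"to_app": "orders-db", "port": 5432}],
}

# Assumed cluster convention: CoreDNS in kube-system labelled k8s-app=kube-dns
DNS_RULE = {
    "to": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}},
            "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}],
    "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}],
}


def peer_rule(direction, app, port):
    """One allow rule for a single labelled peer on a single TCP port."""
    return {direction: [{"podSelector": {"matchLabels": {"app": app}}}],
            "ports": [{"protocol": "TCP", "port": port}]}


def build_policy(baseline):
    """Listing both policyTypes makes everything not explicitly allowed denied,
    in both directions, for the selected pods. Egress is the rule most often
    forgotten: without the DNS rule the workload cannot resolve its peers."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": f"{baseline['app']}-baseline", "namespace": baseline["namespace"]},
        "spec": {
            "podSelector": {"matchLabels": {"app": baseline["app"]}},
            "policyTypes": ["Ingress", "Egress"],
            "ingress": [peer_rule("from", r["from_app"], r["port"]) for r in baseline["ingress"]],
            "egress": [peer_rule("to", r["to_app"], r["port"]) for r in baseline["egress"]] + [DNS_RULE],
        },
    }


if __name__ == "__main__":
    print(json.dumps(build_policy(BASELINE), indent=2))  # kubectl apply -f accepts JSON
```

A NetworkPolicy is only enforced if the cluster's CNI plugin supports it; on a CNI without policy support the object is accepted and silently ignored.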
Naturally, it is still important to encrypt “data at rest” (such as on a hard drive, SSD, or a cloud storage service) and “data in transit” (data actively moving from one location to another, such as across the internet or through a private network). Encryption at rest protects against someone accessing the physical storage to extract data. Encryption in transit defends against someone trying to intercept the data as it moves across the network.
A Future for Improved Kubernetes Security
Container usage isn’t just a trend but a staple in IT infrastructure, and understanding and adapting to the unique security challenges it presents is crucial. Traditional security products and strategies may offer limited relief, but there are innovative solutions (like the TrueFort Platform’s Kubernetes security tools) that represent a significant leap forward in protection.
We believe that our approach to Kubernetes security distinguishes itself by effectively integrating process, identity, and network activities within a robust behavioral profile for each containerized application. By establishing this profile, any deviation can be swiftly detected, allowing for the implementation of microsegmentation policies to prevent unauthorized lateral movement. This methodology provides security teams with a unified, comprehensive view of application behaviors and threat incidents across various environments, ensuring enhanced security at every layer.
As team leaders in the cybersecurity field, it’s essential to remain vigilant, proactive, and adaptive. Embracing solutions that align with the dynamic nature of container environments will be key to navigating these challenges successfully.
A more secure, containerized future with all the benefits that it affords is, however, possible.