An SME guidebook to security with Kubernetes

If you are considering a microservices-based architecture to scale your application or website up to the next level, Kubernetes can be a great option for managing it. However, this makes layer-wise security even more important. Read on for some of the rules to keep in mind when planning for security.

Application security of Kubernetes deployments

Microservices architecture with containers and orchestration solutions like Kubernetes is a match made in tech heaven. Kubernetes is a container orchestration platform originally developed by Google and now open source. It allows applications to be hosted at scale by automating the deployment and management of containerized applications.

Ensuring that every level of the application is secure ties up any loose ends, which is a cakewalk for large enterprises. However, you are an SME, just exploring container tech or dabbling with it. Functionality, time to market, and user acquisition are top of mind for you. You think you’ll figure out the security aspect eventually, before deploying the app. Right? Wrong.

Complexity is inherent in a distributed system, and the interconnections among the different units mean that if one is pulled down, all are pulled down. Both these factors work very well in hackers’ favor. How? They maximize the attack surface.

Large enterprises have an army of security professionals and the budget to employ third-party security experts. As an SME, how do you get your security game on point in this scenario?


Addressing security with containers – an SME perspective

It is crucial to think about security from the very beginning of the project. As a first step, SMEs have to be cautious about the code being built. Let’s say you use a particular programming stack for building your microservices architecture, for example Java. The development teams need to focus on the security vulnerabilities that could arise in their particular Java application and ensure they address them.

As a first step, they need Static Application Security Testing (SAST) tools to analyse the source code. The second step concerns the many third-party software components that may be used while building an application. To address this particular risk, a Software Composition Analysis (SCA) tool is a must: it helps address vulnerabilities identified in third-party components. These are the two main areas an SME should focus on.

As a third step, let’s say you’re using Docker as your container technology. To create your container, make sure you pull only a hardened image from Docker Hub or any other repository. CIS benchmarks act as a guiding light to ensure images are always secure. For example, one of the checks in securing a Docker image is that the OS in the image does not carry any default credentials, such as ‘Admin’ as both username and password. So, while importing Docker images, the CIS controls should be applied to build a secure image. For this, you’ll need different scanners; Qualys, for example, has a container and registry image scanner that companies can use to build secure images.

All the applications or software components that have been scanned go into the secure image. After this, you need to make sure that the secure code is deployed in the Docker image. Then come container image scans, which look for any container-related vulnerabilities.

These three security procedures are mandatory in order to ensure that your early cycles or phases of Kubernetes are really secure.

The final step is to run Security Configuration Checks on Kubernetes. Companies can use CIS-defined baselines to help build a highly secure environment overall.

These four components are required for any organisation: SAST tools, Software Composition Analysis tools, container image scanners, and a configuration scan on Kubernetes.

Deciphering cloud offerings and their role in cybersecurity

There are also third-party solutions with which even the Kubernetes configuration can be scanned again. Cloud service providers offer services specifically for Kubernetes: GKE is Google’s managed Kubernetes, EKS is Amazon’s, and AKS is Azure’s. In these services, the cloud service providers themselves handle certain security features, and may delegate some security operations to the teams responsible for deployment on production instances. For instance, the Operations team has to go through specific configurations based on their use cases, so they should ensure they are meeting the baselines defined by the CIS benchmarks.

Cloud service providers have themselves come up with automation solutions that provide all the checks to be carried out. The Operations team only has to review these checks and assess whether each is really required. Any decision to override a check must have a strong justification, based on your specific operations or use case: the team raises a comment making a strong case for overriding that CIS baseline in their scenario and, on receiving approval, simply suppresses that one CIS baseline check. Again, it’s a baseline, a best practice, and not a mandatory checklist.
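The image checks described above (for instance, no default credentials baked into the image) and the justified override of a single baseline, as an added example that is not part of the original article or of any CIS or vendor tooling: a small Python checker over a constructed `docker inspect`-style image config. The check ids, the sample config and the weak-default list are assumptions for this example, not official CIS benchmark numbers.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the "Config" section of `docker inspect <image>`
# output (sample data for this example, not a real image).
SAMPLE_IMAGE_CONFIG = {
    "RepoTags": ["acme/api:latest"],
    "Config": {
        "User": "",  # an empty User means the process runs as root
        "Env": ["PATH=/usr/bin", "ADMIN_USER=admin", "ADMIN_PASSWORD=admin"],
        "Healthcheck": None,
    },
}

# Variable names that look like credentials, and weak defaults a baseline would reject.
CRED_VAR = re.compile(r"(PASS|PASSWORD|SECRET|TOKEN)$", re.IGNORECASE)
WEAK_DEFAULTS = {"", "admin", "password", "changeme", "root"}


def check_image(cfg: dict) -> List[Tuple[str, str]]:
    """Return (check_id, message) for every baseline check the image fails.
    The check ids are hypothetical labels, not official CIS benchmark numbers."""
    conf = cfg.get("Config", {})
    findings = []
    if conf.get("User", "") in ("", "0", "root"):
        findings.append(("IMG-USER", "container process runs as root (no USER set)"))
    for entry in conf.get("Env", []):
        name, _, value = entry.partition("=")
        if CRED_VAR.search(name) and value.lower() in WEAK_DEFAULTS:
            findings.append(("IMG-DEFAULT-CRED", f"default credential baked into image: {name}"))
    if not conf.get("Healthcheck"):
        findings.append(("IMG-HEALTHCHECK", "no HEALTHCHECK instruction defined"))
    if any(tag.endswith(":latest") for tag in cfg.get("RepoTags", [])):
        findings.append(("IMG-TAG", "mutable :latest tag used instead of a pinned version"))
    return findings


def apply_exceptions(findings: List[Tuple[str, str]], exceptions: Dict[str, str]):
    """Suppress the checks the team has been approved to override. An override is
    only honoured when it carries a non-empty justification (the 'strong case')."""
    kept, suppressed = [], []
    for check_id, msg in findings:
        reason = exceptions.get(check_id, "").strip()
        if reason:
            suppressed.append((check_id, msg, reason))
        else:
            kept.append((check_id, msg))
    return kept, suppressed
```

Real `docker inspect` output is a JSON list, so pass `json.load(...)[0]` to `check_image`; the findings that remain after `apply_exceptions` are the ones the team still has to fix.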

After all these activities, there is one more check to be done: Dynamic Application Security Testing (DAST). Solutions like IBM AppScan, Acunetix, and Burp Suite Scanner carry out DAST. These tools perform a kind of penetration testing once the application is live, or in the staging or dev instances.

A Cloud Configuration Review is available automatically, with pre-defined checks. A dashboard lists all the configuration gaps for the Operations teams, who decide which issues to fix.

This is the set of security checklists that organisations with a microservices architecture need to look into.

Resource challenges SMEs could face in managing security processes and operations for microservices-based applications

As this is open source, the challenges an SME could face are in terms of:

– Finding the right skillset

– The security tools needed to integrate as part of the DevOps pipeline

The more important of these two is the need to provision the required security tools. Otherwise, the entire operation has to be done manually: the team has to minutely assess the security aspects of every single activity required for the complete orchestration. For instance, suppose an SME is keen to opt for cloud-based solutions. Their challenge comes when they want to run a container image scan or configuration checks: they need a premium licence instead of a basic one to do so.

There are differentiating factors between the various licence tiers offered by cloud service providers. With a basic licence, you can only deploy or run your application. Unless you are in a premium tier, you can neither run scans nor receive security-related recommendations or best practices.

Also, if you have a microservices-based architecture but lack the required skill sets in your team, especially for security delivery, have no security automation in place, or are not relying on DevOps, the company incurs a huge cost. You have to ensure that your entire container fleet is always automated. Where open-source tools are available, make use of them; where commercial tools are needed, look into those areas to ensure that your microservices are secure. So, the challenge is to manage all these activities.

This is the key reason why many SMEs engage third-party security service providers such as Entersoft Security. Their main question is which solutions or tools they can use, and whether a particular cloud service provider lets them leverage all these features. For instance, some customers have allocated a budget for security operations; we then only advise them on the tools required for every phase. This makes it easy for them to opt for a particular vendor and onboard all these tools and security features.

A good thing when customers go for the on-cloud version is that cloud service providers are now simplifying things by integrating all the security solutions right into their cloud services. With a single licence, you can enable these features. To illustrate, GKE itself has some built-in security capabilities, offered with a premium licence.

When they go for on-prem, there are many challenges they need to address, through the right skill sets or by engaging a consultant if they are unaware of how to deal with the entire gamut of solutions required for security activities.

The debate on investing in cybersecurity: annual security activity vs. premium licence

As always, both come with their own set of challenges and high points.

If you decide to go on an annual basis, security service providers will charge highly for this activity. This is because there is a long list of things they need to deal with. The first is that a single consultant cannot perform all these activities; they’ll have to deploy skilled resources in each of the relevant areas to deliver it.

The next challenge is that these teams now have to communicate back to the customer’s internal teams and make sure they understand everything thoroughly. So, it’s a long and iterative process. It’s not like a web application penetration testing service, for example, which is a 7-day activity for Entersoft, 15 days at most, handled by just 2-3 resources. But when an organisation uses the service provider for an annual engagement delivering security services, it’s not a 1- or 2-day or even a 2-week activity. It’s a lengthy activity whose duration depends on the maturity of the internal teams. If they are not well-versed with automation and do not possess any security knowledge, a lot of training and upskilling is required to bring them up to our level; otherwise this won’t provide value for the customer. Even once we deliver this activity, we have to provide all the documentation required, to ensure that from then on they follow the entire set of instructions.

Cloud service providers, on the other hand, charge a minimal fee for these services, and their licences are also priced competitively. If you opt for a particular licence, you get everything in one go. You don’t have to wait for your service provider to come to you, ask about your requirements, look through your architecture, and understand your applications or business.

Once you enable things on the cloud, you get the entire report at the click of a button. This doesn’t happen in the annual mode, where a lot of time goes into understanding the team’s skillset, the organisation’s budget, what sort of tools are required, and so on. However, the annual mode takes a customised approach: the service provider understands your business and your architecture and suggests what is relevant for you. A cloud service provider’s container solution doesn’t understand the context. It just gives you results, and it is your team who must decide on the issues reported in those dashboards; they have to really understand these well to decide whether something is an issue or not.

Speed and reliability are very high with cloud service providers. In the manual approach, when companies opt for an annual interaction or engagement with a security service provider, it’s a highly time-consuming activity: results cannot be seen in a day or two, which is possible with cloud service providers.

Entersoft’s tailor-made security services for small and medium businesses

Are you a cloud-nascent SME? Unsure what services are available or what security features need to be addressed? You’ve arrived at the right place then.

At Entersoft, our security services are tailor-made for small and medium businesses that have migrated their on-prem applications to the cloud. We deliver this activity through highly trained and skilled resources certified in specific cloud domains. Since the majority of customers use Kubernetes to manage container fleets, we have candidates certified exclusively in Kubernetes security solutions. The certification is awarded by the reputed Cloud Native Computing Foundation (CNCF) – the only certification required for Kubernetes.

We also have AWS-specific cloud security solutions architect-level resources. Our aim is to bring in more candidates certified in Azure and also VMware certified professionals (VCP).

Secondly, based on security standards and the tools or toolsets we have worked with, our focus is to bring in a methodology for delivering this activity to customers. We demonstrate both the manual approach and the automated approach. Our value-add is that by combining the two, we remove all false positives and provide only the accurate results that particular organisation actually needs to fix urgent security gaps. This is effective, instead of throwing all the results at them and leaving them confused about what to fix.