The race to secure Kubernetes at run time
- 18 November, 2021 06:15
For software developers who primarily build their applications as a set of microservices deployed using containers and orchestrated with Kubernetes, a whole new set of security considerations has emerged beyond the build phase.
Unlike hardening a cluster, defending at run time in containerised environments has to be dynamic: constantly scanning for unexpected behaviours within a container after it goes into production, such as connecting to an unexpected resource or creating a new network socket.
Although developers now tend to test earlier and more often — or shift left, as it is commonly known —containers require holistic protection throughout the entire life cycle and across disparate, often ephemeral environments.
“That makes things really challenging to secure,” Gartner analyst Arun Chandrasekaran told InfoWorld. “You cannot have manual processes here; you have to automate that environment to monitor and secure something that may only live for a few seconds. Reacting to things like that by sending an email is not a recipe that will work.”
In its 2019 white paper 'BeyondProd: A new approach to cloud-native security', Google laid out how “just as a perimeter security model no longer works for end users, it also no longer works for microservices,” where protection must extend to “how code is changed and how user data in microservices is accessed.”
Where traditional security tools focused on either securing the network or the individual workloads, modern cloud-native environments require a more holistic approach than just securing the build. In that holistic approach, the host, network, and endpoints must be constantly monitored and secured against attacks. This typically includes dynamic identity management and access controls to network and registry security.
The runtime security imperative
Gartner’s Chandrasekaran identified four key aspects to cloud-native security:
- It still starts with securing the foundations by hardening clusters.
- But it then extends into securing the container runtime and ensuring sufficient monitoring and logging is in place.
- Next, the continuous delivery process has to be secure, which means using trusted container images, secure Helm charts, and configurations that are constantly scanned for vulnerabilities. On top of this, privileged information has to be secured by effectively managing secrets.
- Finally, the network layer must be secured, from Transport Layer Security (TLS) to the application code itself and any cloud security posture management that is in place, by effectively setting the ideal state and constantly looking for deviations from that state.
In a 2021 InfoWorld article, Karl-Heinz Prommer, technical architect at the German insurance company Munich Re, identified that “an effective Kubernetes security tool must be able to visualise and automatically verify the safety of all connections within the Kubernetes environment, and block all unexpected activities.
"With these runtime protections, even if an attacker breaks into the Kubernetes environment and starts a malicious process, that process will be immediately and automatically blocked before wreaking havoc.”
Meet the runtime security start-ups
Naturally, the major cloud providers — Google Cloud, Amazon Web Services, and Microsoft Azure — are working hard to bake this sort of protection into their managed Kubernetes services. “If we do it properly, application developers shouldn’t have to do a lot of anything, it should be built into the platform for free,” Google VP Eric Brewer told InfoWorld.
That being said, even these cloud behemoths cannot possibly hope to secure this new world alone. “No single company can solve these problems,” Brewer said.
Now, a rapidly growing cohort of vendors, start-ups, and open source projects is emerging to try and close this gap. “There is a growing ecosystem of start-ups in this space,” Chandrasekaran said. “Basic aspects of hardening the OS or securing the runtime are becoming a little commoditised, and the major cloud providers offer this baked into the platform.”
The opportunity for start-ups and open source projects therefore tends to centre on more advanced capabilities, like cloud workload protection, security posture management, and secrets management, often with “smart” machine-learning-powered alerting and remediation capabilities layered on top as a point of differentiation.
Take Deepfence, which was cofounded in 2017 by Sandeep Lahane, a software engineer who previously worked at FireEye and Juniper Networks. Deepfence focuses on what happens during run time by embedding a lightweight sensor into any microservice that can “measure your attack surface, like an MRA scan for your cloud assets,” Lahane told InfoWorld. Deepfence is in the business of “monetising the remedy for that pain, the runtime protection to deploy targeted defences,” he said.
Deepfence open-sourced its underlying ThreatMapper tool in October 2021. It scans, maps, and ranks application vulnerabilities regardless of where it is running. Now, the startup is looking to build out its platform to cover the whole range of runtime security risks.
Sysdig is another emerging vendor in this space, having created the open source runtime security tool Falco.
Similar to ThreatMapper, Falco focuses on detection of unusual behaviour at run time. “Falco makes it easy to consume kernel events and enrich those events with information from Kubernetes and the rest of the cloud-native stack,” its GitHub page reads. “Falco has a rich set of security rules specifically built for Kubernetes, Linux, and cloud-native. If a rule is violated in a system, Falco will send an alert notifying the user of the violation and its severity.”
“I realised the world was changing and the techniques we were using before were not going to work in the modern world,” Sysdig CTO Loris Degioanni told InfoWorld.
“Packet detection doesn’t cut it when you don’t have access to the network any more. So we started by reinventing what data you can collect for containers by sitting on a cloud endpoint and collecting system calls, or more simply put, the process of an application interacting with the outside world.”
Degioanni compared runtime security to protecting your own home, which starts with visibility. “It is the security camera for your containerised infrastructure,” he said.
Founded in 2015, Israeli startup Aqua Security is also underpinned by an open source project, Tracee. Based on eBPF technology, Tracee allows for low-latency security monitoring of distributed apps at run time, flagging suspicious activity as it occurs.
“The moment I saw that containers package everything inside and the operations people click a button to run, for me it was obvious to also package security into that, so as a developer I don’t have to wait,” said Aqua CTO Amir Jerbi. Developers “are not security professionals, and they don’t know how to protect against sophisticated attacks, so they need a security layer that is simple where they can declare their simple needs. This is where runtime protection comes in.”
Other runtime security providers
Other companies operating in this space include Anchore, Lacework, Palo Alto Networks’ TwistLock, Red Hat’s StackRox, Suse’s NeuVector, and Snyk.
Open source is crucial for developer buy-in
One common factor among these companies is the importance of open source principles. “Customers in this space care about open source and don’t want to deploy entirely proprietary solutions,” Gartner’s Chandrasekaran said.
“They want to work with companies that are active participants in open source communities and providing commercial solutions on top of open source software, because that is the foundation of cloud-native technology.”
It’s a sentiment echoed by executives at all of the start-ups InfoWorld spoke to. “In the cloud-native community, a lot of the focus is on open source. They appreciate when vendors have a big footprint and contribution in open source, so they can try things, see what you are doing, and contribute back,” Deepfence’s Jerbi said. “We are a commercial company, but many of those products are based on open source.”
For Phil Venables, CISO at Google Cloud, the open source approach to cloud-native security is critical to solving such a complex problem.
“We are increasingly like a digital immune system,” he told InfoWorld: collecting intelligence from our own internal systems, large enterprise customers, threat hunters, red teams, and public bug-bounty programs. “That makes us primed to respond to any vulnerability and push things back into open source projects, so we have a wide aperture to find out about things and respond to them.”
This open, transparent approach to runtime security will be critical in a future where distributed applications come with uniquely distributed threats.
The cloud giants will continue to bake this protection into their platforms, and a new class of start-ups will fight to offer comprehensive protection. But, for now, the path forward for practitioners tasked with securing their containerised applications through production remains a difficult one to navigate.