As Kubernetes adoption has continued to grow and we’ve seen Kubernetes increase in size and complexity, we’ve also seen a shortage of Kubernetes expertise and Kubernetes security experts in particular. To help organizations adopting Kubernetes understand where they are in terms of maturity (because there’s a lot to learn), we recently introduced the Kubernetes Maturity Model, which highlights some of the important activities to go through as you adopt Kubernetes. It’s also important to remember that Kubernetes is still a young technology, even though Kubernetes itself and its ecosystem are maturing rapidly. To address the challenge of managing Kubernetes security, a new category — known as Kubernetes Security Posture Management (KSPM) — has emerged.
Why the focus on KSPM? Essentially because it’s easy to overlook security or assume it’s built in by default. When organizations get started with K8s, their main goal is typically to get applications deployed quickly, and they rarely give a lot of thought to the security considerations involved. When the primary goal is to get up and running to gain agility and accelerate time to market, it can leave a real gap when it comes to cloud native security.
Cloud native infrastructure isn’t just about running applications in the cloud. It’s also about how you build them. Cloud native technologies (microservices, containers, and Kubernetes) enable organizations to build and run scalable applications in modern, dynamic cloud environments and help companies build and run applications on cloud native architecture. This shift helps them bring innovations to market faster and meet changing customer demands and expectations.
“Cloud native isn’t about where you operate, it’s how you operate.”
– Joe Beda, Principal Engineer, VMware and co-creator of Kubernetes
While the benefits are many, cloud native also makes it more important than ever to build security into your environments and applications from the start. Unlike traditional infrastructure, you can’t bolt security on late in the game (not that it works well there either). Building security in from the start means making sure that your configurations are correct and consistent, that your Kubernetes environment is set up to be secure from day one (it isn’t secure by default), and that your teams are following best practices.
The reality, though, is that your developers are (probably) not Kubernetes experts, and you don't want them to be Kubernetes experts. You want your developers to focus on writing code and building applications. That’s why it's important to give them the information they need (and only the information that they need), information that is relevant to their application and can help them make good decisions. At the same time, it’s also important to provide a high level of visibility between the security and operations teams around how to set policies regarding what is appropriate (or not), both from a security and compliance perspective. We talk about DevSecOps a lot, but security teams are still frequently left out of K8s conversations. The unenviable result is that Sec teams have to work hard to catch up with K8s conversations and requirements.
Configuring K8s involves a lot of different parameters, set by many different users, which creates a lot of confusion and inconsistency. While handling configurations can be confusing, some of the basic principles of security remain the same. For example, limiting the permissions of Kubernetes clusters and users according to the principle of least privilege helps minimize security risks. The challenge is implementing those principles and policies consistently across Kubernetes clusters. Creating standardized and customized policies is an important first step, and defining best practices for your environment is also critical, but to really make those policies stick, you need to enforce them. Enforcing your policies automatically helps your organization avoid security incidents, downtime, and inconsistencies across multiple clusters and users.
So, what exactly is Kubernetes Security Posture Management (KSPM)? Similar to Cloud Security Posture Management (CSPM), which automates secure cloud infrastructure configuration, KSPM automates secure Kubernetes infrastructure configuration. It’s important to integrate KSPM throughout the entire process, so your applications and containerized workloads are deployed securely from the start. If you involve security teams in the beginning, they can help write secure configurations, get visibility into the configuration issues, provide relevant security feedback early in the development process, and make sure that actionable and relevant remediation information gets to the developers so they can fix issues more easily.
Applying policy from the start helps you prevent issues from happening and enables consistent security at scale by letting more of your team — across dev, sec, and ops — implement security without having to figure out how to do it properly through manual trial and error. KSPM enables secure infrastructure while enabling rapid time to market, reducing security and compliance risks from the beginning and throughout the SDLC.
Fairwinds Insights helps you secure your Kubernetes cluster configuration, use policies to apply least-privilege access automatically, continually scan and secure containers to find and remediate new vulnerabilities, and maintain compliance with external standards. Fairwinds Insights also provides dozens of out-of-the-box policies that you can apply quickly, enforcing guardrails across a fleet of clusters, an individual cluster, or as granularly as individual namespaces or workloads. The software can also accept any existing Rego-based policies created for use with Open Policy Agent. We created Fairwinds Insights based on our long experience helping organizations of all sizes deploy Kubernetes successfully, built with our open source tools and hard-won knowledge from building implementations that are secure, reliable, and efficient.
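To make the earlier point about least privilege and automatic policy enforcement concrete, here is a small policy checker written for this article. It is an added example, not code from Fairwinds Insights, Polaris, or Open Policy Agent, and it does not use Rego; it expresses a handful of common least-privilege checks (no privileged containers, no root, no privilege escalation, dropped capabilities, no wildcard RBAC rules) as plain Python functions and runs them over two constructed manifests. The manifests, the image names, and the namespace are made up for illustration, and the `admit` gate stands in for the kind of decision an admission controller or CI step would make.

```python
"""Least-privilege policy checks over Kubernetes manifests (added example)."""
from typing import Any, Dict, List, Tuple

Manifest = Dict[str, Any]

# Constructed sample manifests for the example; not taken from any real cluster.
# The "app" container has no security context, while "sidecar" is locked down.
DEPLOYMENT: Manifest = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "web", "namespace": "shop"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "app", "image": "example/app:1.0",
         "securityContext": {"privileged": True}},
        {"name": "sidecar", "image": "example/sidecar:1.0",
         "securityContext": {"runAsNonRoot": True,
                             "allowPrivilegeEscalation": False,
                             "readOnlyRootFilesystem": True,
                             "capabilities": {"drop": ["ALL"]}}},
    ]}}},
}

# A Role that grants everything: the opposite of least privilege.
ROLE: Manifest = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "ops", "namespace": "shop"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}

WORKLOAD_KINDS = ("Pod", "Deployment", "StatefulSet", "DaemonSet", "Job")


def _pod_spec(manifest: Manifest) -> Tuple[Dict[str, Any], List[Dict[str, Any]]]:
    """Return the pod spec and all containers (regular and init) of a workload."""
    if manifest.get("kind") == "Pod":
        spec = manifest.get("spec", {})
    else:  # Deployment, StatefulSet, DaemonSet and Job all embed a pod template here
        spec = manifest.get("spec", {}).get("template", {}).get("spec", {})
    return spec, spec.get("containers", []) + spec.get("initContainers", [])


def check_workload(manifest: Manifest) -> List[str]:
    """Flag pod- and container-level settings that grant more than needed."""
    findings: List[str] = []
    spec, containers = _pod_spec(manifest)
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key) is True:
            findings.append(f"pod: {key} is enabled")
    for c in containers:
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        if sc.get("privileged") is True:
            findings.append(f"{name}: privileged container")
        # Absent settings are treated as violations: secure must be explicit.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation not set to false")
        if sc.get("runAsNonRoot") is not True:
            findings.append(f"{name}: runAsNonRoot not set to true")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: readOnlyRootFilesystem not set to true")
        if "ALL" not in (sc.get("capabilities") or {}).get("drop", []):
            findings.append(f"{name}: capabilities.drop does not include ALL")
    return findings


def check_rbac(manifest: Manifest) -> List[str]:
    """Flag Role/ClusterRole rules that use wildcards instead of named permissions."""
    findings: List[str] = []
    for i, rule in enumerate(manifest.get("rules", [])):
        for field in ("apiGroups", "resources", "verbs"):
            if "*" in rule.get(field, []):
                findings.append(f"rule[{i}]: wildcard in {field}")
    return findings


def evaluate(manifests: List[Manifest]) -> Dict[str, List[str]]:
    """Run the applicable checks for each manifest, keyed by kind/name."""
    report: Dict[str, List[str]] = {}
    for m in manifests:
        kind = m.get("kind", "")
        key = f"{kind}/{m.get('metadata', {}).get('name', '?')}"
        if kind in ("Role", "ClusterRole"):
            report[key] = check_rbac(m)
        elif kind in WORKLOAD_KINDS:
            report[key] = check_workload(m)
        else:
            report[key] = []  # kinds without checks pass through
    return report


def admit(manifests: List[Manifest]) -> bool:
    """Enforcement gate: admit only when no manifest violates the policy."""
    return not any(evaluate(manifests).values())


if __name__ == "__main__":
    for obj, findings in evaluate([DEPLOYMENT, ROLE]).items():
        print(obj, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
    print("admitted:", admit([DEPLOYMENT, ROLE]))
```

Running the block reports five findings against the `app` container, none against `sidecar`, three wildcard findings against the Role, and refuses admission. Two design choices matter for consistency across clusters and teams: a missing setting counts as a violation rather than a pass, so a developer who forgets `runAsNonRoot` gets the same feedback as one who sets it wrong, and every finding names the container or rule it applies to, which is the actionable, developer-facing remediation detail the article argues for.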