Kubernetes Security vs. Security Theater

Physical Security Checks

When I was a kid my father worked for the government and that sent us around the world to some interesting places. One of the places we lived had a huge compound for the United States Embassy. Inside this compound was the ambassador's house, office buildings for people to get their work done, and a place for the Marines who lived on the embassy grounds to live, workout, and run some exercises. There was a club for the US Citizens to come eat American food and swim in a pool. We even had a place to rent VHS tapes (which makes me giggle a bit to remember).

You can imagine an embassy is built to be a pretty secure place. To drive a car anywhere near the embassy you had to stop and have someone check your credentials. On the way in, even if you were a diplomat, you had to have the bottom of your car checked to make sure no one had affixed a bomb to it. Once you parked you still had to have bags checked and empty your pockets before passing through a metal detector, a bit like going through an airport.

At the time it made me feel pretty good about being inside. My physical security was protected due to these measures.

When Security Might Really Just be Security Theater

But then I heard about one of the Marines on the embassy grounds finding holes in the system. He managed to hide a device under a car that no one caught, and he also managed to climb the walls in a place where there was no surveillance.

While I actually have no idea if a Marine ever really did this or not, I heard the story and it made the "security" of the place feel a lot more like "security theater". That is to say, I'm not sure if the measures in place were actually protecting anything or if they were there just to make us feel like we were being protected. A part of me wanted to put this story out of my mind and just ignore it—most people probably couldn't do what he did, right?

Unfortunately, "ignore the problem and hope it really isn't a problem" is a... really bad security posture.

Kubernetes Security vs. Security Theater

If your company is running at any meaningful size or scale, chances are you have some security tools in place. Often it feels like those security measures are more security theater than real security. Someone requires you to run an antivirus on your computer, but you hate the idea, so you run the least possible checks and just assume a virus won't be a problem on your Linux desktop (you might be right, but you're still just running on hope!).

It's also very common for an organization to have one or several cloud, Kubernetes and container security tools, but "running" the tool is just security theater if it isn't utilized in the right way. Saying, "we have a way to scan for problems," is a bit like saying, "they used a mirror to check under my car when I drove in." Sure, there was a security measure "used", but was it really? Is anyone actually paying attention?

Meet Engineers in Their Workflow for Actual Enforcement

This is why using tools that integrate with existing workflows is so important. Engineers are used to a QA workflow in their deployment process, so meet them there with Kubernetes security as one more piece of QA. Engineers are used to getting paged when production is down, so meet them there with alerts on high-risk security problems.

Engineers are used to checking Jira or some other issue tracking tool to know what's next to work on. Set up automation to integrate where people already work, so security issues in your Kubernetes setup are addressed in a workflow people already understand.

If you have "Yet Another Dashboard" that doesn't integrate anywhere, chances are you have implemented some excellent Kubernetes security theater at your company. And you'll feel good about things until a real threat comes along. If you have tooling that integrates in a way people understand, in the workflows they already use, you might get to a real sense of practical security. You might stop the problem before someone from the outside breaches the walls to show you just how real the threat can be.
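As an added illustration of this kind of workflow integration (example code written for this post's argument, not Fairwinds Insights or any other product's code), here is a small CI gate that audits a Kubernetes manifest and routes findings the way described above: high-severity findings fail the build and go to the pager, everything else becomes a ticket. The manifest, the individual checks and their severities are assumptions chosen for the example.

```python
"""Added example: a severity-routed Kubernetes manifest gate for CI."""
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "low" (severities assumed for this example)
    container: str
    message: str


def _pod_spec(manifest):
    """Deployments/StatefulSets nest the pod spec under template; bare Pods do not."""
    spec = manifest.get("spec", {})
    return spec.get("template", {}).get("spec", spec)


def audit(manifest):
    """Return the list of findings for one Pod or Deployment manifest (a dict)."""
    pod = _pod_spec(manifest)
    findings = []
    if pod.get("hostNetwork"):
        findings.append(Finding("high", "-", "hostNetwork shares the node's network namespace"))
    for c in pod.get("containers", []):
        name = c.get("name", "?")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(Finding("high", name, "privileged container"))
        if not sc.get("runAsNonRoot"):
            findings.append(Finding("medium", name, "runAsNonRoot not set"))
        if not c.get("resources", {}).get("limits"):
            findings.append(Finding("medium", name, "no resource limits"))
        image = c.get("image", "")
        if ":" not in image or image.endswith(":latest"):
            findings.append(Finding("low", name, f"unpinned image {image!r}"))
    return findings


def route(findings):
    """Map findings onto the workflows engineers already use: QA gate, pager, tickets."""
    high = [f for f in findings if f.severity == "high"]
    return {"fail_build": bool(high), "page": high,
            "ticket": [f for f in findings if f.severity != "high"]}


SAMPLE_MANIFEST = {  # constructed sample, not taken from any real cluster
    "kind": "Deployment",
    "spec": {"template": {"spec": {"hostNetwork": True, "containers": [
        {"name": "web", "image": "nginx:latest", "securityContext": {"privileged": True}}]}}},
}

if __name__ == "__main__":
    result = route(audit(SAMPLE_MANIFEST))
    for f in result["page"] + result["ticket"]:
        print(f"[{f.severity}] {f.container}: {f.message}")
    sys.exit(1 if result["fail_build"] else 0)  # non-zero exit fails the CI job
```

Wired into a pipeline step, the non-zero exit is what turns the scan from a dashboard entry into the same kind of QA failure engineers already act on.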

Fairwinds Insights integrates into your CI/CD workflow, it integrates into your alerting system (heck, PagerDuty is a customer—so you know the integration works), and it integrates into your issue tracking system. Sane defaults out of the box, with incredible opportunity for automation and extensibility, make it a Kubernetes security platform you'll actually use—rather than one more expensive form of security theater.

Interested in using Fairwinds Insights? It’s available for free! Learn more here.
