Securing Kubernetes From Within and Without

Overlaying security solutions to protect converged infrastructure and cloud-native environments can be tricky.

Enterprises using Kubernetes in hybrid cloud environments are reaping the benefits of development velocity and scalability, but they are also finding that traditional security measures are not able to address the challenges of cloud-native applications built of containers and hosted on virtualized infrastructure. Especially when migrating traditional software to containers and hybrid cloud environments, enterprises are at a loss for how to secure their applications.

On the one hand, virtualized infrastructure is difficult to surround with traditional firewalls that require hardware choke-points to restrict access to the internal workings of web applications. Yet, on the other hand, containerized microservices are exposed to unique vulnerabilities, so as the implicit level of trust required between microservices, and the rapidity with which containers are deployed, these microservices might be exploited to compromise the entire application cluster.

Looking at this challenge, it becomes apparent that this is a situation new to software. As a new kind of security challenge, one born out of the need for flexibility and scale, security teams must go beyond existing security paradigms to find new solutions and consider how to simultaneously secure north-south and east-west traffic in web applications.

Extending Security Across Containers, Kubernetes, and Service-Mesh Architectures

Traditional firewalls were excellent at protecting the digital perimeter of an organization by following the outline of physical hardware. North-south traffic entered and left online applications through clearly defined paths. Today, virtually defined storage and compute, and rapidly scalable containers and microservices make the perimeter of web-native applications challenging to define, and impossible to control through simple hardware gates.

Likewise, east-west traffic between components of a web-native application can be difficult to manage as DevOps speeds drive multiple updates a week or even multiple updates a day. Amazon famously deploys new code every 12 seconds. At these development speeds, it can be difficult to detect and remediate security vulnerabilities in containers and microservices, especially if they’ve already been deployed.

To Protect Against Threats, Foreign, and Domestic

If hardware alone can no longer protect data because that data is sprawled across infrastructure and evolving too quickly, one must look toward solutions that can morph to follow the changing shape of software in production.

Next Generation Firewalls (NGFWs) go beyond traditional firewalls by adding network inspection and intrusion prevention capabilities. NGFWs make no assumptions about what ports or traffic are appropriate and apply deep scans of packets and identity-based security, among other techniques, to secure network traffic to the perimeter of an application and even beyond.

And yet, Next Generation Firewalls will still miss the kind of subtle malicious traffic that can travel between servers, containers, and microservices already within the security perimeter of the NGFW. As hackers turn more toward exploiting flaws in the design of applications, enterprises also need a solution that can continuously monitor east-west traffic and enforce security rules on that traffic.

Enterprises looking to migrate their applications to a hybrid cloud model are rightfully concerned about the challenges and complexity such an endeavor represents. Existing tools, processes, and practices were not engineered for the on-demand, elastic nature of the cloud. It has become increasingly challenging to define, monitor, and enforce security for the entire stack, so enterprises are in dire need for a security solution tailored for this new environment.

The answer is, therefore, to combine complementary solutions: next-generation firewalls with east-west traffic monitoring and security policy enforcement. In this way, enterprises can protect web-native applications from threats foreign and domestic, as it were, more comprehensively than when using only one of these security solutions.

This article was originally published here