Shauli Rozen, ARMO: “Kubernetes security is a tale of two approaches which don’t “talk with each other”
If you are using or are planning to use cloud-native applications, most likely you are already utilizing an open-source system, Kubernetes. But its flat network model creates serious security concerns.
Over the last couple of years, countless developers have adopted Kubernetes to help manage cloud-native applications. Unfortunately, many companies still struggle with securing this new environment. Some organizations went ahead and got ahold of various security tools to protect their network but according to experts, that’s not enough.
To discuss the ins and outs of Kubernetes Security, we invited Shauli Rozen, CEO & Co-Founder of ARMO, a company specializing in Kubernetes security products.
How did the idea of Armo originate? What has your journey been like so far?
ARMO is a Kubernetes security company that is building Kubernetes Security products made for developers.
Our patented technology and tools fit natively within the CI/CD pipeline and existing development tools, assuring DevOps, DevSecOps, and developers that every Kubernetes’s cluster, container, and microservice is born and remains secure, from development to production and from configuration to run-time, every time.
The idea came as we were speaking with many CISOs and security experts about Kubernetes security, and realized that their immediate reaction is always “I need to bring my development organization into this discussion”, and as we continued the discussion and engaged with more DevOps leaders, security and cloud architects, we realized that this is the only way to build secure Kubernetes environments – if it is done by the dev team with developer-driven design.
The journey for developer-driven security has been exciting and refreshing, giving our customers and us a new look into how security can be done in a native way, within the development tools. Kubescape, our open source project, has been growing crazy fast, with more than 5K GitHub starts in five months and tens of thousands of downloads, it is great to see it taking off and being used in practical scenarios.
Can you tell us a little bit about what you do? What is Kubernetes security?
The story of Kubernetes security is a tale of two approaches which, in most cases, don’t “talk with each other.”
- Kubernetes security posture management (KSPM) – the process, methods, and controls of scanning, finding, and fixing software misconfigurations and vulnerabilities as early as possible (during the CI pipeline), to prevent them from reaching production. The objective here is to minimize the attack surface and to harden the K8s environment as much as a possible.
- Runtime protection – the process, methods, and controls of detecting and preventing cyberattacks when they happen (in most cases – during production). The objective here is to maximize the resiliency of the K8s environment to cyberattacks.
Each of these categories has many issues and challenges, and they are far from being enough to protect against cyber-attacks. And most certainly, you need to use both to gain maximum protection. In most cases, they are too complex and cumbersome for developers and are not designed and built like developers are used to.
But probably the biggest gap today is that both solutions don’t “talk” to each other. Meaning there is no practical way, using today’s existing solutions in the market, to use the data and insights from one and provide it to the other to run it in a better way
At ARMO, our mission is to change it. We are building Kubernetes Security products made for developers. And Kubescape is an example of that.
How do cybercriminals take advantage of unprotected IT workload? What is the worst that can happen?
Kubernetes (K8s) has become the de-facto orchestration, deployment, and management standard for organizations making the move to a microservices architecture.
It is a unique platform that packages together applications functionality, infrastructure definitions, and third-party components.
It is a highly dynamic open-source platform that was not built with a security mindset but rather to be as agile and flexible as possible. And this is probably why so many DevOps teams love it.
So with all its benefits, security is still a major issue. In fact, in its Spring 2021 report on the state of Kubernetes security, RedHat notes that 94% of survey respondents had experienced a security incident in their Kubernetes environment.
And the main cause of these incidents? Misconfigurations and vulnerabilities. This is because, alongside its rapid adoption, K8s is still evolving. This combination of accelerating speed and constant change translates into the growing prevalence of misconfigurations which:
- Make the attack surface of production environments difficult to control
- Lead to heightened vulnerability
The issue of misconfigurations is so acute that Gartner is even predicting that by 2025, 99% of cloud security failures will be “the customer’s fault,” i.e., due to user misconfigurations.
So for a cybercriminal, it is literally, in many cases, “a walk in the park.” Highly vulnerable misconfigurations are very common, and it’s pretty easy to access sensitive data (e.g. K8s secrets) and in most cases, no one will know since it’s almost impossible to run an effective forensic (usually the data and logs are not saved when microservices “die”).
As more and more companies move their mission-critical applications to K8s, it’s no wonder why in 2020, we saw a dramatic increase in the number of attacks targeting K8s and the level of sophistication of them (e.g. fileless malware).
Some of the common attacks on Kubernetes are data breaches, crypto mining, and ransomware.
Do you think the pandemic altered the ways in which threat actors operate?
I think it accelerated the number and sophistication of attacks.
As more and more people working from home rely on digital environments and are “less protected” by the regular cybersecurity tools and processes that we have at the office, the attack surface has become larger and more vulnerable.
In your opinion, which industries should be especially attentive to implementing application security?
Every industry that is relying on cloud-native environments and containerized microservices (and therefore using or going to use Kubernetes in some way) – should seriously consider adopting Kubernetes security. Naturally, industries like fintech, online retail, and others use this kind of technology more.
In recent years, DevSecOps practices started to gain traction. Can you briefly describe this approach?
I like the definition by CNCF (cloud-native computing foundation) – DevSecOps is the practice of integrating security into release cycles in modern, cloud-native applications. It builds on DevOps by bridging the gap between development and security teams and automating many security processes. It basically means the security is a shared responsibility between Devs and DevOps. The notion of implementing security practices as early as possible in the development process is what the industry calls “shift-left”.
What are the best practices companies should follow when developing and when launching an app?
The first best practice I would mention is to embed security early in the development process and make it part of the native CI/CD process. That way, it will create the least overhead and generate the most impact.
Also, in today’s microservices architecture, application security has become not just about the application code, but also about networking, policies, and configuration. All of these need to be taken into account as part of the security technology and processes.
Which organizations are going to be the main target for cybercriminals in the near future?
That’s a question that is best answered from an attacker’s point of view. So, what are the attackers looking for? They are looking for targets. And how do they choose their target? By a combination of two key parameters: 1) the value of the target 2) how easy it is to attack it.
High-value targets – as Kubernetes becomes more mainstream, used by more companies, in more environments, and now placed in places with high value. It is no longer just in a small workload somewhere, a test application, or a “software playground” – it is right there in the core of the production environment and in an extremely fast-rising number of organizations.
Easy to attack – the biggest factor in the potential ease of attacking a Kubernetes-based system is not in the underlying technology vulnerabilities, it is in the mere fact that it is new. Attackers love new systems, which organizations are adopting quickly and do not yet know how to configure in a secure way.
What does the future hold for ARMO?
Our vision is to help the Dev/DevOps community with a simple but useful solution for securing Kubernetes end-to-end. We want Kubescape to become de-facto as a single Kubernetes pane of glass for Kubernetes users and admins.
We hope to see Kubescape becoming a well-known and widely used tool by the DevOps and Kubernetes community. We hope the community will help us develop it and make it better and more robust.