Kubernetes adoption has skyrocketed over the past several years as a growing number of businesses leverage the platform for application development and code deployment. Today, organizations ranging from small and mid-sized businesses (SMBs) to Fortune 500 companies now rely on Kubernetes to streamline their development needs. But while many organizations understand the potential benefits of Kubernetes, fewer understand the platform’s cybersecurity vulnerabilities—and even those with tools in place to protect their Kubernetes environments rarely understand how effective those solutions are.
While Kubernetes is becoming increasingly ubiquitous, the ability to secure Kubernetes environments has lagged behind—leaving a dangerous window for cybercriminals to exploit. In today’s threat landscape, securing Kubernetes environments is critical, but that doesn’t just mean having the right solutions in place. It means being able to think like an attacker, testing the effectiveness of security solutions against real-world tactics and techniques. If businesses want to protect their Kubernetes environments, they need to continuously test their security solutions to ensure they are performing as expected against today’s most advanced threats.
The Danger of Kubernetes Attacks
Kubernetes attacks can take a variety of forms, depending on the protections an organization has in place. Kubernetes does not run an application as one monolithic system; it schedules workloads as pods of containers, each with its own process tree and filesystem view, so developers can change one workload without touching the rest of the system. That gives a degree of isolation: an attacker who compromises one container does not automatically gain access to the others, which can limit the potential damage. The isolation is weaker than a virtual machine boundary, however, and misconfigurations such as privileged containers, host-path mounts or over-broad service account permissions erode it. Attacks on Kubernetes can therefore still have a significant impact, and a compromised pod is often used as a jumping-off point to reach other critical areas of the network.
If, for example, an attacker exploits a vulnerability in an organization's web server and is able to run code inside the pod that hosts it, that gives them a foothold. From there the attacker starts looking for misconfigurations, which are extremely common, particularly in cloud deployments. The pod's service account token, mounted into the container by default, lets them talk to the Kubernetes API, and if that account is bound to over-broad RBAC rules they may be able to read secrets, reach other namespaces or obtain administrative credentials. Once an attacker holds privileged credentials, they are very difficult to stop. A different attacker might tamper with a container image, or with the pipeline that builds it, so that the malicious code is pulled and deployed wherever the application runs, potentially impacting everyone using the application. Without sufficient visibility into how accounts and identities are behaving within the cluster, it is impossible to identify that activity in time to stop the attack.
Why Securing Kubernetes in the Cloud is a Challenge
Running Kubernetes through a cloud provider's managed service is one of the primary reasons security is a challenge. On a self-managed cluster the operator controls the control plane and its built-in security features, including the API server's audit logging, which can be configured to record exactly the request activity needed to identify and fend off an attack. Most teams today do not run Kubernetes that way; they do their development on a managed offering in the cloud. All major cloud providers support Kubernetes, but the control plane is operated by the provider, and how much of its activity the customer can see, what is logged, where it is delivered and at what cost, varies considerably from one platform to the next. Research conducted by Cymulate found that, depending on the cloud platform, users have only 24-66% visibility in areas where they would expect to have 100% visibility, meaning that as much as 76% of a Kubernetes environment may be effectively unmonitored. If security teams are going to stop attackers from deploying malicious code or using Kubernetes as a jumping-off point for wider attacks, they need visibility into those environments.
Another related problem is that even when a security control successfully stops an attack, the blocked attempt is not always flagged to the user. An API request the server rejects as Forbidden, or a pod the admission controller refuses to create, is still evidence of an attacker at work, and security teams need to be aware of all attack activity, even when it is unsuccessful. An attacker who fails once isn't likely to pack up and walk away. They'll keep poking and prodding around the edges, looking for ways to circumvent whatever stopped them. If security teams know those unsuccessful attempts are taking place, they can take additional measures to shore up the related defenses. If they aren't aware, attackers are free to continue experimenting until they find something that works.
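The "keeps poking around" pattern is visible in the API server's audit log if someone looks: every rejected request is recorded with a Forbidden response, alongside the calls that succeeded. The script below is an added example written for this article, not code from the original page or from Cymulate. It parses audit events in the audit.k8s.io/v1 JSON-lines format the API server writes, flags any principal that accumulates repeated denials inside a short window, and separately flags pod identities that successfully read secrets. The events, namespaces, service account names, IP addresses, threshold, window and allow-list are all constructed assumptions for the example.

```python
"""Surface denied and suspicious Kubernetes API calls from audit log lines.

Added example for this article, not code from the original page or from Cymulate.
The events below are constructed to match the audit.k8s.io/v1 JSON the API server
writes (one event per line); principals, namespaces and addresses are made up.
A real run would read the API server's audit log file or a managed provider's
audit log export instead of SAMPLE_AUDIT_LOG.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

DENIAL_THRESHOLD = 3                  # this many 403s from one principal ...
DENIAL_WINDOW = timedelta(minutes=5)  # ... inside this window is "poking around"
# Assumed allow-list: pod identities that legitimately read secrets.
ALLOWED_SECRET_READERS = {"system:serviceaccount:kube-system:cert-manager"}


def _event(ts, user, verb, resource, namespace, code, ip="10.0.1.5", stage="ResponseComplete"):
    """One constructed audit event in the on-disk shape (Metadata level, no request body)."""
    ev = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
          "stage": stage, "verb": verb, "userAgent": "curl/8.4.0", "sourceIPs": [ip],
          "requestURI": f"/api/v1/namespaces/{namespace}/{resource}",
          "user": {"username": user, "groups": ["system:authenticated"]},
          "objectRef": {"resource": resource, "namespace": namespace, "apiVersion": "v1"},
          "requestReceivedTimestamp": ts, "stageTimestamp": ts}
    if stage == "ResponseComplete":   # only completed requests carry a response status
        ev["responseStatus"] = {"code": code}
        if code == 403:
            ev["responseStatus"].update({"status": "Failure", "reason": "Forbidden"})
    return ev


WEB_SA = "system:serviceaccount:prod:web"   # identity of the compromised web pod
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    _event("2024-03-01T10:00:00.000000Z", WEB_SA, "list", "secrets", "prod", 403, stage="RequestReceived"),
    _event("2024-03-01T10:00:00.000000Z", WEB_SA, "list", "secrets", "prod", 403),
    _event("2024-03-01T10:00:04.000000Z", WEB_SA, "list", "secrets", "kube-system", 403),
    _event("2024-03-01T10:00:09.000000Z", WEB_SA, "create", "pods", "prod", 403),
    _event("2024-03-01T10:00:15.000000Z", WEB_SA, "list", "secrets", "dev", 200),  # looser RBAC in dev
    _event("2024-03-01T10:00:10.000000Z", "system:serviceaccount:kube-system:cert-manager",
           "list", "secrets", "kube-system", 200, ip="10.0.0.2"),                    # expected reader
    _event("2024-03-01T10:20:00.000000Z", "alice@example.com", "get", "pods", "prod", 403, ip="10.0.2.7"),
    _event("2024-03-01T10:40:00.000000Z", "alice@example.com", "delete", "deployments", "prod", 403, ip="10.0.2.7"),
]) + "\n"


def parse_audit_log(text):
    """Keep completed requests only; RequestReceived entries have no response status yet."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("kind") == "Event" and ev.get("stage") == "ResponseComplete":
            events.append(ev)
    return events


def _ts(ev):
    return datetime.strptime(ev["stageTimestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")


def _describe(ev):
    ref = ev.get("objectRef") or {}
    return f"{ev['verb']} {ref.get('resource', '?')} in {ref.get('namespace', '<cluster>')}"


def repeated_denials(events, threshold=DENIAL_THRESHOLD, window=DENIAL_WINDOW):
    """Principals with at least `threshold` Forbidden responses inside one sliding window."""
    denied = defaultdict(list)
    for ev in events:
        if ev.get("responseStatus", {}).get("code") == 403:
            denied[ev["user"]["username"]].append(ev)
    findings = {}
    for user, evs in denied.items():
        evs.sort(key=_ts)
        for i in range(len(evs)):
            in_window = [e for e in evs[i:] if _ts(e) - _ts(evs[i]) <= window]
            if len(in_window) >= threshold:
                findings[user] = sorted({_describe(e) for e in in_window})
                break
    return findings


def secret_reads_by_service_accounts(events, allowlist=ALLOWED_SECRET_READERS):
    """Successful secret reads by pod identities that are not expected to read secrets."""
    hits = []
    for ev in events:
        user, ref = ev["user"]["username"], ev.get("objectRef") or {}
        if (user.startswith("system:serviceaccount:") and user not in allowlist
                and ref.get("resource") == "secrets" and ev["verb"] in ("get", "list", "watch")
                and ev.get("responseStatus", {}).get("code", 0) < 300):
            hits.append((user, ev["verb"], ref.get("namespace", "<cluster>"), ev["sourceIPs"][0]))
    return hits


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for user, calls in repeated_denials(evs).items():
        print(f"repeated denials for {user}: {calls}")
    for hit in secret_reads_by_service_accounts(evs):
        print("service account read secrets:", hit)
```

On the constructed sample the web pod's service account is reported twice: once for three denials in nine seconds, and once because the same identity then succeeds in listing secrets in a namespace with looser RBAC. The human user with two denials twenty minutes apart stays below the threshold, which is the kind of tuning a real deployment has to do against its own baseline.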
These problems are exacerbated by the fact that security and DevOps teams don’t always have the most collaborative relationship. Something that seems like an obvious vulnerability to the security team might not stand out to a developer at all. On the other hand, security professionals don’t have the same hands-on relationship with Kubernetes that DevOps employees do, limiting their perspective. If security and DevOps teams aren’t communicating, that disconnect can create vulnerabilities for attackers to exploit.
Taking Steps Toward Better Kubernetes Security
The good news for today’s organizations is that there are a number of steps they can take to secure their Kubernetes environments more effectively. It starts with improving their level of Kubernetes literacy and awareness and engaging in regular training sessions with relevant groups of employees to keep them updated about the latest attack vectors and threats facing Kubernetes. The need for education and training also extends to management and leadership teams, and it is important to keep them aware of new and emerging security solutions and how they might benefit the organization.
Of course, training isn't enough on its own. Organizations need to implement a multi-layered approach to security, including network segmentation between workloads, role-based access controls scoped to the least privilege each workload actually needs, hardened pod security settings, and runtime security measures that ensure attackers cannot move freely throughout Kubernetes environments. It's also important to have monitoring capable of identifying suspicious or unusual behavior patterns that may indicate the presence of an attacker. Organizations can best protect their Kubernetes environments by investing in solutions that allow them to detect and respond to attack activity quickly while also limiting the damage an attacker can cause with a successful breach.
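The misconfigurations the earlier attack chain relies on (a foothold pod with an auto-mounted service account token, a privileged container, a host-path mount, an over-broad role bound cluster-wide, no network segmentation) are all visible in the objects a cluster already exposes, so they can be checked continuously rather than discovered by an attacker. The script below is an added example written for this article, not code from the original page or from Cymulate. It audits objects in the shape `kubectl get <kind> -o json` returns, showing a weak pod beside its hardened form and an over-broad ClusterRole beside a least-privilege Role; the names, namespaces, images and the weak-versus-hardened pairing are constructed assumptions for the example.

```python
"""Check Kubernetes objects for the misconfigurations an attacker with a pod
foothold hunts for, and for the layered controls described above.

Added example for this article, not code from the original page or from Cymulate.
The objects below are constructed by hand in the shape `kubectl get <kind> -o json`
returns; names, namespaces and the weak versus hardened pairing are assumptions.
"""

RISKY_SECRET_VERBS = {"get", "list", "watch"}


def audit_pod(pod):
    """Findings for one Pod; each one widens what a compromised container can reach."""
    findings = []
    spec, name = pod["spec"], pod["metadata"]["name"]
    if spec.get("automountServiceAccountToken", True):   # the API default is True
        findings.append(f"{name}: service account token auto-mounted (API foothold)")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"{name}: hostPath mount of {vol['hostPath']['path']}")
    for c in spec.get("containers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}/{c['name']}: privileged container")
        if not sc.get("runAsNonRoot"):
            findings.append(f"{name}/{c['name']}: may run as root")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}/{c['name']}: Linux capabilities not dropped")
    return findings


def audit_rbac(roles, bindings):
    """Service accounts bound to rules that read secrets or use wildcards."""
    by_ref = {(r["kind"], r["metadata"]["name"]): r for r in roles}
    findings = []
    for b in bindings:
        sas = [s for s in b.get("subjects", []) if s["kind"] == "ServiceAccount"]
        role = by_ref.get((b["roleRef"]["kind"], b["roleRef"]["name"]))
        if not sas or role is None:
            continue
        who = ", ".join(f"{s['namespace']}:{s['name']}" for s in sas)
        scope = "cluster-wide" if b["kind"] == "ClusterRoleBinding" else b["metadata"]["namespace"]
        for rule in role.get("rules", []):
            verbs, resources = set(rule.get("verbs", [])), set(rule.get("resources", []))
            if "*" in verbs or "*" in resources:
                findings.append(f"{who}: wildcard rule via {role['metadata']['name']} ({scope})")
            elif "secrets" in resources and verbs & RISKY_SECRET_VERBS:
                findings.append(f"{who}: can read secrets via {role['metadata']['name']} ({scope})")
    return findings


def has_default_deny_ingress(namespace, policies):
    """True if a NetworkPolicy in the namespace selects every pod and allows no ingress."""
    return any(p["metadata"]["namespace"] == namespace
               and p["spec"].get("podSelector", {}) == {}
               and "Ingress" in p["spec"].get("policyTypes", [])
               and not p["spec"].get("ingress")
               for p in policies)


# Constructed objects (assumed names): a weak pod beside its hardened form.
WEAK_POD = {"kind": "Pod", "metadata": {"name": "web-weak", "namespace": "prod"},
            "spec": {"serviceAccountName": "web",
                     "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
                     "containers": [{"name": "web", "image": "registry.example/web:1.2",
                                     "securityContext": {"privileged": True}}]}}
HARDENED_POD = {"kind": "Pod", "metadata": {"name": "web-hardened", "namespace": "prod"},
                "spec": {"serviceAccountName": "web", "automountServiceAccountToken": False,
                         "containers": [{"name": "web", "image": "registry.example/web:1.2",
                                         "securityContext": {"runAsNonRoot": True,
                                                             "readOnlyRootFilesystem": True,
                                                             "allowPrivilegeEscalation": False,
                                                             "capabilities": {"drop": ["ALL"]}}}]}}
ROLES = [  # an over-broad ClusterRole beside a least-privilege, namespaced Role
    {"kind": "ClusterRole", "metadata": {"name": "web-broad"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "Role", "metadata": {"name": "web-narrow", "namespace": "prod"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"],
                "resourceNames": ["web-config"], "verbs": ["get"]}]}]
BINDINGS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "web-broad"},
     "roleRef": {"kind": "ClusterRole", "name": "web-broad"},
     "subjects": [{"kind": "ServiceAccount", "name": "web", "namespace": "prod"}]},
    {"kind": "RoleBinding", "metadata": {"name": "web-narrow", "namespace": "prod"},
     "roleRef": {"kind": "Role", "name": "web-narrow"},
     "subjects": [{"kind": "ServiceAccount", "name": "web", "namespace": "prod"}]}]
POLICIES = [{"kind": "NetworkPolicy", "metadata": {"name": "default-deny", "namespace": "prod"},
             "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}}]


def audit_all(pods, roles, bindings, policies, namespace):
    """Run every check and return one list of findings for the namespace."""
    findings = [f for pod in pods for f in audit_pod(pod)]
    findings += audit_rbac(roles, bindings)
    if not has_default_deny_ingress(namespace, policies):
        findings.append(f"{namespace}: no default-deny ingress NetworkPolicy")
    return findings


if __name__ == "__main__":
    for finding in audit_all([WEAK_POD, HARDENED_POD], ROLES, BINDINGS, POLICIES, "prod"):
        print(finding)
```

The hardened pod produces no findings and the namespaced Role produces none either; the only RBAC finding is the ClusterRoleBinding that lets the web pod's identity read secrets in every namespace, which is exactly what turns a web-server foothold into a credential theft. Feeding the script the `items` array from `kubectl get pods,roles,rolebindings,clusterroles,clusterrolebindings,networkpolicies -A -o json` in a pipeline turns this into the continuous check the section calls for.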
Organizations also need to engage in both regular audits and ongoing testing of their security capabilities. Periodic audits and red team exercises can help security teams identify potential security blind spots—something particularly important in Kubernetes environments, which are subject to constant change and frequent code updates. In addition to regular audits, organizations should also be engaging in breach and attack simulation (BAS) practices, simulating threat activity on a continuous basis and observing the results. BAS can help organizations determine whether their Kubernetes security solutions are functioning effectively in real time, allowing them to allocate resources more effectively and identify areas in need of improvement.
Finally, and perhaps most importantly, fostering better communication is critical. This is often the hardest solution to implement, but it is the one that pays the greatest dividends. Continuous testing can actually play an important role in improving that communication by giving developers and security teams a shared lens through which to evaluate risk. Validating the risks the organization actually faces, rather than just measuring against common threats and vulnerabilities, lets all parties adopt a unified risk framework and share valuable insights and best practices. Improving interpersonal relationships may not be as easy as installing a patch or implementing a new security solution. Still, it is the most surefire way to build a more effective Kubernetes security program.
Limiting Kubernetes Risk
As more and more organizations turn to Kubernetes for their development needs, it’s important to have a thorough understanding of how to protect Kubernetes environments in the cloud. The visibility gaps that exist in today’s Kubernetes cloud deployments leave organizations dangerously vulnerable to an attack, and addressing the problem will require not just the deployment of advanced security solutions, but regular testing to ensure they are functioning as intended. Kubernetes is a dynamic platform that has improved both the flexibility and scalability of application development, but organizations that fail to put appropriate protections in place risk becoming the next big victim of a costly breach.