Software teams are rapidly adopting microservices, containers and container management to promote innovation and boost digital transformation. With any newly adopted technology come questions about data and overall security.
Accelerated Strategies Group conducted research into the security of data within containers, specifically Kubernetes. ASG Analyst Charles Kolodgy, lead analyst on this research, joins ASG CEO Mitch Ashley and Zettaset CEO Tim Reilly to dig into the results of this research and relate it to today’s implementations using Kubernetes.
This research was commissioned by Zettaset. The full analyst report is available here.
Transcript
Mitch Ashley: And we will begin on three, two, one. I have the pleasure of being joined by a couple of great, great folks that I love talking with on this topic. First is Tim Reilly, who is CEO with Zettaset, and I’ll have you guys introduce yourselves in just a minute. Second is Charles Kolodgy, who I know from way back when he was an analyst with IDC, and I used to brief him when he was working with Accelerated Strategies Group. Welcome, guys. Good to have you both on.
Charles Kolodgy: Well, thank you.
Ashley: Let’s start with you, Tim. Would you just give us a brief introduction, tell us a little bit about yourself, and tell us a little bit about Zettaset?
Tim Reilly: Sure. This is Tim Reilly, CEO of Zettaset. We do encryption software-only encryption. We’re based in the Bay area. Been around a few years. My personal background is I’ve been in tech for now most of my career – 20 years; whether it’s appliance, networking, telco, hardware, wireless, networking, software, and finally security in the last three years. So I feel like I got a pretty good understanding of the world and how security fits in it. _____.
[Crosstalk]
Ashley: It’s kind of the requirement. You need to check a lot of those boxes these days.
Reilly: [Laughs] Yeah. You do.
Ashley: To understand the whole scope of things. So fantastic background. And Charles, how about yourself? Introduce yourself and tell us about the kind of research that you do.
Kolodgy: Thank you, Mitch. And so, as Mitch mentioned, I’ve been an analyst for many years with analyst firms. And I’m now working with Accelerated Strategies. So I cover almost all the security markets; what the trends are, where they’re going, what is hot, or in some cases we gotta tell vendors that they’re not in a hot space anymore, and how to transition or make sure that they capture the share of the revenue they deserve. And I’ve been in the security space for 30-plus years. Started at the National Security Agency, so I like to say I’m one of the few analysts that speak crypto. So working with Zettaset and Tim and this area is what I really enjoy doing and getting involved in.
Reilly: Well, Charles, I’m really glad you didn’t have to break any bad news to me. So thank you for that. [Laughs]
Kolodgy: [Laughs] No. You’re in one of those moving yet areas, not ones that you have to capture share to continue moving, continue surviving.
Ashley: Yep. Exactly. Well, that’s – it’s great you positioned it that way, too, Charles and Tim, because we have been working together as Zettaset commissioned Accelerated Strategies Group to do some research around coordinating some containers primarily around data protection, data security of data within Kubernetes and containers.
There’s a lot of, of course, you can’t pick up any IT journal, blog, whatever, without reading something about containers. You know, it’s all the rage. It’s been in all the papers, as they say. But, you know, with like any new technology, we often apply what we know to it. And sometimes that’s a good approach. And sometimes you’ve got to evolve or significantly evolve your approach when it comes to security.
So let’s first start by – and we’ve launched this report. It’s called Kubernetes Data Protection Report. It’s available on Accelerated Strategies Group site. I’ll share the URL with you in just a moment. Charles was the lead analyst on this work. Charles, tell us a little bit about what the research was about. What were we trying to learn with this research?
Kolodgy: There was kind of three things we were trying to get a handle on. In the first, of course, is trying to figure out is Kubernetes being used in production? Is it moving forward? Or is it kind of being held back and potentially being held back by security? So that was the first question.
Second one is how do they feel about Kubernetes security, especially with their deployments and where they think they are going? Are they comfortable? Do they want something else? And then that last part was, yeah, what do they see? So even forward-looking to get an idea of what they need to do to improve the situation. So those are kind of the three things that we were looking at. Is it being used? Is it being used in production? What is their overall feeling about security? And what needs to be done to move forward?
And as you mentioned, the focus was on data security as much as the overall aspect of security. Because, as you know, there’s many aspects. And for this area because of data movement and other things, we really were curious about what is their data protection plan?
Ashley: And we were talking about data in many forms, right? It can be data within the containers. Could be databases within containers. Kind of full encapsulation of data sources – not just data within the app, as well. Tim, I know this is center in the space of where you are in. Tell us a little bit about Zettaset and your whole strategy around data protection, data security. That’s kind of a big question for this short conversation.
Reilly: Yeah.
Ashley: But if you can.
Reilly: Well, I think if you just take the world and say there’s the legacy, and there’s this new dev ops. Well, I think it’s one is the evolution out of all the deficiencies, and how to make a better cost efficiencies out of an IT infrastructure that’s existing. Or why build out if you can leverage what you have more? And I think that was the theme of VMs 20 years ago. And this is just another evolution of that. It’s containers and orchestration with Kubernetes. And in all cases data needs to be protected.
So we at Zettaset believe that we can give you encryption and give you that last line of defense that complements access controls, run time audit monitoring, we give you a full comprehensive. So just know that, yeah, encryption isn’t the end-all, be-all. But it is definitely one of the main legs of the data protection stool. So we’ll focus on that one. But don’t think I’m just centered on that. I understand the full security solution.
So for adoption and encryption we feel, how do we get people to move and protect data with encryption? And the big things are we’ll make it flexible, make it easy to use, and I think the biggest one is performance. If you see a lot of, I think it’s even in one of the stats that we have in the survey that performance is one of the bigger issues with implementing encryption.
Take that off the table, and we at Zettaset say if we can make encryption so simple, it’s transparent, you don’t even know it’s there, why not do it everywhere? Why stop in one section of data and not do it in the other? I think the iPhone is a great example of that. It’s encrypted. Everybody knows it only because it’s in the headlines. But it’s always been there, and it’s behind the scenes. We kind of use Zettaset as being a pervasive encryption behind the scenes, whether it’s legacy or this dev ops global communities.
Ashley: Excellent. Now, Charles, we pretty clearly answered, I think, really clearly answered the question. Of course, people are using Kubernetes in production. But they had concerns around, you know. Some felt they were secure, and some weren’t quite as comfortable with how secure they felt. What were some of the data around that?
Kolodgy: Yeah. So that was interesting in terms of we just asked them pretty much just as you said, brought up. You know, how do they feel the security is being effective? And we were looking at a lot of data protection, as you say. But almost 50 percent felt that they were comfortable, to a certain extent, with their security as they were moving forward. So that was kind of – you know, as an analyst, you kind of want to dig in deeper and say, “Okay. If that’s the case, then some of these other answers should be a lot different than they were.”
And the interesting aspect of this was that, yeah, half felt that they were doing okay, and half really had some concerns. But then when you asked them overall what is the vulnerable attack surfaces for Kubernetes deployments? And you kind of get a different feel, a different perspective. Right? So if things were going good, you wouldn’t expect that, as it turned out almost half of the respondents said that we had six or five different attack surfaces as potential areas of concern. And nearly half of the people said that all of the attack surfaces were of concern.
Ashley: Mm-hmm.
Kolodgy: So, I kind of start thinking, “Wow. Half the people think the security is working okay, but then you’ve got half the people think that there’s multiple attack surfaces that are vulnerable.” So either all of those people have those same thoughts, or people have more concern about their security than they want to let on. And I think that happens with security in a lot of areas, right? Where if you just asked the question of are you secure? And they’re going to say, “Yeah. Yeah.” You know? Because one, they maybe don’t want to think that they’re not. But two, there’s nothing bad has happened yet.
Reilly: Yes.
Kolodgy: But then when you start digging into it, it’s like oh. And you kind of ask some questions. And it’s like, oh. Well, now that you mention it –
Reilly: Yeah.
Kolodgy: Maybe, you know, because there’s vulnerabilities in the core platform, or the containers have vulnerabilities, or there’s access control issues, as you mentioned, or network management issues. You know? That maybe things aren’t as –
Ashley: And in a way, just to draw an analogy, if your surgeon said, “Well, 50 percent of the time our surgeries are successful. But I don’t know about the other half.”
Reilly: Yeah. [Laughs]
Ashley: You know? That might be a little concerning to you. And I’m not trying to be _____.
[Crosstalk]
Reilly: [Unintelligible Comment]
Ashley: But you may –
Reilly: You remember when, what was it? Donald Rumsfeld went in the Persian Gulf briefings with his famous line was “We don’t know what we don’t know.”
Ashley: Right. Unknown unknowns, right? [Laughs]
Reilly: This is exactly what we have here. I think there’s an educational issue where maybe people just say, “Well, my security was working for me in the traditional. So it’ll, same thing. We’ll just translate it over to this new world, and it’s fine.” And to me, that, we still have a legacy business that’s pretty substantial in this. I’ll give you one example: health care. We put that, and they say, “Oh, yeah. You’re right. We could get hacked there. And we have no one, no encryption around it.”
So, whether it’s old or new, you have it. I would look. I think there’s history to look at here. Did VMs get rolled out and there was security issues? Did they not even think of them, but slowly but surely, they were hacked. There were breaches. There were all of these things. And I think we need to pay attention to that, and point to it, and say, “Look. This happened already. Learn from it.” Because we’re now in a new world order where it’s even more dispersed and you’re getting it – if you had five VMs on one server, now think about 1,000 containers across an entire network and environment. I mean the multiplicity of potential like we just said, for attack vectors is massive. So we don’t know what we don’t know.
And I think these folks need to be a little bit more educated on security and say, “Oh, I get it.” So it’s a two-parter. Did you have a complete security solution, for one? And two, do you understand Kubernetes and how the two fit together? And is this in your mind stopping you from going to the next step? And I think there’s a bunch of nervous people out there that don’t even know potential exposures they have.
Ashley: Mm-hmm.
Reilly: I can see it coming. And I don’t say that just because I’m in the industry hoping to excel with my revenue. I just see that there will be an issue with Kubernetes and containers getting hacked, bad actor gets in, they mine all the data, and before you know it there’s two petabytes of somebody’s personal data and some enterprise is out there for the world to see. That will happen. If it happens next year or the year after, it’s going to be there.
Kolodgy: Yeah. You make some great points there, Tim. And primarily, as you mentioned, the one is like when VMs came out, the attackers didn’t – the attackers just can’t show up and start attacking it, right? They need to play with it, and kick the tires, and find those vulnerabilities, and find those processes. And then so when you first roll out things, “Oh, looks pretty good.” [Laughs] There’s no sharks here right now, right? The water’s clear.
Reilly: Mm-hmm.
Kolodgy: And then they figure out where to go. And the interesting in the survey, it’s not so much a technology issue – and I think you kind of alluded to this – about 60 percent said that what they need, the greatest factor, the greatest improvement, is better policies, better procedures. And I think that’s where they’re beginning to start thinking about, “Wow. I now need to do something different, because I am doing something different.” Right? So, that was another really interesting part for me is that the level of people needing more education and more policies and procedures to help improve their security. So they’re not looking at just this technology, but at that level.
Reilly: Yeah. I think there’s some great opportunities in there for the global services practice to help bundle and give that education. Because I don’t think we’re going to turn away from the benefits of containers or Kubernetes. If I can use the Hadoop as the analogy, Hadoop had all the rave in the world, big data, unstructured data. Did it really come to pass? No. Are we in a hype cycle with Kubernetes? I don’t think so. I think this is the next evolution of IT infrastructure. It’s not going away.
And if you take that point of view, you’ve got to make sure you’ve got a comprehensive package to give them. And look at all the new startups that you’ve got into container encryption. Everyone sees the exposure that’s there, and we’re riding that wave with it. But our wave is easier to translate. It means like, “Hey, look. You need to get it back in the old way. We’ve got it over here for you. We’ll work together.” I did notice that with the cloud, I think a lot of folks will continue to rely on that because they don’t have the experts in this. It makes all the sense in the world. Hey, leverage a cloud provider. Leverage their Kubernetes distribution. And that’s good.
The other half, they’re either maybe savvy enough or kicking the tires and saying, “Hey, I’ll be DIY with Kubernetes, or maybe I’ll do Red Hat OpenShift or VMware Tanzu, since they’ve got an enterprise version that has a foot on-prem and a foot in the cloud.” So you kind of have a – I think, I look at it like you have a three-parter. One, somebody’s just on-prem, somebody’s hybrid, and somebody’s in the cloud. And I don’t know if it’s a third, a third, a third, to be honest. I mean, within that third totally cloud, there could be more people who are hybrid that do both. Whatever you want to take from that is it’s dispersed how people are going to deploy Kubernetes. And –
Ashley: Uh-huh. There was also really good data showing there’s multiple providers of that Kubernetes distribution.
Reilly: Yes.
Ashley: So even within one organization, you might try to standardize on something. But more than likely, you’re going, in the VM world, VMware world, you’ll use one thing, you know, whatever it might be. There you’re going to be looking at multiple stacks that you’re trying to secure, as well as the application architecture. So complexity has gone way, way, way up. And I think that’s part of what’s concerning security people.
Reilly: So there’s something you just made me think of on the environments or using what – the data that’s in a Kubernetes environment can be in multiple things. Like Mitch, you said it could be the actual database where the data is containerized. In the cloud, that’s more container managed storage, as it’s called. Then there’s the cloud-managed storage, where it might be in some shared storage, like a vSAN, vSphere volume, or you can look at block storage, or you can look at Ceph, which is Red Hat.
Well, all of those guys – and I like this comparison because it does a really good one – you have the beach. Call those self-encrypting drives. You have a garbage can. Call that like a vSAN, vSpheres encryption protection. And then you have a bucket. And then after that’s I think where we have more play in the partition volume. And then the very biggest one is grains of sand. So the Goldilocks principle is where do you put security without impacting performance and the efficiencies that Kubernetes brings us?
We’ve done all the analysis on that, and my team has been around encryption for 20-plus years, and they said, “The bucket, because it gives you enough to protect without killing you.” Because imagine a key for every grain of sand. That’s the performance would be destroyed. And that was the top, what, concern or to with the issues of security and encryption. And that’s how you solve that.
And if you’re able to do it, and I saw the other one was more integration with the platform in causing problems if you can integrate, I think you’ve solved the two major hurdles. And if it is truly a big issue for going to production, I think we’ve taken it off the table, and all the way back around to encrypt everything, and you do it without impacting performance and it’s transparent, do it. Deploy.
Ashley: Mm-hmm.
Reilly: So, I think it’s properly positioned for encryption to take a greater role as this data gets more dispersed. And I think we have an opportunity to really protect all of that wherever it goes.
Ashley: That’s interesting, too. There was some really good data that showed that naturally folks rely on what they know, right, using traditional data encryption tools, using role-based access control, things that we know. But also there’s a recognition of not sure that traditional data security encryption technology was sufficient, that more is needed. Maybe some thoughts you might have, Tim, about that? Because I know you talk a lot with customers about traditional tools, why do we need something new, filling out that software spec more completely.
Reilly: I think it’s a great example that’s different from what’s happened in the past. And I don’t mean to get too techy, but I will. If a developer tells a container there’s an app in it, and says, “I need access to this data,” the way the process works is Kubernetes then says, “Okay. I need a persistent volume claim for this container. So go talk to a persistent volume.” The persistent volume is just something that sucks the data that ultimately will be used by the container.
What people don’t realize is once that container is done with that, that persistent volume doesn’t go away. It sits there. It’s back to the bucket. It’s just a bucket that’s on the beach, and the kid left it there and walked away. You can have 1,000 buckets out there. So that data, still all out there. Doesn’t go away. And I don’t think people realize that. “Well, if that – well, what do you do? How do you protect it?” Well, somebody could get access to it, but yeah, sure it’s going to be easy to grab. What if it’s encrypted? They can’t do anything with it. So one way to what we call is deactivate data’s availability is if it’s encrypted, you just chuck the key. It’s gone forever. You’ll never get access to it.
That whole process is brand new. They didn’t have that in infrastructure. You didn’t create something like this that forever just floats around. That’s where Kubernetes and these persistent volumes are brand new and different, and pointing that out to people, I think a lot of people don’t realize that. The data becomes, you get the value of data. You put it up in the container that use some processing. It comes back down. It’s gold. You read, write, and it’s got all the conclusions you want. And then you throw it over there, but it just doesn’t get thrown out. It’s still hanging out there. Different world we live in now. And to be able to protect that, I think that’s the great differentiator.
Ashley: Excellent.
Kolodgy: Yep.
Ashley: Go ahead, Charles.
Kolodgy: Yeah. I was going to say. You know, the survey did show that same thing. The real issue is the tools aren’t well integrated with Kubernetes right now. Or – and/or, really, it turned out to be – the traditional databases that are going to be encrypted aren’t well integrated with the containers. And the last one is performance is going to be taking a hit if it’s not optimized for this deployment. So all of those came up as very huge issues and challenges for working with data encryption in Kubernetes.
Reilly: I’ll give you the high-level one that is simply the legacy infrastructure is bottoms-up. Okay? So we all know that containers in Kubernetes is evolved out of virtualization, and it’s floating up here. Well, are you going to use the bottoms-up to protect that? Or should you use a top-down, which is in concert to the integration that pulls the security that pulls data from the top as you need it? It’s a no-brainer if security needs to keep track or pace with everything that’s happening with infrastructure. As infrastructure continues to evolve to these greater technologies and efficiencies, security shouldn’t stay the same. It’s gotta keep pace with them and become integrated with that.
And if anything, look at legacy. If security wasn’t integrated and people learned as they went, “Oh, we need to secure this. Oh, we need to secure this.” Well, take what you learned there and say, “Oh, we gotta do something. Whatever that was here, we gotta do it with Kubernetes.” And I think this is the opportunity for dev sec ops to really walk out with dev ops and get it right this time. It’s not going to be perfect. But we’ll get it better.
Ashley: One of the things, _____, that just kind of wrap up in conclusion, curious on your thoughts, Tim. You worked with Accelerated Strategies. You commissioned us to do this report. But it’s not a marketing piece. It’s a completely independent research. What were some of the things you found most valuable for, or interesting, or maybe didn’t expect from the research done kind of outside of your group? Sometimes we live in our own bubbles, right, of our own organizations. And I call it breathing our own exhaust. I do that, I know. [Laughs] So, I’m just curious what you found most compelling about this.
Reilly: I was actually very excited to see a third of the folks putting the multiple applications in production. I think I thought it was earlier in that is. And that tells you right there that this isn’t going away. This is getting, this is just, this turbine is gaining speed. It’s coming more. Because I think we’ve all been there where we’re like, “Hey, it’s great. It’s great.” You know, the hype is there. I think we’re there. And I think you’re going to see this really start to pass another barrier as we go onto 2021, because in a remote world of we unfortunately live in may at some point still look like that for a while. And going forward, there’s still going to be, I think, more remote. And I think we would all agree with that.
Ashley: Mm-hmm.
Reilly: So if you’ve got that, Kubernetes containers will live in that world. And I think you’re really going to see the adoption continue. So that was the big one I took away, was that it’s not as early as I thought.
Ashley: Mm-hmm. Real interesting. Well, great. Thank you. It’s been a pleasure working with you. For our listeners, our viewers, please check it out. You can go to the Accelerated Strategies site. It’s ACCELST.com. There’s a What’s New section. Scroll down a few, just a little bit and you’ll see the report right there to download it. Tim, how about to find out more about Zettaset?
Reilly: You can go to Zettaset.com. It’s like it sounds, Z-E-T-T-A-S-E-T.com. And we have a wealth of information about dev ops and legacy that really give you a good education and show you everything we’ve got around encryption. I just like to say both of you: Mitch, Charles, thank you. AST has been great to work with, been very insightful. Thank you very much.
Ashley: It’s been a pleasure. Really appreciate the opportunity. And I’m going to point, I’ll include a link, point folks to a recent webinar that we just did about a week or so ago talking about this subject, kind of pre the report being released, where we had a chance to explore some of these topics and thoughts more. So please check that out on in an on-demand way where you can – I think it’s well worth it. We had really good attendance and great questions. So, well, gentlemen. It’s been a lot of fun talking with this. And who knew encryption could be so fun? [Laughs]
Reilly: [Laughs]
Kolodgy: It’s always fun, Mitch.
Ashley: You would say that. [Laughs] Okay. Have a great day. Thanks for joining.
Reilly: You guys take care.
Kolodgy: All right. Bye.