KubeCon 2023: Kubernetes Supply Chain Security

Techstrong Voice…: This is Techstrong TV.

Alan Shimel: Hi everyone. Welcome back. Hey, we are down to our last interview for KubeCon Chicago. This has been one of the better KubeCons we’ve done over the years. I think this is the seventh or eighth KubeCon we’ve done.

Step 1 of 7

14%

Which of the following best describes how you currently monitor and manage systems across your hybrid cloud environment?(Required)

Multiple separate tools for different environments

Multiple separate tools for different monitoring and management functions

Single consolidated dashboard

Custom built monitoring and management solution

No full monitoring and management solution

Don’t know

How valuable would it be for your monitoring and management solution to incorporate predictive analytics to help you identify and address system issues that are critical and not waste time or effort working through all the data and “noise” that is not critical?(Required)

Extremely valuable

Moderately valuable

Somewhat valuable

Slightly valuable

Not valuable

How do you most typically address potential system issues BEFORE they impact your operations?(Required)

Automated workflows and playbooks to remediate potential issues as soon as they are detected

An orchestrated response process that leverages automation, AI, and human expertise to rapidly respond to potential issues

Advanced monitoring tools such as predictive analytics and anomaly detection to proactively identify and address potential issues

Respond to issues as they arise, using manual processes and troubleshooting techniques

A combination of automated remediation, orchestrated response, and/or proactive monitoring to address potential system issues

Don’t know

Other

What methods does your organization use to control and monitor cloud/IT spending?(Required)

Centralized procurement processes

Pre-approved budget thresholds

Automated cost monitoring tools

Department-level spending controls

Regular cost audits and reviews

Cloud cost optimization platform

Approval workflows for resource provisioning

Native financial operations tools provided by the cloud provider

No formal controls in place

Don’t know

Other

Please specify:

Which methods do you rely on most to detect security vulnerabilities in your systems?(Required)

Automated scanning tools

Manual assessments

Vendor notifications

Threat modeling (for early detection)

None of these

Don’t know

Other

Please specify:

What are the TWO most common ways you prioritize vulnerabilities to address within your environment?(Required)

Based on potential impact

Based on exploitability

Regulatory compliance requirements

Based on CVSS scores

Risk-based analysis of multiple factors

First-in-first-out approach

No formal prioritization process

Don’t know

How do you typically handle system updates and security patches?(Required)

Automated updates and patches

Manually review and apply updates and patches on a regular schedule

A combination of automation and manual review

Apply updates and patches on an as-needed basis.

Outsourced update and patch management

No defined process

Don’t know

Other

Δ

Abhinav Mishra: Wow.

Alan Shimel: But this one has really been a great one. I think we are finally past Covid. We’re finally into people coming to events, and it’s been a great event. I think for me, one of the things has been the continued maturation and evolution of the open source market and of the cloud native ecosystem.

Abhinav Mishra: Absolutely.

Alan Shimel: It really is real now. And my next guest is Abhinav Mishra. Did I get it right?

Abhinav Mishra: That’s right, yeah.

Alan Shimel: And he’s from Uptycs. Now Upticks is a company you’ve seen on TechStrong TV, and all around our sites. We cover them a bunch, but we’re going… If you haven’t heard of them, it’s okay. We’re going to tell you a little bit about them. But before we get into Uptycs, Abhinav, what do you do at Uptycs?

Abhinav Mishra: Yeah, so thanks for the opportunity. I’m a director of product at Upticks and I lead their containers and Kubernetes security offering.

Alan Shimel: Perfect. And I guess that takes us into Uptycs, right?

Abhinav Mishra: Yeah.

Alan Shimel: What do you do?

Abhinav Mishra: Yeah, so we’re a unified cloud and endpoint security platform. We believe that in order to have unified security, you can’t just look inside the cluster or inside a virtual machine. You have to look at all the attack surfaces. You have to look at the entire supply chain, starting from the developer laptop, to your code and build systems and all the way to the cloud.

So we have a unified security solution. We do everything from compliance to vulnerabilities. And because of our eBPF sensor, we can do real runtime detections and correlate back to those to misconfigurations in your cloud assets.

Alan Shimel: That’s really nice. It’s a lot of noise going on. I guess that’s what happens at the end of the day here.

Abhinav Mishra: Yeah, everybody’s kind of… Yeah. Final hurrah.

Alan Shimel: Everybody’s letting off a little steam. So you guys, I happen to notice your booth on the way in. A big booth out here. A lot of announcements around Uptycs. Share with our audience, because not here.

Abhinav Mishra: Yeah, absolutely. So the first announcement is around a Kubernetes supply chain security. We see customers having to tackle issues in terms of protect… You saw the SolarWinds attack that happened. There’s other attacks like Okta. And so we’re recognizing that there are other parts, not just looking at a Kubernetes like a EKS cluster, but other key components as part of your software development lifecycle, whether it’s your repositories, your Jenkins build systems, your container registries. And what customers want to do is integrate those security elements, not just in terms of the image builds, but independent. CIS has some supply chain benchmarks. For example, your GitHub is not a multifactor authenticated enabled. That’s a problem. And we need to take those security measures or security postures and integrate it as part of the overall security checks.

So what we have is we’ve announced a Kubernetes supply chain security where you can integrate the security posture of those supply chain components as part of your overall software development lifecycle. You can create policies where you can say, “Hey, the [inaudible 00:03:34] curl vulnerability plus the supply chain security. Integrate those as part of my image security and either audit those or fail the image build.” So don’t allow them to get to runtime. And what this really allows for is proactive remediations. And of course easing this tension between development teams and security teams where they can agree on remediation guidelines and prioritize what is most critical, whether it’s the supply chain security or critical vulnerabilities or malware. Let’s agree on what those remediation guidelines are and come with policies that enable developer velocity, but with guard rails.

Second big announcement we’re doing is around, it’s a more of an ecosystem play. There’s a framework called Kubernetes Goat, like the animal goat.

Alan Shimel: Sure. That’s-

Abhinav Mishra: It’s actually catching some of the most critical container detections… and threats such as container breakouts and RBAC misconfigurations. And so because of our eBPF telemetry and the forensics we can do, we not only detect those in real time. We can map them back to misconfigurations such as access control risks, network security risks, and we can apply different forensics. So if there’s an attacker that’s hiding behind a process that looks benign, it’s called [inaudible 00:04:45], or it’s called Uptycs, but it’s actually like a doing a port scan. We can use YARA rule scanning to catch that signature of the process. This is what really… It makes Uptycs unique because of those runtime security protections and where customers see a lot of the value.

Alan Shimel: But the Kubernetes go is a community effort.

Abhinav Mishra: It’s a community effort.

Alan Shimel: I want to make clear everyone knew.

Abhinav Mishra: Yeah, exactly. Yeah. Thanks for the clarification. Community effort. And one of our threat researchers actually helped build those. We’re taking that valuable input from the community and making sure we could productize it, but then also add value on top. And I think we’re seeing so many customers really seeing the benefits of that, and you don’t know what you don’t know. So we have to provide and seed that information and so they can start to leverage it.

And the last big announcement we’re doing is around Kubernetes network security. So you’re probably seeing a lot around Isovalent and Cilium and network policies, because what they’re doing is fantastic. And what we want to add value on top is a lot of the times the network policies are misconfigured because it’s [inaudible 00:05:51], right? You’re writing these files, you’re checking them in, you’re using GitOps to push them to your cluster. What we want to do is mark which network policies are insecure and are leading the internet exposure and show them on a graph so we can say, “These specific pods or these specific namespace have internet exposure or have critical vulnerabilities.” And that has basically allowing for better security and staying on top of your internet exposure risks. And so we see a lot of value with that solution. And as we go down, we’re going to tackle things like multi-tenancy, namespace isolation, using those Cilium network policies.

Alan Shimel: Love it. Good stuff.

Abhinav Mishra: Yeah.

Alan Shimel: What else?

Abhinav Mishra: What else? I mean, I think we’re actually doing a webinar next week on KubeCon in terms of the trends and connecting that back to security aspects. And it’s been a fascinating KubeCon. At Amsterdam… I was at another company back at the time, we were looking at platform engineering. And now being in Uptycs, I’m starting to see platform engineering and security actually come together where with platforms, they’re basically providing the golden templates methodology on how to do things. And I think security becomes a natural part of the process where we’re not just looking at data, but we’re trying to really operationalize and create a developer self-service workflow around security. And you see other companies like Chainguard where they’re saying, “Hey, security on day zero. Don’t even look at CDEs. Look at using secure container images.” And for us, it’s the same way. When we’re building our platform, we’re really not just looking at the data, but how to make those workflows very simple from a DevSecOps point of view. And that’s really exciting for us.

Alan Shimel: So I have 25 years in security, but I’ve been doing KubeCons for a long time. I noticed it in Amsterdam, a definite shift from a very developer focus to a ops focus and a security focus. Now platform engineering, everybody was buzzing on platform engineering. In my mind, we call it now platform engineering, but what it is, we’ve been doing a long time.

Abhinav Mishra: Exactly.

Alan Shimel: But security needs to be built. I don’t care whether we’re at the developer or the platform engineer or the Ops or the Dev set or the DevOps or the SRE. Security is embedded across that.

Abhinav Mishra: Exactly.

Alan Shimel: Now, those of us in the security space, we’ve been preaching that for years. We are just terrible at it. But I think we’re starting to see it. We saw it in Amsterdam, and we’re definitely seeing it here in Chicago. Security is a big part of cloud native.

Abhinav Mishra: Yep, absolutely.

Alan Shimel: Whether we’re talking about the app, the data, the infrastructure, it’s got to be secure.

Abhinav Mishra: Yep. Absolutely.

Alan Shimel: It’s got to be in there.

Abhinav Mishra: It’s part of your fabric. And I think it’s one of those things where we’ve talked about it for a long time and we have a lot of data, but if you can make it operational, I think that’s where, and with the cloud native-

Alan Shimel: It’s got to be prioritized to do it.

Abhinav Mishra: Exactly.

Alan Shimel: That’s always been the problem is everyone talks, “It’s a priority.” But it’s not. Now we do an RSA conference with security every year for the last eight or nine years. We put on the DevSecOps event with the RSA folks on Monday of RSA week at the Moscone Center. Last year our theme was “DevOps is DevSecOps- “

Abhinav Mishra: Yeah, agreed.

Alan Shimel: … “And DevSecOps is DevOps.” I think it’s the same thing for cloud native. Security is cloud native. You can’t have cloud native without it.

Abhinav Mishra: Absolutely. Yeah. Concepts like automation, for example, or GitOps principle. They have to have security enabled by default. And so it doesn’t become an afterthought. It becomes whatever code you’re building, whatever infrastructure as code you’re building to… Security is naturally built into that process. And so I think the industry… Of course, you still have your CDEs, you’ll always have those kinds of concepts, but I think where customers are starting to think about it is, “How do I just build this as part of my process?” So it’s not an afterthought. It’s not something that I’m having to think about from a secondary point of view. It’s just, it’s what we do. And-

Alan Shimel: That’s a key piece of it right there.

Abhinav Mishra: Yeah.

Alan Shimel: Hey, you know what we didn’t mention for people want to get more information about Uptycs, where do they go?

Abhinav Mishra: Yeah, absolutely. So you could go to Uptycs.com.

Alan Shimel: Spell that for us,

Abhinav Mishra: U-P-T-Y-C-S. And if you go under products, you can go to our containers and Kubernetes security, or you can look at what we do for cloud security and endpoints as well. We also have our Mastering Kubernetes security ebook that we just released. It was a great thought leadership in terms of blog posts.

Alan Shimel: Very cool.

Abhinav Mishra: Yeah, so you looked at RBACs and networking and everything-

Alan Shimel: So if you went to Uptycs.com and went to Container and Kubernetes security, you’d get the ebook from there.

Abhinav Mishra: You can find it right there. Exactly. And from our blogs as well.

Alan Shimel: Okay. That’s excellent.

Abhinav Mishra: Yeah.

Alan Shimel: Thank you very much for joining us, man.

Abhinav Mishra: Thanks so much. Thank you for the opportunity.

Alan Shimel: Uptycs.com. Check them out. Hey, we’re wrapping our coverage here in Chicago. We will be… Well, our next event is actually re:Invent. I don’t know if you guys are going to be-

Abhinav Mishra: We’ll be there. We’ll have a big presence there. We’re going to talk around a lot of the cloud security, what we’re doing for risks and attack paths and supply chain as well. So be sure to visit us there.

Alan Shimel: At the re:Invent booth. We’ll be doing live video. Maybe you can step up in re:Invent.

Abhinav Mishra: Yeah, absolutely.

Alan Shimel: We’re not on the show floor there. We’re often in a suite at the Wynn, but we’ll reach out. We’ll see you at re:Invent. Until then, though, you can check us out on devops.com. Cloud Native Now, security Boulevard, Digital CXO, Techstrong.AI, or Techstrong TV. I’m back in the studio next week, but for now, that’s a wrap.