Don’t let security worries put you off Kubernetes and open source

7 Jun 2023


Red Hat’s Michael Foster on the company’s Kubernetes report and what its findings tell us about the security challenges companies face.

According to a recent study by Red Hat, organisations are having difficulty in securing containerised workloads which could, in turn, stifle innovation.

Although container orchestration platforms like Kubernetes have become widely used by many businesses in recent years, they can leave those that aren’t vigilant about security open to attacks.

As Michael Foster, senior product marketing manager at Red Hat, pointed out, supply chain attacks “are a concern” for companies using cloud-native and containerised development because “the sheer number of open-source projects and dependencies involved can take a lot of work to manage”.


Red Hat’s State of Kubernetes Security Report 2023 looked at some of the challenges facing companies relying on such platforms. The report was informed by a global survey of 600 DevOps, security and engineering professionals. Among the most notable findings was that more than two thirds (67pc) of respondents had to slow down cloud-native adoption due to security concerns. And more than half of respondents experienced a software supply chain issue related to cloud-native and containerised development in the past 12 months.

How can these problems be mitigated? Foster said that container-focused security tools can help companies, provided they know how to implement them, though he warned that “companies need to understand the scope of the problem”.

Foster listed some supply chain attacks that have made headlines in recent years, such as the SolarWinds attack in 2020 and the Docker Hub incident in 2019.

Why have these attacks become so prominent? According to Foster, “the ecosystem is becoming increasingly intertwined. Instead of targeting a single company, cybercriminals are now targeting a technology that multiple companies use in the hope that a malicious payload or a backdoor has been left open. From a hacker’s standpoint, it is simply better bang for your buck.”

Like most things cybersecurity-related, vigilance is key. But remaining vigilant is easier said than done: companies focused on digital transformation are working across a number of different attack surfaces, including source code, dependencies, image builds, deployment pipelines and runtime security, all of which “an attacker can exploit,” said Foster.


He also warned that security is sometimes downgraded or forgotten in favour of innovation. “Another challenge is the sheer competition in the marketplace. Companies are tasked with innovating and expanding rapidly, which may sometimes come at the cost of the product’s security.”

“Some of the prioritisation issues shown in our State of Kubernetes Security report may come from a lack of understanding about the shifting security landscape,” he added, before warning people not to take tech like Kubernetes for granted. “Containers represent a paradigm shift, and companies must learn to secure alongside their other advancements.”

‘Security is a constant fight’

So, what advice would Foster give to companies that are looking to secure their operations without neglecting innovation? “My advice is to bring developers into the security conversation, especially when evaluating your security tools.

“Companies that innovate with containers and then discuss security after are in for a rough time. Your security tools need to be able to keep up with the rate of development if you want to see the significant gains that containers can bring.”

And, crucially, security and operations teams need to “understand the intricacies” of Kubernetes.

“Kubernetes is a potent tool for enabling companies to scale and secure their workloads. However, the ability to misconfigure your clusters and open a backdoor is always present. Ensure you have the tools to secure the growing microservices on Kubernetes, both for the container and the environment,” said Foster.

There is always the option of outsourcing the security portion to managed service providers. But companies that want to manage everything in-house will need to establish a secure software development lifecycle, which involves regular code reviews, audits, secure build and deployment pipelines and threat intelligence.
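One concrete place a secure pipeline can catch both the misconfigurations Foster describes and the unpinned dependencies that feed supply chain attacks is a manifest check that runs before anything is deployed. The script below is an added example written for this article; it is not code from Red Hat or from the State of Kubernetes Security report. The two manifests are constructed inline as Python dicts (the image digest in the hardened one is a placeholder, not a real image), so it runs offline; in a real pipeline you would load manifests from YAML files instead.

```python
"""Static checks for Kubernetes workload manifests (added example, not Red Hat's code).

Flags containers that run privileged, can escalate privileges, may run as root,
keep all Linux capabilities, share host namespaces, mount hostPath volumes, or
pull images that are not pinned by digest (":latest" or a bare tag).
"""
import re

# A digest-pinned reference ends in @sha256:<64 hex chars>; tags are mutable, digests are not.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def pod_spec_of(manifest):
    """Return the PodSpec of a Pod, or of a template-bearing workload such as a Deployment."""
    if manifest.get("kind") == "Pod":
        return manifest.get("spec", {})
    return manifest.get("spec", {}).get("template", {}).get("spec", {})


def check_image(name, image):
    """Supply-chain check: is the image reference immutable?"""
    if DIGEST_RE.search(image):
        return []  # pinned by digest: the image that was scanned is the one that runs
    last = image.rsplit("/", 1)[-1]  # strip registry/repo path before looking for a tag
    if ":" not in last or image.endswith(":latest"):
        return [f"{name}: image '{image}' is unpinned (no tag or ':latest'); pin by digest"]
    return [f"{name}: image '{image}' is tag-pinned only; tags are mutable, prefer a digest"]


def check_container(container, pod_sc):
    """Misconfiguration checks on one container; pod-level securityContext is inherited."""
    name = container.get("name", "<unnamed>")
    sc = container.get("securityContext", {})
    findings = check_image(name, container.get("image", ""))
    if sc.get("privileged"):
        findings.append(f"{name}: privileged container (full access to host devices)")
    if sc.get("allowPrivilegeEscalation", True):
        findings.append(f"{name}: allowPrivilegeEscalation is not set to false")
    # Container-level runAsNonRoot overrides the pod-level value when present.
    if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")):
        findings.append(f"{name}: runAsNonRoot is not enforced")
    dropped = [cap.upper() for cap in sc.get("capabilities", {}).get("drop", [])]
    if "ALL" not in dropped:
        findings.append(f"{name}: does not drop all Linux capabilities")
    return findings


def audit_manifest(manifest):
    """Return a list of human-readable findings; an empty list means the manifest passed."""
    spec = pod_spec_of(manifest)
    pod_sc = spec.get("securityContext", {})
    findings = []
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append(f"pod: {flag} is true (shares the node's namespace)")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"pod: volume '{vol.get('name')}' mounts hostPath {vol['hostPath'].get('path')}")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        findings.extend(check_container(c, pod_sc))
    return findings


# Constructed sample: a Deployment as it often looks before security is considered.
RISKY = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "volumes": [{"name": "docker-sock", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{"name": "web", "image": "nginx:latest",
                        "securityContext": {"privileged": True}}],
    }}},
}

# Constructed sample: the same workload hardened. The digest is a placeholder, not a real image.
HARDENED = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{"name": "web",
                        "image": "registry.example.com/web@sha256:" + "a" * 64,
                        "securityContext": {"allowPrivilegeEscalation": False,
                                            "capabilities": {"drop": ["ALL"]}}}],
    }}},
}

if __name__ == "__main__":
    for label, manifest in (("risky", RISKY), ("hardened", HARDENED)):
        problems = audit_manifest(manifest)
        print(f"{label}: {len(problems)} finding(s)")
        for p in problems:
            print("  -", p)
```

Run as a pipeline gate, a non-empty result from audit_manifest fails the build, which is the point: the same findings that a runtime tool would raise after deployment are caught while a developer can still fix them. The checks mirror what Kubernetes' own restricted Pod Security Standard enforces, so a cluster with that admission policy enabled will reject the risky manifest anyway; the script just moves the rejection earlier.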

Foster described security as a “constant fight” and warned against complacency.

“Overall, if you are addressing your security team’s needs, constantly iterating, remaining vigilant during quiet times, and picking the right tools for the job, that’s a pretty good place to be. One issue with security is that if everything is smooth, there is less incentive to change. In a lot of cases, it is only when there is a fire that security gets prioritised.”


Blathnaid O’Dea is Careers reporter at Silicon Republic

editorial@siliconrepublic.com