Short interview with cloud security expert Alon Berger from Alcide
Securing the infrastructure, platforms, processes and data is one of the most important topics in cloud computing. the cloud report interviewed cloud security experts about the challenging year 2020, how this year of digitization affected cloud security, and their expectations and solutions for 2021.
What were, in general, the biggest security challenges for cloud customers in 2020?
Misconfigurations – according to Check Point’s 2020 Cloud Security Report, the highest-ranking threat was misconfigurations. Among the reporting companies, 68% state that this is still the main concern.
Data breaches and data loss/leakage, causing severe impact to reputation, loss of intellectual property, regulatory implications, and more…
Lack of cloud security architecture and strategy – as many organizations are migrating their infrastructure to the cloud, they are most likely to face many challenges while implementing appropriate security guardrails.
The key term here is the “shared responsibility” model, which highlights the fact that accountability always resides with the cloud consumer.
What were the critical vulnerabilities that you became aware of, and maybe were confronted in 2020? How did or would you address those vulnerabilities, i.e. which solution would you recommend, and why?
CVE-2020-8554 – Man in the middle using LoadBalancer or ExternalIPs
Attackers leveraging minimal RBAC permission to create and modify Kubernetes resources. This security issue enables an attacker to intercept traffic from other pods (or nodes) in the cluster if the attacker can create or edit services and pods.
CVE-2020-8559 – Kubernetes API server vulnerability. This security issue enables privilege escalation from a compromised node. This allows the attacker to direct specific commands to any pod in the cluster.
CVE-2020-14386 – Linux kernel exploit that enables an attacker to perform privilege escalation through unsecured processes, representing a Container Escape.
So, in retrospect, reviewing the top vulnerabilities depicts a clear picture that while Kubernetes adoption is still on the rise, its default security offering is simply not enough. DevOps and Security administrators are required to build a tactical approach based on Kubernetes security best practices when maintaining secure deployments and workloads.
There are several key security foundations to establish, including:
Identity and access management, authentication strategies.
Secure supply chain – using immutable artifacts, trusted image sources and private image registries.
Proper Secret management and reduced RBAC privileges – tuning the Kubernetes configuration files, limiting access and permissions for containers and pods across the CI/CD pipeline.
Security monitoring and enforcement – covering the relevant areas of concern in the Kubernetes infrastructure. Monitor network traffic, fire alerts when needed, and use an AI-driven analysis tool for audit logs.
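Added example, not part of the interview and not Alcide's code: a minimal audit-log check for the Service writes that CVE-2020-8554 depends on (`spec.externalIPs` being set, or `status.loadBalancer.ingress` being written by an unexpected identity). The sample events, user names and the trusted-writer entry are constructed, and the check assumes the audit policy records request bodies (`Request` level or higher) for Services.

```python
import json

WRITE_VERBS = {"create", "update", "patch"}
# Assumption: identities expected to write Services in this cluster (constructed name).
TRUSTED_WRITERS = {"system:serviceaccount:kube-system:cloud-controller-manager"}

# Constructed audit.k8s.io/v1 events, one JSON object per line (not real logs).
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"verb": "create", "user": {"username": "dev-alice"},
     "objectRef": {"resource": "services", "namespace": "team-a", "name": "web"},
     "requestObject": {"spec": {"type": "ClusterIP", "externalIPs": ["203.0.113.10"]}}},
    {"verb": "patch", "user": {"username": next(iter(TRUSTED_WRITERS))},
     "objectRef": {"resource": "services", "subresource": "status",
                   "namespace": "team-a", "name": "lb"},
     "requestObject": {"status": {"loadBalancer": {"ingress": [{"ip": "198.51.100.7"}]}}}},
    {"verb": "patch", "user": {"username": "dev-bob"},
     "objectRef": {"resource": "services", "subresource": "status",
                   "namespace": "team-b", "name": "api"},
     "requestObject": {"status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.99"}]}}}},
    {"verb": "create", "user": {"username": "dev-carol"},
     "objectRef": {"resource": "services", "namespace": "team-c", "name": "db"},
     "requestObject": {"spec": {"type": "ClusterIP"}}},
])

def suspicious_reasons(event):
    """Return why a single audit event is relevant to CVE-2020-8554, if at all."""
    ref = event.get("objectRef") or {}
    if ref.get("resource") != "services" or event.get("verb") not in WRITE_VERBS:
        return []
    body = event.get("requestObject")
    if not isinstance(body, dict):  # absent at Metadata level, or a JSON-patch list
        return []
    reasons = []
    if (body.get("spec") or {}).get("externalIPs"):
        reasons.append("spec.externalIPs set")
    ingress = ((body.get("status") or {}).get("loadBalancer") or {}).get("ingress")
    if ref.get("subresource") == "status" and ingress:
        reasons.append("status.loadBalancer.ingress written")
    return reasons

def scan(log_text, trusted=TRUSTED_WRITERS):
    """Yield (user, namespace/name, reason) for writes by non-trusted identities."""
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        event = json.loads(line)
        user = (event.get("user") or {}).get("username", "<unknown>")
        ref = event.get("objectRef") or {}
        if user not in trusted:
            findings += [(user, f"{ref.get('namespace')}/{ref.get('name')}", r)
                         for r in suspicious_reasons(event)]
    return findings
```

Events recorded at `Metadata` level carry no `requestObject` and are skipped, so a clean result on such logs says nothing about whether these fields were written.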
There are different approaches to secure cloud environments. Which is the more effective one in your opinion?
Understand and enforce the Shared Responsibility Model. For an organization, it is crucial to recognize and acknowledge clear boundaries for security responsibilities.
In other words, where the cloud provider’s responsibility ends, and where yours begins.
What is your security offering and how does it improve the security posture in the cloud?
Alcide is a Kubernetes security leader empowering DevOps teams to drive frictionless security guardrails to their CI/CD pipelines, and security teams to continuously secure and protect their growing Kubernetes deployments. Alcide enables smooth operations of business applications while protecting cloud deployments from known and unknown security threats.
The platform is specifically designed to provide end-to-end security for Kubernetes deployments and workloads while enabling the smooth operation of business applications. The platform and its capabilities were built to address modern requirements of both DevOps and Security teams while operating distributed Kubernetes workloads across multiple environments.
Seamlessly complementing many CSPM solutions, Alcide’s CWPP offers its Kubernetes security capabilities via three main modules:
kArt – Kubernetes Runtime detection and prevention
kAdvisor – Kubernetes Configuration Assessment and Compliance
kAudit – Kubernetes Audit Log Analysis
How will the market change in 2021, i.e. what security challenges do you foresee?
Kubernetes Takes Over as Telecom Services Backbone in 2021 – Cloud native developers will see that acceptance from telcos means Kubernetes is transforming from a cutting edge and experimental technology to an established platform that millions of telco customers are using daily with the expectation of 99.999% reliability. When mobile phone users access 5G networks, it will be likely their calls and data will be handled by infrastructure-agnostic containers orchestrated by Kubernetes. For cloud native developers, this means ecosystem contributors for Kubernetes will be more likely to make deeper and longer term commitments to supporting K8s and cloud native.
The interview was conducted by Friederike Zelke.
Alon Berger is a product marketing manager at Alcide, focusing on bridging between the company’s R&D department and the Marketing team. Right after completing his BSc in computer science, Alon set foot in the cyber security industry and gained experience in R&D operations management and DevSecOps methodologies. As part of Alcide’s team, and as a strong Kubernetes advocate himself, he aims to bridge the gap between Security and DevOps teams in their journey towards adopting Kubernetes and its relevant security aspects.