It’s no secret that IT security has fundamentally changed over the past decade. The rise of new deployment technologies and architectures like containers and microservices, combined with the demand for continuous delivery chains and DevOps workflows, has made application delivery and deployment much more complex than it was ten years ago. By extension, the security challenges that IT organizations now face have grown significantly in number and complexity.
At first, many DevOps teams struggled to meet these challenges by attempting to shoehorn traditional security tools and strategies into microservices environments. Not surprisingly, that stopgap approach yielded unimpressive results. It required a great deal of manual effort on the part of DevOps teams, and it relied on security tools that simply can’t handle the complexity or rapid pace of change of modern environments.
There is a better approach. We call it Kube-native. In a Kube-native environment, DevOps teams use Kubernetes as the foundation not just of their infrastructure, but of all of the tasks, processes, and tooling required to keep that infrastructure healthy and secure.
Below, we define what Kube-native means, explain how it differs from conventional strategies, and provide an overview of best practices for a Kube-native security strategy. In future posts, we’ll dive deeper into the various aspects of the Kube-native concept.
Security in the modern world
Security has changed in three fundamental ways over the last ten years or so, as we’ve entered into the cloud-native, DevOps-oriented age. Let’s look at each main change.
Declarative, immutable infrastructure
The first change is that most infrastructure has shifted toward a declarative and immutable model. Instead of setting up infrastructure first, then configuring it manually to make it look the way we want, we write code that governs how infrastructure should behave, then automatically build infrastructure to conform with the code. Now, when infrastructure needs to be updated, we destroy the old infrastructure and replace it with new components rather than trying to update in place.
This means that security tools and strategies must support a declarative approach to infrastructure management, while also enforcing the principle of immutable infrastructure wherever possible.
Modern delivery chains
Many organizations have migrated to software delivery strategies oriented around continuous delivery of new releases and constant collaboration between developers and other stakeholders within the software delivery process.
Keeping continuous delivery chains flowing smoothly while still ensuring the security of code can be a challenge. The solution is to integrate security directly into the continuous delivery pipeline, ensure that developers can communicate seamlessly with other groups about security issues and embrace automation so that security testing is performed quickly and continuously, both pre- and post-deployment.
No more perimeters
Traditional security tools and strategies operated on the premise that workloads had a clearly defined perimeter, and that ensuring security was as simple as securing that perimeter.
That approach works if your workload sits neatly behind an on-premises firewall, with statically configured endpoints serving as interfaces with the public Internet. But it fails completely in cloud-native, containerized environments that are composed of multi-layered, dynamically configured networks and endpoints with no consistent perimeter.
In these environments, security demands a deeper level of control. It starts with defining how different resources (such as containers or pods) should be able to interact, then enforcing those configurations by detecting and remediating exceptions.
The role of Kubernetes in modern security
At first glance, Kubernetes, an open source container orchestrator, may not seem like the answer to the security challenges of the modern age. Kubernetes was built first and foremost to manage environments, not secure them.
Yet, although it is true that Kubernetes’s native security features are limited, adopting a deployment and management strategy based on Kubernetes does much to simplify the security challenges that DevOps teams face today.
That is true for several reasons. First, Kubernetes is designed to manage environments in a declarative and immutable way, which aligns well with security strategies that follow the same principles.
Second, Kubernetes can serve as a single management tool and source of truth across heterogeneous infrastructures. In this way, Kubernetes simplifies the security challenges that arise in complex multi-cloud or hybrid cloud environments. By abstracting the application environment away from underlying infrastructure, Kubernetes helps to simplify attack surfaces and intrusion detection.
Finally, Kubernetes is a modular framework that consists of many distinct components. Although different tools and strategies are necessary for securing each one, Kubernetes makes it easy to implement a multi-layered security strategy that addresses the various types of vulnerabilities that exist in the modern world.
A Kube-native security strategy, then, involves security tooling that integrates deeply with Kubernetes itself. The tooling relies on Kubernetes to gain visibility into application environments, audit policies, and enforce security rules.
In this way, a Kube-native strategy enables security as code. Rather than relying on separate security controls and tools that are grafted onto the infrastructure, Kube-native security integrates security directly into the infrastructure layer — Kubernetes — and operates according to the same declarative, immutable principles as the infrastructure.
With Kube-native security, you build security into your environment from the start. You don’t set up the environment and then try to secure it. Instead, you define security in a declarative way on day one, and you build containers, pods, namespaces, and deployments that reflect your declarations.
We believe that Kube-native security is the only truly scalable and holistic approach to managing the complexities of modern security. Stay tuned for deeper dives into the different tools and strategies associated with Kube-native security, as well as best practices for ensuring security in a Kubernetes-centric world.