NSA, CISA guidance helps agencies minimize Kubernetes risks
The advent of containerized software services — and the emergence of Kubernetes to deploy and manage them – have played crucial roles in modernizing applications. But it has also unleashed a host of new opportunities for malicious actors to exploit misconfigurations and vulnerabilities inside these microservices, says Palo Alto Networks Senior Product Manager Paul Fox.
That’s why he says federal agencies should take a closer look at a new technical report, released by the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency, that provides detailed guidance on how to harden Kubernetes containers and avoid common misconfigurations.
“I’m impressed at how rapidly the federal agencies have adopted this technology. I personally encountered Docker, the precursor to Kubernetes, back at NIST in 2015. Then I encountered Kubernetes in 2017. Here we are in 2021 – it’s everywhere. Kubernetes has won the orchestration wars; it’s definitely a technology that’s here to stay,” he says in new podcast produced by FedScoop and underwritten by Palo Alto Network.
Fox credits NSA and CISA, however, for detailing multiple points of entry hackers are exploiting and the broader recommendations the report makes for hardening Kubernetes microservices.
“All of the recommendations are extremely important. But I think the pod security recommendations are the most important because the pod is where all the processing occurs within a Kubernetes cluster,” he says. A pod is a group of more or more virtual containers that share storage and network resources and contain specified running instructions.
“This is the most likely entry point for an attacker to gain access into that clustered environment and traverse to other points of interest,” he explains. These environments rely on images – or stored instances of containers, each of which holds a set of software needed to run an application. “Knowing how those images are going to behave as a pod within the environment is critical –(throughout) the build-ship-and-run phases.”
While the open-source foundation of Kubernetes makes it relatively straightforward to build and manage microservices, the biggest challenge for every organization “is going to be staffing – having the people with the knowledge and the capabilities to implement them securely… and manage these technologies across all these different cloud service providers,” he says.
Fox highlights several recommendations for overcoming those and other challenges during the podcast, including what agencies should look for when acquiring Kubernetes tools and capabilities.
He also touches on:
- The emergence of multiple commercial flavors of Kubernetes orchestration tools increasingly in use across federal agencies.
- The importance of keeping a continuous view of containers in operations, not just at a moment in time.
- The additional importance of that ensuring pods are never allowed to run as a “root” within a Kubernetes cluster.
Listen to the full podcast conversation on making Kubernetes more secure on FedScoop.com. And hear more of our coverage of “IT Modernization in Government” on. FedScoop’s podcast channels, wherever you get your podcasts.
Learn more about how Palo Alto Networks is helping government agencies optimize their security operations.
Paul Fox is senior product manager at Palo Alto Networks. He previously served as an IT specialist in the Executive Office of the President; worked as a senior consultant and architect at Microsoft; and was a solutions architect at Twistlock, a leader in container security, which Palo Alto Networks acquired in 2019.
This podcast was produced FedScoop and underwritten by Palo Alto Networks