Red Hat’s Chris Jenkins on Upping Security with Containers
In an era where digital transformation is reshaping industries, organisations are increasingly turning to containerisation and Kubernetes to streamline their application development and deployment processes.
However, this shift brings with it new security challenges that businesses must address. Image security, runtime security issues, dangerous misconfigurations, and challenges in managing secrets and network security all pose risks.
Yet how can companies take on board the benefits of using containers while minimising the risks? To find out more, Cyber Magazine spoke with Chris Jenkins, Principal Chief Architect at Red Hat, about laying the foundations for stronger cyber defences with containers.
With over 30 years of distinguished experience in the technology industry, Chris is a trailblazer known for crafting robust security frameworks that fortify organisations against evolving cyber threats while ensuring business continuity and growth.
Kubernetes, often abbreviated as K8s, is an open-source platform designed to automate the deployment, scaling, and management of containerised applications.
It groups containers that make up an application into logical units for easy management and discovery. Kubernetes has become the de facto standard for container orchestration due to its flexibility and robust feature set.
The adoption of these technologies has skyrocketed in recent years, with organisations leveraging them to improve efficiency, scalability, and consistency across development and production environments. However, this shift also brings new security challenges.
The latest State of Kubernetes Security Report from Red Hat revealed a stark reality: nearly all organisations worldwide experienced at least one container or Kubernetes security incident in the past year, with 46% losing revenue or customers as a result. These statistics underscore the critical need for robust security measures in containerised environments.
"Kubernetes has proved itself to be a 'game changer' when it comes to application development and deployment, but as with all modern technology platforms, there are a lot of complex moving parts," Christopher says. "The risks in a containerised environment are different to those presented in traditional platforms such as virtual machines and these need to be understood by security professionals within organisations."
Containerised security concerns
"Organisations can take a number of steps to best protect their containerised environment including (but not limited to): RBAC: Ensuring correct Role-Based Access Controls (RBAC) for restricting user permissions," Christopher explains. "Misconfigured RBAC can lead to excessive permissions for users or services, increasing the risk of privilege escalation."
This emphasis on RBAC highlights the importance of implementing granular access controls to prevent unauthorised access and potential security breaches.
Pod-to-pod communication is an equally important concern: by default, all pods in a Kubernetes cluster can communicate with each other. Without proper network policies, malicious or compromised pods can intercept or manipulate traffic.
"Red Hat OpenShift can be configured with Network Policies to explicitly define network paths thus limiting network exposure," he continues.
This point underscores the need for careful network configuration to prevent potential lateral movement within a cluster in case of a breach.
Another crucial aspect Christopher highlights is the risk of running privileged containers. "Containers running with privileged access can break out of the container isolation and affect the host system. This can be mitigated by using container security tooling such as Red Hat Advanced Cluster Security which can deny the deployment of privileged containers."
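The three controls discussed above (RBAC scope, network policies for pod-to-pod traffic, and refusing privileged containers) can each be checked mechanically before a manifest reaches a cluster. The Python below is an added example, not code from the article, from Red Hat or from OpenShift: it runs offline over a handful of constructed objects whose shapes mirror Kubernetes Role, ClusterRole, Pod and NetworkPolicy manifests, and flags RBAC rules that grant wildcards or escalating verbs (`*`, `escalate`, `bind` and `impersonate` are real RBAC verbs), pods that no NetworkPolicy selects, and containers requesting `privileged: true`. Every name, namespace and image in it is made up.

```python
"""Added example, not code from the article or from Red Hat: a small
admission-style checker run offline over constructed Kubernetes objects for
three risks: over-broad RBAC, pods no NetworkPolicy selects, and privileged
containers. Object shapes mirror real manifests; the objects are made up."""

# Constructed sample objects (plain dicts in the shape of the manifests).
SAMPLE_OBJECTS = [
    {"kind": "ClusterRole", "metadata": {"name": "wide-open"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "cm-reader", "namespace": "shop"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"],
                "verbs": ["get", "list"]}]},
    {"kind": "Role", "metadata": {"name": "binder", "namespace": "shop"},
     "rules": [{"apiGroups": ["rbac.authorization.k8s.io"],
                "resources": ["rolebindings"], "verbs": ["create", "bind"]}]},
    {"kind": "Pod", "metadata": {"name": "web", "namespace": "shop",
                                 "labels": {"app": "web"}},
     "spec": {"containers": [{"name": "web", "image": "example.invalid/web:1"}]}},
    {"kind": "Pod", "metadata": {"name": "debug", "namespace": "shop",
                                 "labels": {"app": "debug"}},
     "spec": {"containers": [{"name": "sh", "image": "example.invalid/tools:1",
                              "securityContext": {"privileged": True}}]}},
    {"kind": "NetworkPolicy", "metadata": {"name": "web-only", "namespace": "shop"},
     "spec": {"podSelector": {"matchLabels": {"app": "web"}},
              "policyTypes": ["Ingress", "Egress"],
              "ingress": [{"ports": [{"port": 8080, "protocol": "TCP"}]}]}},
]

# RBAC verbs that let a subject widen its own permissions.
ESCALATING_VERBS = {"*", "escalate", "bind", "impersonate"}


def rbac_findings(objects):
    """Return (role name, reason) for rules granting wildcards or escalating verbs."""
    out = []
    for obj in objects:
        if obj["kind"] not in ("Role", "ClusterRole"):
            continue
        name = obj["metadata"]["name"]
        for rule in obj.get("rules", []):
            if "*" in rule.get("resources", []) or "*" in rule.get("apiGroups", []):
                out.append((name, "wildcard resource or apiGroup"))
            bad = ESCALATING_VERBS & set(rule.get("verbs", []))
            if bad:
                out.append((name, "escalating verbs: " + ",".join(sorted(bad))))
    return out


def privileged_findings(objects):
    """Return (pod, container) pairs that request securityContext.privileged."""
    out = []
    for obj in objects:
        if obj["kind"] != "Pod":
            continue
        spec = obj["spec"]
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            if c.get("securityContext", {}).get("privileged") is True:
                out.append((obj["metadata"]["name"], c["name"]))
    return out


def _selects(policy, pod):
    """True if policy.spec.podSelector matches the pod: same namespace and
    matchLabels a subset of the pod's labels (an empty selector matches all)."""
    if policy["metadata"].get("namespace") != pod["metadata"].get("namespace"):
        return False
    wanted = policy["spec"].get("podSelector", {}).get("matchLabels", {})
    labels = pod["metadata"].get("labels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def unselected_pods(objects):
    """Return names of pods no NetworkPolicy selects, i.e. pods still covered
    by Kubernetes' default allow-all pod-to-pod traffic."""
    policies = [o for o in objects if o["kind"] == "NetworkPolicy"]
    return [p["metadata"]["name"] for p in objects if p["kind"] == "Pod"
            and not any(_selects(pol, p) for pol in policies)]


if __name__ == "__main__":
    for finding in rbac_findings(SAMPLE_OBJECTS):
        print("RBAC:", *finding)
    for finding in privileged_findings(SAMPLE_OBJECTS):
        print("privileged:", *finding)
    print("no NetworkPolicy:", unselected_pods(SAMPLE_OBJECTS))
```

Run directly, the script reports the wide-open ClusterRole twice (wildcard scope and the `*` verb), the `bind` verb on the `binder` Role, the privileged `sh` container in the `debug` pod, and that `debug` is the one pod no policy selects. The selector matching handles `matchLabels` only; `matchExpressions`, a real selector feature, is not covered here, and a production admission controller such as the cluster security tooling mentioned above evaluates these rules on the API server path rather than over a static file.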
While these risks are significant, containerisation offers many security advantages too. By architectural definition, containers present a lower attack surface than traditional virtual machines.
The containers are typically based on Universal Base Images (UBIs), which contain only the packages and libraries required to run the application. With no extraneous packages inside the container, there is less chance of common vulnerabilities and exposures (CVEs) being introduced into the environment.
This reduced attack surface is a key benefit of containerisation from a security perspective, but Christopher cautions that it's not just about the containers themselves: "Containers are just one potential risk - the underlying orchestration platform should also be hardened, patched and monitored in an automatic fashion to ensure compliance requirements."
When it comes to securing containerised environments in the public cloud, Christopher emphasises the importance of consistency and flexibility: "Platforms such as Red Hat OpenShift can be run in private, hybrid and public cloud environments with very similar configurations. Having the ability to deploy, and migrate containers between environments can provide better operational resilience (reducing concentration risk) while also giving the capability to apply data segregation for sensitive data."
This approach allows organisations to maintain strong security practices across diverse environments while also enabling them to strategically manage data based on sensitivity.
Securing containers' continued use
Looking to the future, containers are set to play an increasingly important role in cybersecurity.
"The use of Kubernetes isn't currently showing any sign of slowing down," Christopher states. "Containerised applications running in a hardened platform can provide a 'defence in depth' approach to security, allowing controls to be applied at each layer of the environment such as infrastructure, network, data, access controls, monitoring and compliance management."
However, these security issues highlight the need for balance between innovation and security. Development teams may want to use the tools available to them, but this should be tempered, and risk management processes should be in place to identify potential threats.
Christopher advocates a DevSecOps culture to help limit exposure, with development, security and operations teams working in harmony to reduce risk across the organisation without stifling innovation.
As organisations navigate the complex landscape of containerisation and cloud computing, they should strive to understand the unique security challenges, not only the opportunities, that containers present, in order to harness their power while maintaining robust protection.
Cyber Magazine is a BizClik brand