Audio transcript:
Deciphering Common Misconceptions about Security Across Kubernetes
Erin
Hello, and thank you for joining us for another "Insight Tech Talk." My name is Erin Hazen, and I'm a client solutions executive here at Insight. Excited to talk with all of you today about deciphering common misconceptions about security across Kubernetes. Now to help us understand more about this topic, I am thrilled to be joined today by Alan Epps, SUSE partner sales engineer. Welcome, Alan!
Alan
Hi! Nice to be here.
Erin
Thanks so much for being here. So, we know that containers are transforming how organizations deploy and use applications, and securing your organization's containerized deployments means looking beyond assumptions and asking the hard questions about Kubernetes security. Are you really doing enough to secure your container environment with the baseline, out-of-the-box security that comes with Kubernetes, or do you have the network visibility and protection needed to keep ahead of the ever-growing attack surface of container environments? Now with Kubernetes, we know that organizations can modernize, replacing their legacy, monolithic infrastructures with new, lightweight, efficient and agile container workloads. This provides developers the foundation to build, automate and ship applications faster and more reliably than ever before. But as organizations continue to implement Kubernetes, the challenges and risks of security continue to grow. So, let's review some of these common misconceptions around container security and what that means for organizations, and then at the end of this conversation, we'll come to have a really good understanding of how SUSE solutions can help. Does that sound good, Alan?
Alan
Sounds perfect. Let's go.
Erin
Okay, great. So let's get started here, Alan. Does my Kubernetes platform offer adequate container workload protection?
Alan
Kubernetes is awesome, don't get me wrong, but it's not a security platform. That's not its core functionality, right? It's an orchestration platform. So while it does have security features in it, it doesn't have everything to protect against exploits and zero-days built in, and it's really made up of the four Cs, right? You've got the cloud itself, the cluster, the container that lives in the cluster, and then the code that runs on the container. The cloud is completely separate if it's offsite or a hyperscaler, and it's completely out of your control. So they have a nice crunchy outer wrapper around it, but everything inside that is completely up to the company doing the implementation. So that's where the security lives from the customer standpoint.
Erin
Right, and maybe this is something that people don't really take into account or don't really have a great clear picture of, which is why I'm super excited we're talking about this today, just to open people's eyes a little bit about maybe the gaps that they're missing. So next question for you then is, does combining traditional security tools like firewalls and IDS/IPS with Kubernetes's built-in network security adequately protect against network attacks on containers?
Alan
It's a good solid start, right? Again, security is always layers in depth. You want each layer to be different than the one above it, and you want each layer to have slightly different features that complement each other. Traditional security tools as well as the built-in Kubernetes network policies are blind, unfortunately, to the network attacks, and they don't provide state-of-the-art protection out of the box, such as application segmentation at layer seven and all the rest. So, there's more stuff that needs to be done beyond what Kubernetes has built in, and Kubernetes doesn't, by definition, differentiate the north-south traffic, i.e. the ingress and egress traffic, versus the east-west traffic between containers. So both streams of communication need to be secured, and it's not something that out of the gate is usually a clickable, you're-ready-to-rock kind of change.
Erin
Right. So we're getting there. It's kind of close, but I mean like, close and super far away are pretty big differentiators when you're talking about security like,
Alan
Absolutely.
Erin
We need to be right on there, right? So I guess maybe another sort of layer of vulnerability to talk about is, like, scanning images. So is scanning images, containers, pods and production nodes for vulnerabilities enough?
Alan
No. I mean, it's critical. It's crucial. It's absolutely best practice. But again, if you're not understanding what that traffic looks like in and out as well as back and forth, that's where the largest vulnerability is, because again, that's going to be your attack vector, right? People in general aren't hacking your source code. They're actually hacking your network coming in, or once they're inside. So while the traditional tools are there, they don't cover the state of the protections you really, really need.
Erin
And bad actors, they probably know this, right?
Alan
Absolutely.
Erin
They know it.
Alan
And the zero-day thing is real, right? Without understanding how your network functions, if somebody compromises your network with a zero-day, how do you know, right? You need additional tools beyond what's built in.
Erin
Totally. No, this makes total sense for sure. And it's important that we know this so that we can get ahead of it and, you know, our organizations can be prepared. So I guess maybe one more question around just sort of, like, what is enough: by using a public cloud provider, are containers secure enough? Kind of a tricky one.
Alan
Not really, right? Because if you read their terms and conditions, all the public cloud providers say you're responsible for your own security, right?
Erin
Correct, right.
Alan
Again, they provide that crunchy outer wrapper, but they don't deal with the internals at all. So the portion that needs to be secured by the company is those inner three Cs that I talked about, right?
Erin
Right.
Alan
The code piece is kind of separate. That's not really the subject of this, because that's an entire whole different school of how to write secure code. But the containers themselves and the nodes that they run on, that is definitely the place that needs additional work. And that portion is something that lives in a mindset specific within the company, right? As you're deploying that infrastructure, that's where you need to add that security.
Erin
And I wonder, so maybe just to go off script a tiny bit here, Alan, like, how often do you see clients who think that they have enough, and it's just because they have not had that, you know, purview into the deeper layers?
Alan
Regularly, right? And it's like everything in security, it's a cost. And until you're smacked with it, most companies are like, "Well, I've taken basic steps." But they don't really go all the way through, and that's why we find out about these hacks after the fact, right, whether it's the credit card industry or the government or where have you. Every business, regardless of its structure, has these challenges, and every business always needs more security than they think they do.
Erin
I love that you are giving us, like, the windshield view and not that rear-view mirror view, right? Because we all have that hindsight-is-20/20 thing where we're like, we should have, would have, but now we're really taking the steps to make sure that organizations are prepared. So speaking of that, what tools are available from SUSE to help technology leaders and their teams ensure that they are equipped to tackle these challenges around container security with confidence?
Alan
So the biggest tool that we've got is a tool called NeuVector. It offers a view of that north-south traffic as well as east-west, and it takes that traffic as the source of truth when it builds the rule set, right? So it's not the rules that Susie and Larry and Tina and Gary remember that they need to implement. It actually looks at what the network traffic's doing and then builds its rule set based off of that. As a consequence, it is truly zero trust. There's no "I have to assume that this person knows what they're talking about." It is totally based off of what it sees, and because of that, we're enabling organizations to stay agile. They can continue to modify their code as they need. NeuVector will modify itself based on the patterns it's supposed to see when you turn it into training mode, but it'll also change itself based on the patterns it actually sees, not just what you assume but what it really sees. And then by instantiating those policies into the code as it's deployed, it stays secure moving forward. It's the most comprehensive offering on the market today for Kubernetes. It's actually 100% open source. There's patented technology, and we open-sourced the patents so it's available to people to understand how it works. It's available to people to come down and pull it down, but everything we do is community driven. So as people find new needs and as people have new wants, they feed that back into the community, and that then gets rolled back into the tool.
Erin
I really love that, because I feel like, you know, sort of that open source conversational relationship that you're having with developers is only going to allow us to better understand the needs and better develop and better iterate, right?
Alan
Absolutely. That's the entire Linux world way, right? Everybody learns new things,
Erin
Yeah.
Alan
feeds back in, open-sources everything so additional people can build off of it, because we're all stronger together. We all rise up together.
Erin
Totally. And no one can defeat sort of the security challenges alone. I feel like this has to be something that everybody's working on together, right? And so the NeuVector solution from SUSE is something that would be all-encompassing and allow for that, correct?
Alan
Yes, as long as it's a part of that layered, in-depth process, right? Because security's always going to be that series of layers, and NeuVector's an additional layer. The big key is it's doing something that no other tool out there does, which is securing and understanding that traffic, east-west, north-south, without relying on somebody's memory, but actually on the traffic flow that's really, truly happening.
Erin
And what a relief, because then you don't have to rely, like you said, on somebody with that knowledge. And the way that the industry is, with people moving and shifting, you want to make sure your organization is always secure. Correct?
Alan
Absolutely. Absolutely.
Erin
Awesome, awesome. This has been so interesting to learn, Alan, and an exceptional learning opportunity for all of our viewers, bringing awareness and sharing solutions for these potential security gaps that our viewers and organizations might need to look into. So thank you so much for sharing your knowledge.
Alan
Thank you for the time, Erin. I really appreciate it.
Erin
Thank you so much for your insights today, Alan. This has been an exceptional learning opportunity, and thank you for bringing awareness and sharing solutions for potential security gaps that our viewers may need to look into. And you can certainly learn more about the solutions available from SUSE by visiting insight.com. And you can find a link to the SUSE partner page in today's show notes. And while you're there, make sure that you subscribe to our digital magazine, The Tech Journal, where you will find more inspiration and insights on the future of business and technology. My name is Erin Hazen, and on behalf of Alan and me and Insight, thank you so much for your time today.