DEVOPSdigest

Just like health in humans where both nature (e.g., your genetic traits) and nurture (e.g., diet and exercise) play an important role; a healthy Kubernetes deployment too needs to have the right start with secure foundations, as well as secure operational practices to keep your clusters running. However, accidents do occur, and things go wrong unexpectedly, so it is critical to invest in an insurance policy with Kubernetes data protection.

Going to the Gym – Secure Operations

A recent report from the NSA provides a Kubernetes Hardening Guide(link is external) that is a good example of best practices that serve as a defense against supply chain risks, malicious actors as well as insider threats.

Security hygiene practices of container scanning, encrypting data, segmenting networks, etc. are highlighted well in this guide. Implementing and adhering to these processes starts with organizations understanding the unique risks and challenges that come with securing Kubernetes clusters.

Old methods and tools that relied on securing perimeters and firewalls do not work in this growing cloud-native environment, so it is critical to invest in educating and retooling. Cloud-native applications, built as microservices employ a variety of open-source modules and are deployed in distributed environments, obsoleting the traditional notions of static IP address-based security and enforcement rules.

Building your DNA – Secure Foundations

What the NSA report doesn't cover though is that with the adoption of "Shift Left" principles, not only is security a shared responsibility, but we now also have very capable tools to embed security constructs and polices very early in the software development life cycle. Cloud-native development IDEs now make it a snap to incorporate the best security practices early. For e.g., Right at development time, when creating an object storage bucket, the developer can be auto reminded to ensure that the encryption options are turned on.

The Kubernetes community is also innovating with new constructs that make Policy-as-code easy to author and enforce without being locked into a single vendor solution. For e.g., using policy language authoring and enforcement tools, you can associate a backup policy as a pre-cursor to a stateful application being deployed into production. Kubernetes admission controllers can detect and enforce these policies with mutating web hooks. This follows the principle of security being a shared responsibility. Organizations that build these strong foundations upfront, will not find themselves in a potentially disastrous situation of production applications without backup policies handling mission critical data at run time.

Don't Forget Insurance – Kubernetes Backup and DR

As the deployment of Kubernetes applications increase in scale, so have the attacks from malicious actors. As an example, ransomware is a serious problem for enterprises and is now even expanding to the mid-market segment as this WSJ article(link is external) highlights.

Organizations need to plan for these disruptions and invest in the right data protection tools. Just like the old perimeter-based approaches don't work in securing Kubernetes, similarly traditional hypervisor-based tools don't work for data protection. Invest and operationalize in the right Kubernetes-native solution that accommodates high-velocity application development cycles with distributed deployment where the infrastructure is abstracted away.

Follow these principles, and there is no reason why your Kubernetes applications will not have a long and health life!