“Zero Trust” Approaches to run-time Kubernetes Security
While the concept of Zero Trust is not new, it has become a strategic imperative in the post-SolarWinds breach world we live in.
The following article outlines key concepts involved in Zero Trust Cloud Security. This article covers the “Why” and “What”; a subsequent article will cover the implementation aspects — “How”.
Google and other Cloud Native tech companies have made immense contributions in the area of Containers, Container orchestration platforms, Kubernetes, etc. These have delivered immense computation efficiencies. However, since containers are highly ephemeral and transient, securing containers at a run time efficiently is very challenging. In addition, the scale of modern container platforms makes for a daunting problem. [Reference 1: Netflix launches 500,000 containers and 200,000 clusters/day]. Traditional approaches of securing server environments (like IPTables) are either not scalable or are highly inefficient for securing large scale Kubernetes production workloads.
Large scale, mission-critical container assets are fertile grounds for attacks by threat actors. The following are some recent highly publicized container attacks. As is the case with Cyberattacks, a vast majority goes unreported and hence the actual breaches are an order of magnitude greater.
While perimeter defences (Firewalls, WAF) do a great job of protecting ingress/egress traffic inter container security is rarely enforced. Given that North-South traffic makes up only 17% of the traffic; the bulk of the traffic (~83%) remains prone to multiple attack vectors. The scale, magnitude, and ephemeral nature of these containers further exacerbates the problem.
Hence it is not entirely surprising that leading research analysts have outlined this as an area that requires concerted attention.
“Container usage for production deployments in enterprises is still constrained by concerns regarding security, monitoring, data management and networking.” — Gartner, Best Practices for Running Containers and Kubernetes in Production, August 4, 2020.
“Container adoption is increasing, and security must come along for the ride. Organizations value the scalability and agility that containers offer, but containers introduce new security challenges that can’t be addressed with traditional security and networking tools. Commonly accepted security tools like vulnerability scanners, network forensics, and endpoint detection and response (EDR) are too heavyweight for a container environment. Security pros need cloud-native tools that are purpose-built for high scale, lightweight, ephemeral container environments.” — Best Practices For Container Security, Forrester Research, July 24, 2020.
Zero Trust was coined by Forrester Analyst, John Kindervag who outlined the following tenets:
1. The network is always assumed to be hostile
2. Assume threat actors are already inside your network
3. Network locality (segmentation) is not sufficient for deciding trust in a network
4. Every device, user and network flow is authenticated and authorized
5. Policies must be dynamic and calculated from as many sources of data as possible
6. The device is no longer the border. A user/service’ identity is the net border
7. Containers, serverless and cloud are the new disruptors of traditional security architecture
Google further lent considerable credibility to this initiative by pioneering their BeyondCorp initiative. “Unlike the traditional perimeter security model, BeyondCorp dispels the notion of network segmentation as the primary mechanism for protecting sensitive resources. Instead, all applications are deployed to the public Internet, accessible through a user and device-centric authentication and authorization workflow”.
Given the recent SolarWinds breach, NSA has advised organizations to embrace the Zero Trust Security Model.
Identity — The New Perimeter
In the ephemeral and transient world of micro-services (containers, Kubernetes) where IP addresses are ever-changing, and consequently IPTables based security policies don’t scale, it is imperative that a Security Architecture where Identity (user and service) serves as the foundational element to enforce security.
The implications of Zero Trust as applied to Kubernetes is far-reaching and has an impact on how Private and Public Cloud Workloads are secured. Given that Zero Trust requires the least privilege, “deny all”, “whitelist by design” approach to ensuring robust security, and static container scanning tools cannot prevent “zero-day” attacks, some of the architectural principles include:
1. Leverage User and Service Identity as security perimeter gates.
2. A robust and comprehensive policy management layer to map business rules and governance standards into the system
3. Continuous monitoring to detect anomalies
A variant of President Reagan’s maxim “Trust but verify” is apropos in the Zero Trust world “Verify.. then trust.. continuously verify”
 “Netflix’s Container Management System Is Now Open Source”, Data Center Knowledge, April 2018
 Kurt Marko, “Use a zero-trust model for container security in the cloud”, TechTarget, May 15, 2020.
 Dan Hitchcock, Evolution of Information Security, blog
 National Security Agency (NSA) — Embracing the Zero Trust Security Model