Containerised applications and Kubernetes infrastructures are increasingly becoming the focus of attackers. However, conventional security products cannot adequately protect these highly dynamic environments from growing risks.
In order to proactively counter the new threat situation, more and more companies are therefore opting for a zero-trust strategy. This security concept assumes that users, applications, networks, servers, services and APIs - whether internal or external - cannot be trusted until proven otherwise.
How can the Zero Trust principle be applied in a container environment? Holger Moenius will talk about this in his presentation.
In his view, five measures are particularly important:
1. Protect the entire container supply chain.
To protect the entire supply chain from threats, IT departments must ensure that all components - including the Kubernetes software itself - come from trusted sources. Before container images are deployed in an environment, they should therefore go through a comprehensive verification process. Only with verified images can you ensure that your clusters are not compromised by compromised containers or malicious code.
2. Eliminate sources of error through automation
In highly dynamic Kubernetes environments, it is important to automate the protection measures as much as possible. An important tool for this is Custom Resource Definitions (CRDs), for example. DevOps teams can use them to declare the permissible behaviour of their container workloads, which is then automatically monitored in a production environment.
3.Identify vulnerabilities through regular vulnerability scans.
There are now a variety of solutions for vulnerability management in the container environment. Automated tools provide a quick overview of known vulnerabilities in real time and give recommendations on how to fix them. Anomaly-based methods are also able to detect new vulnerabilities that are exploited by attackers. With virtual patch functions, IT departments can also reliably block these zero-day exploits.
4. Control container communication through segmentation.
Container segmentation in Kubernetes clusters ensures that only authorised communication between applications is allowed and unauthorised communication is consistently restricted. This makes it easier to prevent unauthorised access and enforce individual security policies for different groups of applications.
5. Allocate access rights according to the least privilege principle.
Role Based Access Control (RBAC) in Kubernetes environments ensures that users can only perform the actions for which they are authorised. Always be restrictive when assigning access rights and limit access to the data and resources that are actually needed for the task at hand.
Container environments can only be protected against growing cyber risks with largely automated security architectures. A solution developed precisely for this purpose is NeuVector Prime. The container security platform integrates various key technologies such as zero-trust security, WAF and CVE scans to automatically secure the entire container pipeline from creation to delivery to execution.
NeuVector Prime also helps organisations meet compliance guidelines when moving to Kubernetes and cloud-native infrastructures. To simplify reporting for audits, NeuVector Prime offers pre-configured, customisable reports for PCI, DSGVO, HIPAA and NIST compliance. This enables compliance out-of-the-box in the container environment.
Further information: https://www.suse.com/products/neuvector/