The story so far
With the renewed emphasis on applying zero-trust principles to Kubernetes, it is worth remembering that zero trust is not a new idea; it has been around for a while. In the early 2000s, the concept of “de-perimetrization of network resources” was advanced in the UK. It suggested that organizations should stop relying on perimeter controls such as the network firewall to secure their applications & systems, and should instead secure each system individually and access it directly.
In 2014, Google published “BeyondCorp: A New Approach to Enterprise Security,” which similarly looked at how enterprises can move away from relying on network security and instead have users & applications verify that every caller is properly authenticated & authorized. More recently, the US government memo “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles” again recommends that organizations not depend on the network perimeter to protect their important data & systems.
Applying zero-trust principles to Kubernetes
Now that we have a goal – reducing reliance on network perimeter controls – what practical steps can organizations take to introduce zero-trust concepts into a Kubernetes environment?
First we need to look at the container network. By default, every Kubernetes cluster provides a flat network in which every pod, and so every container in it, can communicate directly with every other pod without restriction. Applications running in it typically treat this network as “trusted”, and services often do not require any authentication for requests that originate from within it. Say we have a range of services connected to the cluster network that can all reach each other at the network level. How can their security be improved? By enabling Kubernetes network policies that apply default rules to both ingress & egress traffic in the cluster. Because network policies select workloads by logical parameters (labels and namespaces rather than IP addresses), we can ensure that only related workloads can communicate with each other.
There is another aspect of zero-trust Kubernetes that has to be accounted for as well: user-to-cluster communication. Since Kubernetes does not ship a production-grade user authentication option of its own, external solutions are needed to fully realize a zero-trust vision. One option is a service mesh, where user access effectively goes through some kind of proxy service before hitting the Kubernetes API, and that proxy can apply controls based on things like device posture & request sensitivity.
It is clear that the way forward for most organizations is to adopt a zero-trust approach to organizational network security. The days when many organizations took a hardened-perimeter approach with a soft interior are numbered. However, this is going to be a long process. ISmile Technologies helps you increase the speed of your innovation for tremendous advantage with our end-to-end solutions. As veterans in DevOps & Kubernetes, we leverage our years of hands-on experience to offer you out-of-the-box solutions that meet your business needs. At ISmile Technologies we see DevOps as a no-touch, CI/CD-driven software delivery approach: one that believes an integrated delivery function from requirements to production gives higher business value to customers. We help you reimagine cloud security by building it into the foundation of your company; delivered as a fully managed as-a-service model, it meets your business's needs while ensuring seamless compliance & security.