When May rolls around (in just a couple of days now), I am planning to appear for an Azure cert. This is the most basic one, which is about the Azure Fundamentals. Technically it is known as the AZ-900. The one thing I have liked about studying for this is that I can get a traditional study book and learn that way. I don’t mind the online stuff as much, but I am still old fashioned in a lot of ways.
I have learned a lot about Azure in these last few years I have been studying, and one concept that has always eluded me was that of “Kubernetes”. I always wondered what it was, and I finally got my answer while I was reading my study book. In technical terms, Kubernetes can be defined as follows:
“It is an open-source system for automating deployment, scaling, and management of containerized applications”.
(SOURCE: https://kubernetes.io/)
In much simpler terms, containers are another way of deploying the software applications that you create on a Cloud-based platform. Groups of containers are called “Pods”, and a group of Pods is called a “Node”.
Ok, enough blabbering on that. Unfortunately, despite all of the benefits and advantages that it has to offer, it too is prone to cyberattacks. Usually, these come in the form of unknown data leakages. If you want to do a deep dive on the cyber risks that are posed to Kubernetes, click on the link below:
https://www.darkreading.com/edge-articles/understanding-the-3-classes-of-kubernetes-risk
A major root of these risks has been the over-privileging of end users. Most often, an employee is given more rights and permissions than they absolutely need, and once they no longer need them, the IT Security team very often forgets to bring the level of those permissions back down. This concept falls under the area of cyber known as “Identity and Access Management”, or “IAM” for short.
So as you can tell, this is the area in which the IT Security team has to start in order to help mitigate the risks that are posed to Kubernetes. So what is a good starting point? Check out the list below:
1) Take a look at all of the end user profiles:
If you make use of Azure, and if your company is large enough in terms of the total number of employees it has, you are probably making use of the “Azure Active Directory”, also known as “AAD” for short. This is where you manage the profiles of all of your employees when you give them the resources they need to access in order to complete their jobs. But very often, blanket permissions are granted, meaning that if a certain group of employees falls into one profile, they are all given the same permissions and privileges as everybody else in that profile. This very often results in the problem of over-privileging. For example, if you hire somebody to do contract work on your network, you will likely give them the same set of permissions as you would your network administrator. But this is overkill. You only need to give them what they need. Technically, this is referred to as granting granular permissions, because you are digging into the details of what exactly they will be doing. Many companies shy away from doing this because it takes too much time. Instead, the thinking is that it is easier to lump employees into one common bucket. This does make sense at the outset, but later on it becomes a huge problem, as you can see. So IMHO, CISOs need to get out of this habitual way of working and take the time to see what each employee really needs.
2) The Concept of Least Privilege:
As the name states, this is where you give employees just enough access to do what they need to do, as just examined. For example, if you have just hired a brand-new administrative assistant, you will only give him or her what they need for their job. Obviously, you are not going to give them the level of access that you would give to your IT Security team. This has always been a theoretical, cardinal rule in cyber, but many companies still fail to implement it, for just about any reason you can think of. But you should not be a statistic here: take the time to review, on a regular basis, all of the permissions that each and every employee needs, and from there keep refining your security policy.
My Thoughts On This:
An area in which you can get started to help you govern the IAM part of Kubernetes is to use a subfield of it known as “Privileged Access Management”, or “PAM” for short. You can use the tools here to specifically manage all of the rights, permissions, and privileges that you assign to each and every employee.
But probably one of the best things about using PAM is that you can configure rules and policies that will automatically remove the rights and permissions of an employee right after they leave your company, no matter what the reason might be.
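To make the two ideas above concrete (the regular permission review from items 1 and 2, and the removal of rights once someone has left), here is an added example, not code from the original post or from any vendor. It audits Kubernetes RBAC bindings in the JSON shape that `kubectl get clusterrolebindings,rolebindings -o json` produces (only the fields needed are kept) against a directory export of current users; the binding data, user list and e-mail addresses are constructed for the example.

```python
import json

# Constructed sample in the shape of `kubectl get clusterrolebindings,rolebindings -o json`,
# trimmed to the fields the audit needs. Not taken from any real cluster.
BINDINGS_JSON = """
{"items": [
 {"metadata": {"name": "contractor-admin"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "User", "name": "contractor@example.com"}]},
 {"metadata": {"name": "assistant-readonly", "namespace": "frontdesk"},
  "roleRef": {"kind": "Role", "name": "pod-reader"},
  "subjects": [{"kind": "User", "name": "assistant@example.com"}]},
 {"metadata": {"name": "old-devops", "namespace": "prod"},
  "roleRef": {"kind": "ClusterRole", "name": "edit"},
  "subjects": [{"kind": "User", "name": "former.employee@example.com"}]}
]}
"""

# Constructed snapshot of the users still present in the directory (e.g. an AAD export).
ACTIVE_USERS = {"contractor@example.com", "assistant@example.com", "netadmin@example.com"}

# Kubernetes' broad built-in ClusterRoles: far more than a single job usually needs.
BROAD_ROLES = {"cluster-admin", "admin", "edit"}


def audit_bindings(bindings_json: str, active_users: set) -> list:
    """Return one finding per user subject that is over-privileged or has left the company."""
    findings = []
    for item in json.loads(bindings_json)["items"]:
        binding = item["metadata"]["name"]
        namespace = item["metadata"].get("namespace", "<cluster-wide>")
        role = item["roleRef"]["name"]
        for subject in item.get("subjects", []):
            if subject["kind"] != "User":
                continue  # groups and service accounts need their own review
            user = subject["name"]
            common = {"binding": binding, "namespace": namespace, "user": user, "role": role}
            if user not in active_users:  # rights left behind after the person departed
                findings.append({**common, "issue": "stale: user no longer in directory"})
            if role in BROAD_ROLES:  # blanket permissions instead of granular ones
                findings.append({**common, "issue": "over-privileged: broad built-in role"})
    return findings


if __name__ == "__main__":
    for f in audit_bindings(BINDINGS_JSON, ACTIVE_USERS):
        print(f"{f['namespace']:>14} {f['binding']:<18} {f['user']:<28} {f['role']:<14} {f['issue']}")
```

The read-only assistant binding produces no finding, the contractor bound to cluster-admin is flagged as over-privileged, and the departed employee's binding is flagged twice, once as stale and once for the broad role.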
There are numerous vendors out there that offer this solution, so it might be best to check them out first and try to watch a demo or two. That way, you will get a good feeling for whether this is something your company needs. In the meantime, if you want to learn more about PAM, buy our recently published eBook on it. The link is right here:
https://www.amazon.com/dp/B0BX1QZH7G