Saturday, April 29, 2023

Two Golden Ways To Cyber Harden Your Kubernetes Platform

When May rolls around (in just a couple of days now), I am planning to appear for an Azure cert.  This is the most basic one, which is about the Azure Fundamentals.  Technically it is known as the AZ-900.  The one thing I have liked studying for this is that I can get a traditional study book and learn that way.  I don’t mind the online stuff as much, but I am still old fashioned in a lot of ways.

I have learned a lot about Azure in these last few years I have been studying, and one concept that has always eluded me was that of “Kubernetes”.  I always wondered what it was, and I finally got my answer while I was reading my study book.  But in technical terms, Kubernetes can be defined as follows:

“It is an open-source system for automating deployment, scaling, and management of containerized applications”.

(SOURCE:  https://kubernetes.io/)

In much simpler terms, a container packages an application together with its dependencies so that it runs the same way on any host, in the Cloud or on premises.  Kubernetes groups one or more containers into a "Pod", which is the smallest unit it schedules; Pods run on "Nodes", the worker machines (virtual or physical); and the set of Nodes managed by one control plane is the "Cluster".

Ok, enough blabbering on that.  Unfortunately, despite all of the benefits and advantages that it has to offer, Kubernetes is just as exposed to Cyberattacks as any other platform.  The damage most often shows up as data leakage that goes unnoticed for a long time, rather than as a loud outage.  If you want to do a deep dive on the Cyber risks that are posed to Kubernetes, click on the link below:

https://www.darkreading.com/edge-articles/understanding-the-3-classes-of-kubernetes-risk

A major root cause of these risks is the over-privileging of end users.  Most often, an employee is given more rights and permissions than the job requires, and once they are no longer needed, the IT Security team very often forgets to scale them back down.  In Kubernetes those rights are expressed through RBAC (Roles and ClusterRoles, plus the RoleBindings and ClusterRoleBindings that attach them to users, groups and service accounts), so that is where the over-privileging shows up.

This concept falls under the area of Cyber which is known as “Identity and Access Management”, or also known as “IAM” for short.

So as you can tell, this is the area in which the IT Security team has to start in order to mitigate the risks that are posed to Kubernetes.  So what is a good starting point?  Check out the list below:

1)     Take a look at all of the end user profiles:

If you make use of Azure, and your company is large enough in terms of headcount, you are probably making use of "Azure Active Directory", also known as "AAD" for short.  This is where you manage the profiles of all of your employees and give them the resources they need to access in order to do their jobs.  But very often, blanket permissions are granted.  Meaning, if a group of employees falls into one profile, they are all given the same permissions and privileges as everybody else in that profile, and this very often results in over-privileging.  For example, if you bring in a contractor to work on your network, it is tempting to drop them into the same group as your network administrators.  But this is overkill.  You only need to give them what they need, scoped to the systems (or, in Kubernetes, the namespaces) they will actually touch.  This is referred to technically as granular permissions, because you are digging into the details of exactly what they will be doing.  Many companies shy away from doing this because it takes too much time.  Instead, the thinking is that it is easier to lump employees into one common bucket.  This makes sense at the outset, but later on it becomes a huge problem, as you can see.  So IMHO, CISOs need to get out of this habitual way of working and take the time to see what each employee really needs.

2)     The Concept of Least Privilege:

As the name states, this is where you give employees just enough access to do what they need to do, as just examined.  For example, if you have just hired a brand-new administrative assistant, you will only give him or her what they need for their job.  Obviously, you are not going to give them the level of access that you would give to your IT Security team.  This has always been a cardinal rule of Cyber on paper, but many companies still fail to implement it, for just about any reason you can think of.  Don't be a statistic here: take the time to review on a regular basis the permissions that each and every employee actually holds against what their role needs, revoke whatever is no longer used, and from there keep refining your security policy.
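The two steps above (review what each profile actually holds, then cut it back to least privilege) can be turned into a repeatable check against the RBAC objects a cluster reports.  The script below is an added example written for this post, not code from the original article or from any vendor.  It assumes the object shape that `kubectl get clusterroles,roles,clusterrolebindings,rolebindings -A -o json` returns (the dicts are constructed by hand here so that it runs offline), and it models the built-in `cluster-admin` ClusterRole as a wildcard rule since built-ins do not appear in a manifest dump.  It flags the "blanket permissions" anti-pattern (a contractor bound to `cluster-admin`, a CI service account bound to a wildcard ClusterRole) and lists, per subject, everything they can do, with the hardened namespace-scoped Role for the same contractor sitting alongside for comparison.

```python
"""Audit Kubernetes RBAC objects for over-privileging (constructed example)."""

# Constructed sample: the over-privileged bindings next to the hardened form
# (one namespace, only the verbs the contractor's deployment job needs).
RBAC_OBJECTS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "contractor-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "contractor@example.com"}]},
    {"kind": "ClusterRole", "metadata": {"name": "do-anything"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-do-anything"},
     "roleRef": {"kind": "ClusterRole", "name": "do-anything"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "ci"}]},
    {"kind": "Role", "metadata": {"name": "deployer", "namespace": "contractor-dev"},
     "rules": [{"apiGroups": ["apps"], "resources": ["deployments"],
                "verbs": ["get", "list", "watch", "update", "patch"]},
               {"apiGroups": [""], "resources": ["pods", "pods/log"],
                "verbs": ["get", "list", "watch"]}]},
    {"kind": "RoleBinding",
     "metadata": {"name": "contractor-deployer", "namespace": "contractor-dev"},
     "roleRef": {"kind": "Role", "name": "deployer"},
     "subjects": [{"kind": "User", "name": "contractor@example.com"}]},
]

# Built-in ClusterRoles are not part of a manifest dump; model the one that
# matters here as the wildcard rule it really is (assumption for this example).
BUILTIN_RULES = {
    "cluster-admin": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}
# Verbs that let a subject grant itself more than it currently holds.
ESCALATION_VERBS = {"escalate", "bind", "impersonate"}


def rules_for(objects, role_ref):
    """Resolve a binding's roleRef to its rule list, falling back to built-ins.
    Role names are per namespace; this sample has no duplicates, so a kind+name
    match is enough."""
    for o in objects:
        if o["kind"] == role_ref["kind"] and o["metadata"]["name"] == role_ref["name"]:
            return o.get("rules", [])
    return BUILTIN_RULES.get(role_ref["name"], [])


def is_wildcard(rule):
    """A '*' in apiGroups, resources or verbs is effectively root."""
    return any("*" in rule.get(k, []) for k in ("apiGroups", "resources", "verbs"))


def permissions_for(objects, subject_name):
    """Step 1, 'look at the profile': every (scope, apiGroups, resources, verbs)
    a subject holds across all bindings. scope is 'cluster' for a
    ClusterRoleBinding, otherwise the binding's namespace."""
    grants = []
    for o in objects:
        if o["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        if not any(s["name"] == subject_name for s in o.get("subjects", [])):
            continue
        scope = "cluster" if o["kind"] == "ClusterRoleBinding" else o["metadata"]["namespace"]
        for r in rules_for(objects, o["roleRef"]):
            grants.append((scope, tuple(r["apiGroups"]), tuple(r["resources"]), tuple(r["verbs"])))
    return grants


def audit_rbac(objects):
    """Step 2, 'least privilege': flag bindings that hand out wildcard or
    escalation rights. Returns (severity, subject, binding, reason) tuples;
    an empty list means nothing blanket was found."""
    findings = []
    for o in objects:
        if o["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        rules = rules_for(objects, o["roleRef"])
        cluster_wide = o["kind"] == "ClusterRoleBinding"
        wildcard = any(is_wildcard(r) for r in rules)
        escalation = any(ESCALATION_VERBS & set(r.get("verbs", [])) for r in rules)
        for s in o.get("subjects", []):
            subject = f'{s["kind"]}/{s["name"]}'
            if wildcard:
                severity = "HIGH" if cluster_wide else "MEDIUM"
                findings.append((severity, subject, o["metadata"]["name"],
                                 f'wildcard rule via {o["roleRef"]["name"]}'))
            elif escalation:
                findings.append(("MEDIUM", subject, o["metadata"]["name"],
                                 "grants escalate/bind/impersonate"))
    return findings


if __name__ == "__main__":
    for finding in audit_rbac(RBAC_OBJECTS):
        print(*finding, sep="\t")
    for grant in permissions_for(RBAC_OBJECTS, "contractor@example.com"):
        print("contractor@example.com", *grant, sep="\t")
```

Run against the sample, the audit reports two HIGH findings (the contractor's `cluster-admin` binding and the CI service account's wildcard ClusterRole); delete the `contractor-admin` ClusterRoleBinding and the contractor is left with exactly the `contractor-dev` namespace grants, which is the least-privilege end state.  On a live cluster the same review can be cross-checked with `kubectl auth can-i --list --as=contractor@example.com`, which shows what the API server itself will allow that user to do.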

My Thoughts On This:

A good place to get started in governing the IAM side of Kubernetes is a subfield of it known as "Privileged Access Management", or "PAM" for short.  The tools in this space let you manage the rights, permissions, and privileges you assign to each employee, and in particular the administrative accounts that can reach the cluster control plane.

But probably one of the best things about using PAM is that you can configure rules and policies that automatically revoke an employee's rights and permissions as soon as they leave your company, whatever the reason, instead of relying on someone remembering to do it.

There are numerous vendors out there that offer this kind of solution, so it might be best to check them out first and watch a demo or two.

That way, you will get a good feel for whether this is something your company needs.  In the meantime, if you want to learn more about PAM, buy our recently published eBook on it.  The link is right here:

https://www.amazon.com/dp/B0BX1QZH7G
