KCSA Blogs

Overview of Cloud Native Security

Rohit Pagote's photo
Rohit Pagote
·

10 min read

Table of contents

4 C’s of Cloud Native Security

  • Code

  • Container

  • Cluster

  • Cloud

Cloud Provider Security Capabilities

  • Today's cloud providers, such as AWS, GCP, and Azure, offer a multitude of capabilities to enhance cloud security.

  • Each of these cloud providers provide their own special tools and features aimed at keeping your cloud space safe.

  • Despite their differences, they all focus on one key goal: making sure your data and apps are secure in the cloud.

  • Azure, AWS, and Google Cloud Platform (GCP) each have their own set of tools aimed at improving the security of their platforms.

  • By looking at how they handle important security features like threat detection, application firewalls, and container security, we can understand how these providers protect user data and applications in a rapidly changing environment.

Threat Management and Response Techniques

  • Azure's Microsoft Sentinel is a powerful tool that combines SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) capabilities. This means it can not only detect security threats but also automatically deal with them.

  • AWS offers Amazon GuardDuty, a service that uses machine learning to continuously monitor and detect potential security issues without needing specific rules set by users.

  • GCP’s Security Command Center is similar, offering a central place to monitor threats, manage assets, and check the security health of Google Cloud services.

Web Application Firewalls (WAF)

  • To protect web applications from common attacks, each cloud provider offers a strong firewall solution.

  • Azure’s Web Application Firewall (WAF) on its Application Gateway defends against top threats like SQL injections and XSS (Cross-Site Scripting) attacks.

  • AWS’s WAF allows users to create custom rules to stop these threats and manage traffic, which can be linked to both AWS CloudFront and Load Balancers. '

  • GCP’s Google Cloud Armor provides similar protections, with rules that guard against DDoS attacks and other common web vulnerabilities.

Container Security

  • With the popularity of containerization, Azure Kubernetes Service (AKS) and AWS Elastic Kubernetes Service (EKS) both focus on keeping containerized applications secure.

  • Azure ensures security is built into AKS from the start, while AWS’s EKS uses a special operating system called Bottlerocket, designed for container security and performance.

  • AWS also uses kube-bench to ensure it meets CIS (Center for Internet Security) benchmarks.

  • GCP’s Google Kubernetes Engine (GKE) not only secures containers but also enforces security policies through integration with Google’s Anthos and the Open Policy Agent (OPA), aligning with security standards.

Shared Responsibility Model

  • Shared Responsibility model outlines what's on your plate and what falls to your cloud provider.

  • Cloud provider, like Azure, handles the security of the physical infrastructure - the hardware itself.

    That means the servers running Azure services are not your headache.

  • But here's where your role kicks in: if it's something you can tweak or set up through your cloud interface, like network or firewall settings for your virtual machines, that's your territory.

  • Think of it this way: if you can't physically touch it, it's probably the provider's responsibility. But if you can log in and make changes, like adjusting network configurations, that's definitely in your court.

Infrastructure Security

  • Infrastructure security encompasses everything from network configurations and server hardening to preventing unauthorized access and data breaches.

  • Server hardening refers to a series of steps taken to enhance the security of the server infrastructure by reducing vulnerabilities in its setup.

  1. Isolate critical applications on separate servers for better security.

  2. Restrict Docker port access with firewall rules and policies.

  3. Apply least privilege to containers and secure Kubernetes dashboard.

  4. Store sensitive data securely using Kubernetes secrets and RBAC.

  5. Encrypt etcd data and use TLS authentication for protection.

Kubernetes Isolation Techniques

  • Let’s say you have Prod, Test and Dev versions of applications hosted on Kubernetes cluster.

  • You don’t want an attacker having access to dev or test environments, ultimately gaining access to prod environment.

  • To prevent this, we can isolate the environments.

Namespace Separation

  • By Creating separate namespaces, we can contain the attack to the dev namespace, preventing the attacker from accessing the test or prod environments.

  • So now any issues in the dev are contained within the dev namespace, protecting test and prod.

  • Namespaces also helps in managing resources for multiple teams or environments, known as multi-tenancy.

  • In a multi-tenant setup, different teams or projects can use the same cluster, without interfering with each other and each team or project gets its own namespace.

Network Policies

  • Now that we have separated the namespaces, we need to control the communication between these components using Network Policy.

  • Network Policy allow us to define rules that specify which components can talk to each other.

  • By default, Kubernetes pods are non-isolated; they accept traffic from any source.

  • Network policies are used to enforce traffic rules between pods within a namespace or between different namespaces.

Role Based Access Control (RBAC)

  • RBAC is a method of regulating access to computer or network resources based on the roles of individual users.

  • In Kubernetes, RBAC policies are crucial for controlling who can access the Kubernetes API and what actions they can perform on resources.

  • Additionally, in a multi-tenant setup, role-based access controls ensures that each team can only access their own resources.

Resource Quotas and Limits

  • Resource quotas and limits ensures that each component gets a fair share of resources and prevents any single component from monopolizing the cluster resources.

  • The resource quota is the total available resources for a particular namespace, while limit range is used to assign limits for containers running inside the namespace.

  • They are also helpful in a multi-tenant environment to ensure that there’s fair usage among different teams or projects and each team’s namespace can have its own quota preventing one team from monopolizing cluster resources of others.

Security Contexts

  • Containers typically runs as a root user otherwise specified.

  • If an attacker gains access to a container with root privileges, they may be able to exploit vulnerabilities to affect the host or even the container.

  • Security Context in Kubernetes allows us to specify security settings like enforcing a non-root user for pods and containers.

  • Running a container as a non-root user limits what an attacker can do, even if they gain access, thereby reducing the potential impact.

Summary

  1. Isolation is the key in multi-tenant Kubernetes environments.

  2. Use namespaces to isolate application components securely.

  3. Implement network policies to control inter-component communication.

  4. Apply RBAC to restrict access and prevent unauthorized changes.

  5. Set resource quotas and limits to prevent resource monopolization.

  6. Use security contexts to run containers as non-root users.

Artifact Repository and Image Security

Image Security

Vulnerabilities

  • Docker images with the latest tag from Docker Hub are popular and easy to pull, they are not always safe.

  • For instance, the latest tag does not necessarily mean it's the most recently updated or secured version. It's just a tag that image maintainers can arbitrarily assign to any version of their image.

Vulnerability Scanning Tools

  • Trivy and Clair:

    • These tools scan the container images, including the base image and added layers, for known vulnerabilities.

    • The scans uncover multiple security issues stemming from the initial base image choice, highlighting the importance of selecting secure, trusted images.

Minimal Base Image

  • To address the identified vulnerabilities and enhance the application's security, it is recommended to use an official, minimal base image from a reputable source like Ubuntu or Alpine Linux known for regular updates and security scans.

  • This base images, being widely recognized and trusted, significantly reduces the risk of vulnerabilities.

Digital Signatures

  • By using digital signatures for image signing, we can ensure that the images are genuine and unchanged, adding an extra layer of security since any alterations to the images become instantly noticeable.

Artifact Repository

Build Artifact

  • In software development, build artifacts are what you get after the build process finishes.

  • This includes things like compiled code, packages, WAR files, logs, reports, and importantly, container images.

  • Container images are a key kind of artifact because they wrap up the application and everything it needs to run, making them essential for deploying applications.

  • Recognizing the importance of securely managing these artifacts, including container images, introduces the need for an artifact repository.

Artifact Repository

  • An artifact repository serves as a centralized storage and management solution for all types of artifacts.

  • It's an essential component in the Continuous Integration/Continuous Deployment (CI/CD) pipeline, facilitating the efficient sharing and distribution of software packages.

  • We can use Docker Hub but it lacks some of important features like:

    • A more sophisticated access control to ensure that only certain team members can update or access their container images, preventing unauthorized changes.

    • Aa way to automatically scan the images for vulnerabilities as part of their storage solution.

  • Popular Artifact Repository that solves the Docker Hub problem:

    • Nexus Repository

    • GitHub Packages

    • JFrog Artifactory

JFrog Artifactory

  • JFrog Artifactory provides a comprehensive suite of tools designed to streamline artifact management.

  • The great feature of JFrog Artifactory is its ability to continuously check stored images for any security weaknesses by integrating with security scanning tools.

Summary

  1. Choose trusted base images to avoid security vulnerabilities.

  2. Use vulnerability scanning tools like Trivy and Clair regularly.

  3. Manage artifacts securely with repositories like JFrog Artifactory or Nexus.

  4. Adopt digital signatures to ensure container image integrity.

Workload and Application Code Security

SQL Injection Attacks

  • Say you write a query to validate a username and password on a login form.

  • Without proper coding best practices in place, if an attacker inputs a partial SQL query as a username, it modifies underlying query this way potentially logging the attacker in without a valid username and password.

  • To address such issues, static code analysis tools like Resharper, SonarQube, Veracode, Codacy, etc., can help identify potential security vulnerabilities, including SQL injection risks, early in the development process.

  • These tools scan your codebase for patterns and practices that may lead to vulnerabilities, such as insecure handling of database queries, and flag them for remediation.

Third Party Dependencies

  • Another area to keep in mind is the third-party dependencies we use in our codebase. They maybe vulnerable to attacks.

  • We can mitigate this by using tools like OWASP dependency tracking and vulnerability scanning.

  • When OWASP Dependency-Check scans the code, it identifies each third-party library (e.g., Flask, requests, SQL Alchemy, Pandas, and Jinja2) along with their versions, then performs a Vulnerability Matching against Aa list of identified vulnerabilities with severity ratings CVSS scores and shares a report would list each library, its version, and any associated vulnerabilities.

Realtime Security Monitoring

  • Unlike static scans, ASM (Application Security Management) tools like Datadog provides real-time monitoring and can detect exploit attempts dynamically as they happen, regardless of whether the vulnerability was known beforehand.

  • It alerts teams to unusual behaviour or exploitation patterns, enabling faster responses and minimizing risk in production environments.

Performance Challenges

  • Another area of focus is understanding how your application's code interacts with the underlying system.

  • You may have a scenario where certain processes or parts of your application code are utilizing the underlying resources more than expected. In such cases gaining insights into containerized environments is essential.

  • This is where tools like Sysdig comes in as a solution.

  • Sysdig provides deep visibility into containerized environments, allowing you to monitor resource usage, detect anomalies, and troubleshoot issues in real time.

  • With Sysdig, you can quickly pinpoint which container or process is causing high CPU or memory usage, track down problematic workloads, and even inspect live system calls.

  • By offering real-time insights into both application and infrastructure layers, Sysdig helps ensure optimal performance and security across your containerized environments.

kcsaKubernetes