Leveraging DevOps processes, technologies and tools as the means to accelerate business value, experiment with new ideas and bring them to market has become mainstream within organizations. Cloud native technologies such as containers, Kubernetes (container orchestrator), service meshes, etc. are seeing increased adoption as enablers for DevOps. With enterprise-level adoption of cloud native technologies increasing, many aspects of these technologies are now coming under scrutiny.
At Thales, we too are going through the process of understanding and addressing the security implications of leveraging these technologies as we embark on our application modernization journey. Meanwhile, discussions with our external customers undergoing the same process have revealed some common security needs. As cloud native security can be a very broad topic, we’ll just focus on emerging requirements around two specific areas: Cloud Native Infrastructure Security and Container Software Supply Chain Security.
Cloud-Native Infra Security
DevOps is characterized by the velocity and scale of service development and deployment. This has introduced challenges in securing workload identities, as services are deployed more frequently and are scaled up/down to meet demand. In addition, with applications being re-written as many smaller services interacting with each other, there is a growing need to manage the secrets/credentials these services use to access other services/resources. As both workload identities and secrets are integral to the overall security of the solution, let’s focus on some trends around securing these highly sensitive assets.
Similar to workload deployments in virtualized environments, cloud-native workloads also rely on Public Key Infrastructure (PKI) for their identity. In the initial phases of adoption by the developer community, built-in Certificate Authority (CA) capabilities of cloud-native technologies were used. But as enterprises plan to move these workloads into production, challenges like meeting requirements around certificate policies, centralized visibility, management and securing sensitive crypto keys came to the forefront. This has led to an increase in demand for certificate issuance and/or management solutions for cloud-native technologies like Kubernetes, Istio service mesh, etc. As a result, integration of certificate issuance and/or management solutions with Kubernetes and Istio CA has gained momentum.
Certificate issuance/management solutions in turn rely on Hardware Security Modules (HSMs) as a Root of Trust which underpins the security of the overall solution to securely generate and/or store sensitive cryptographic material. Hence, there have been increased integrations with both on-premises and cloud-based HSMs and these certificate issuance/management solutions to provide an enterprise-grade solution for managing cloud-native workload identities.
Kubernetes secrets management is another use case which is increasingly being reviewed by security organizations within enterprises. Kubernetes secrets allow users to store and manage sensitive information, such as passwords, docker registry credentials, and TLS keys, using the Kubernetes API. Kubernetes stores all secret object data within etcd (its key-value store). While etcd data can be encrypted at the disk level, there is increased interest in customer owned/managed keys for Kubernetes secrets encryption (also referred to as envelope or application-level encryption), so that secrets are encrypted before they are written to etcd rather than relying on disk encryption alone. Depending on the Kubernetes software/service provider and the underlying infrastructure of the Kubernetes deployment, the choices for key management range from cloud-based HSM or key management services to physical HSMs. It’s anticipated that support for customer ownership of the keys used for Kubernetes secrets encryption will become more widespread among Kubernetes software and service providers. Leveraging third-party secrets management solutions for Kubernetes workloads is also an option. Irrespective of the choice, HSMs (cloud-based or on premises) are seen as the logical choice to provide the underlying Root of Trust as part of a defense-in-depth strategy.
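As an added illustration (not from the original post or any particular provider), the envelope encryption described above is configured on the Kubernetes API server through an EncryptionConfiguration resource. The weak form lists only the identity provider, which stores secrets in etcd as plaintext; the corrected form puts a KMS provider first, so the API server asks an external key service (backed by an HSM or cloud KMS) to wrap the per-object data encryption key. The plugin name and socket path are assumed placeholders.

```yaml
# Weak setting: the identity provider performs no encryption, so every
# Secret object is written to etcd exactly as submitted.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - identity: {}
---
# Corrected setting: the first provider is used for writes, so new and
# rewritten Secrets are envelope-encrypted via the external KMS plugin.
# Keeping identity last lets the API server still READ any legacy
# plaintext entries until they have been rewritten (e.g. with
# `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`).
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - kms:
          apiVersion: v2
          # Assumed placeholder: name of the KMS plugin that fronts the
          # customer-owned key in an HSM / cloud key management service.
          name: example-hsm-kms-plugin
          # Assumed placeholder: Unix socket exposed by that plugin on the
          # control-plane node, passed to the API server via
          # --encryption-provider-config.
          endpoint: unix:///var/run/kmsplugin/socket.sock
          timeout: 3s
      - identity: {}
```

After applying the corrected configuration and rewriting existing secrets, a raw etcd read of a Secret key should show a value starting with the `k8s:enc:kms:v2:` prefix instead of readable data; if plaintext is still visible, the object was not rewritten or the provider order is wrong.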
For the above two use cases, the use of confidential computing technology such as secure enclaves in cloud-based environments also comes up from time to time, though this technology is still in the early adopter stage.
Container Software Supply Chain Security
Another emerging trend related to increasing adoption of containers and Kubernetes is the security of the container software supply chain for automated deployment and delivery. Securing the software supply chain is driven by ISVs looking to assure their customers of the integrity of the published software, while automating release and deployment of applications/services in a secure manner across internal development/test/production teams. There is an increasing awareness that the existing mechanisms (notably Notary v1 based on The Update Framework) for distribution of signed container images and additional OCI artifacts such as Helm, Singularity and Cloud Native Application Bundle (CNAB) need to evolve to improve usability. Furthermore, given the increasing number of container registry vendors there is a need to ensure interoperability for container artifact signing across the providers for broader adoption. An open source CNCF project has been kicked off to address these challenges. One of the main areas identified as part of this open source initiative is around usability with respect to key management.
What does all this mean?
As the adoption of cloud-native technologies expands beyond proof of concept, many security-related aspects will evolve to satisfy enterprise security requirements. So, keep tracking these evolutions and cloud native ecosystem integrations to deploy solutions with enterprise grade security. Meanwhile, leveraging integrations between certificate issuance, certificate management and HSM/CloudHSM/key management solution providers to secure highly sensitive assets like workload identities and Kubernetes secrets could help achieve security goals without slowing down the application modernization effort.
Also join us as we discuss other cloud native security solutions and trends in a series of Tech Talks with RedHat, starting with: Securing Openshift Container based Application Development.