Secure Kubernetes Workloads with the Right Storage Solution
New holes emerge as enterprises embrace containers
Increasingly, corporations are in the data business: they collect more of it, they rely on it to make key decisions, and it essentially drives the business. However, they are not good at protecting it. Why? Most data analytic applications are built on modern architectures, like containers and Kubernetes, and few organizations currently have the expertise and storage solutions needed to safeguard them. Make no mistake, the criminals are coming after your information. In fact, it was predicted that cybercrime would inflict damages totaling $6 trillion USD globally in 2021, according to Cybersecurity Ventures.
No doubt that companies collect and leverage more data than ever before. The collective sum of the world’s data is expected to grow from 33 zettabytes in 2018 to 175ZB by 2025, a Compounded Annual Growth Rate (CAGR) of 61%, according to International Data Corp. (IDC).
Companies want to do more than gather information. They want to correlate data, glean insights, and improve their business. New data analytic applications are being built on modern container platforms and managed by Kubernetes. Yet in most instances, corporations do a poor job of protecting their information and Kubernetes security breaches seem to keep increasing.
An Insecure Foundation
Kubernetes was not built from the ground up to secure information. Instead, it was designed to maximize computer resources while minimizing the work needed to manage containers, which it does very well. But its infrastructure is often shared by multiple teams or divisions, which provides hackers with many possible entryways. Securing Kubernetes is a multi-pronged task, and a key element revolves around securing where information is housed: the corporate storage system.
Every organization tries to build a strong perimeter to thwart intruders, but most fail. Security best practices start with the acknowledgment that your systems have been compromised both inside and outside the perimeter. Once in, the bad guys try to worm their way to the top of the privilege list, so they have free rein and can spread their malware pervasively.
As a result, companies must treat their network, storage systems, servers, media, and even their system administrators as untrusted resources. In essence, data needs to be protected 24/7, from the moment it is generated, as it moves from place to place, and even as it sits at rest.
Encryption is Needed End to End
The first, and most important, line of defense for your storage containers is end-to-end data encryption. Corporations require solutions that encrypt all data before it leaves the machine where it is generated, written, or read. Enterprises cannot count pennies when choosing their encryption options. Criminals do not scrimp on time or money: they work around the clock, investing whatever is needed to break into your systems. So, you need top-of-the-line encryption, AES-XTS 256, rather than older, less expensive, less effective approaches.
Organizations must also recognize that, with much of their information traveling across the Internet, they need more than encryption of data at rest. Transport Layer Security (TLS) protects data in motion by encrypting it on the wire. However, the information is decrypted once it reaches its endpoint. So, you require an additional layer of security, for example for the communication between your storage clients and servers.
Next, you must limit access to your storage systems. Traditional storage solutions, like Network File System (NFS), often rely on IP filters, which seemed like a good idea when they were introduced years ago. But today, this approach is a horrible idea because nodes are used by many users, none of whom you can trust.
Adding X.509 certificates and Access Keys puts another needed check in place, so you are sure that only authorized users and hosts talk to your storage system. With X.509 certificates, each component (clients and servers) authenticates and communicates with each other via a TLS handshake. Anyone without a valid certificate is rejected. So even if an attacker compromises the network, they won’t be able to access the data sitting in your storage system.
Close a Shared Storage Security Hole
Another potential problem arises when your nodes run workloads from many users and different parts of your organization. A layer of protection on the node itself is needed. Traditionally, the operating system and directory services established users and groups and granted them different levels of privileges. Unfortunately, containers do not offer similar functionality. The IDs connected to container I/O operations can come from anyone and do anything, thus opening up another potential hole for hackers to climb through.
Implementing S3 access keys on your file system ensures that only authorized users have access to storage functions on a node. No overhead is created. Users rely on the same credentials for S3 as those used to access their persistent volumes. Each persistent volume claim served by Quobyte’s Container Storage Interface (CSI) plugin includes the user’s Access Key and Secret Key. Based on these credentials, the system ensures that only authorized individuals access the volume.
Quobyte goes even further and automatically maps all storage IO from the container onto the user’s user or group ID for the file system. This step makes file system access control usable in container contexts. The end result is your Access Control Lists control data sharing among different users, groups, and units in your organization.
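The following manifests are an added example, not Quobyte’s documentation, of how per-volume credentials are carried into a CSI-backed persistent volume claim instead of trusting a node’s IP address. The provisioner name `csi.quobyte.com` and the Secret key names `accessKey`/`secretKey` are assumptions; the `csi.storage.k8s.io/*` parameters are the standard Kubernetes CSI secret references, and the credential values are placeholders.

```yaml
# Constructed example (not Quobyte documentation): credentials per volume via
# CSI secrets. Secret key names and provisioner name are assumptions.
apiVersion: v1
kind: Secret
metadata:
  name: analytics-storage-creds
type: Opaque
stringData:
  accessKey: "ACCESS-KEY-PLACEHOLDER"   # placeholder, not a real credential
  secretKey: "SECRET-KEY-PLACEHOLDER"   # placeholder, not a real credential
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: quobyte-analytics
provisioner: csi.quobyte.com   # assumed driver name
parameters:
  csi.storage.k8s.io/provisioner-secret-name: analytics-storage-creds
  csi.storage.k8s.io/provisioner-secret-namespace: default
  csi.storage.k8s.io/node-publish-secret-name: analytics-storage-creds
  csi.storage.k8s.io/node-publish-secret-namespace: default
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: analytics-data
spec:
  storageClassName: quobyte-analytics
  accessModes: [ReadWriteMany]
  resources:
    requests:
      storage: 100Gi
---
apiVersion: v1
kind: Pod
metadata:
  name: analytics-job
spec:
  securityContext:
    runAsNonRoot: true   # keep the workload itself unprivileged
  containers:
    - name: job
      image: registry.example/analytics-job:1.0   # placeholder image
      volumeMounts:
        - name: data
          mountPath: /data
  volumes:
    - name: data
      persistentVolumeClaim:
        claimName: analytics-data
```

Because the Secret is referenced by name and namespace, a workload in another namespace cannot reuse these credentials, and rotating the key means updating one Secret rather than reconfiguring an IP allow-list on the storage servers.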
The Quobyte Difference
So, there is much to ponder when you examine Kubernetes security. You need a storage system that provides a high level of security. The Quobyte storage system features robust functionality:
- Compatible with LDAP, Active Directory and OpenStack Keystone, so it seamlessly integrates with existing enterprise directory services for user authentication and supports Windows, macOS, Linux, and POSIX systems
- Kafka logs metadata, data access, and change events, creating a record of who accessed what file when, for audits, security analysis, and data forensics
- Simple to deploy, software-defined storage and management policies enforce security best practices
- TLS encrypts data as it moves both between clients and servers and among servers, even when running multiple clusters in different data centers or hybrid clouds
- The flexibility to choose between built-in or external key management
- Integrated access control, so X.509 certificates and access keys authenticate users and limit their actions
- Mitigation of insider threats by preventing privilege escalation
- Support for IP network filters adds granular security functionality
Security is of paramount importance to enterprises. As they extend their container applications, businesses need to protect their confidential information. Currently, Kubernetes opens storage system holes that hackers can exploit. Quobyte closes them tightly and protects enterprise data.
Originally posted on Quobyte’s blog on April 18, 2022.