Kubernetes: the whale in the room

· 3 MIN READ · DAN WHALEN · OCT 20, 2022 · TAGS: Cloud security

Why you should be thinking about Kubernetes security now

This may come as a bit of a surprise but … you’re probably already using Kubernetes. Whoa – who knew?

At a minimum, your engineers are thinking about it. In fact, at the moment, more than half of our cloud customer base uses Kubernetes (aka k8s) and we expect adoption to continue trending upward.

Kubernetes adoption is fueled by much more than hype. Organizations are starting to explore and reap the benefits of container orchestration technology, which include:

  • Shipping software faster
  • Cost savings from elastic infrastructure that scales on demand
  • Avoiding cloud platform lock-in

Security maturity tends to lag behind the tech adoption curve. That’s not to say organizations don’t want to secure their Kubernetes infrastructures, but forming a security strategy for new technology, where the risks and controls aren’t well understood, is tough. Engineers’ strong desire to employ Kubernetes, combined with the potential value proposition of Kubernetes for businesses, plus the fuzzy uncertainty of its associated risks…it all puts security teams in a tough spot. So we end up in an arguably predictable state: organizations are using Kubernetes (rightfully so) but they either haven’t thought much about their security strategy or are still struggling to figure it out.

Three reasons Kubernetes security is important now

Not convinced? Here are three reasons now is a good time to think about Kubernetes security.

1: Engineering teams are adopting Kubernetes blazingly fast

Maybe your engineers are experimenting with a Kubernetes cluster off to the side somewhere. That’s fine and dandy, but fast-forward to next year and you may find that a non-trivial amount of your business-critical infrastructure is running in k8s. In the words of the infamous Borg, “resistance is futile.”

Adoption brings a ton of positive benefits, but also introduces new and unfamiliar risks. If change is coming (and it’s surely coming), it’s a good idea to plan for it instead of being surprised by it.

2: Securing Kubernetes requires highly specialized expertise

Let’s say you’ve embarked on a mission to secure your Kubernetes clusters. Excellent! But if you’re running a security team you’ll face an immediate challenge: finding people who know how to do it. It’s 2022 and we’re still worried about the cybersecurity skills gap. It’s hard enough to build a general purpose security team. If you add Kubernetes as a preferred skillset, you’re going to have an even harder time finding candidates (because hint: they don’t exist). What does this mean for you? Don’t plan on finding people who can jump in and take the reins…plan on building the team yourself. This takes time, but it’s well worth your investment, and another reason to start sooner rather than later.

3: Beating baddies to the punch

In security, it feels like we’re always behind the curve. We await yearly threat reports with bated breath, scour the Twitterverse for the latest CVEs and 0-days, and rush to implement controls based on the CISO’s latest night terrors.

Kubernetes gives us a chance to get there first. By engaging with our engineering friends early and often, we can mitigate entire classes of risk with intentional design. Imagine we knew then what we do now about traditional infrastructure. Could we have avoided decades of stress and pain?

Moving the infrastructure to Kubernetes means attackers will follow out of necessity…but we still have time to make their lives more difficult (which is not only smart, it’s fun). It’s your infrastructure, your applications, you have an asymmetric advantage if you implement security controls and architectural design upfront.

What’s next?

There’s no time like the present to engage with your engineers and the Kubernetes community. If you’re just getting started, a ton of resources help you begin understanding how to manage risk in Kubernetes. For example:

At Expel, we aim to make Kubernetes security accessible via our Workbench™ platform and our absolutely badass team. We’ve been on this journey ourselves (our infrastructure is all in GKE) and we’re confident we can help other organizations along the path. Like yours. If you’re interested in hearing more about how we can help, contact us.