K8s and Cloud Security: Compliance Just Ain’t Enough

Over just two years, breaches caused by cloud misconfigurations exposed 33.5 billion records and generated an estimated $5 trillion in damages. Amid rising cyberattacks and novel vulnerabilities, overlooking cloud and K8s security is simply not an option. But is merely meeting compliance requirements enough?

“Many companies that have been hacked in the last year were compliant,” says Vladi Sandler, a former white-hat hacker and the CEO of cloud security company Lightspin. As standard compliances and regulations only address known threats, they will always lag behind zero-day exploits. In reality, daily code pushes and new tooling dependencies are constantly exposing unforeseen doorways to systems, putting businesses at risk.

Insecure systems present an existential threat. Yet avoiding unknown risks is difficult, making plugging vulnerabilities a never-ending game of whack-a-mole. I recently met with Sandler to discuss what companies miss and what attackers keep exploiting. In a nutshell, cloud and Kubernetes (K8s) environments continue to suffer from exploits of over-permissive access caused by misconfigurations. Better common vulnerabilities and exposures (CVE) scanning, less-noisy alerting systems and raising standard benchmarks above the minimum requirements could be key to mitigating these issues.

Top Threats for Kubernetes, Cloud Infrastructure

Securing K8s and cloud computing environments is tricky, complicated by the fact that most organizations lack unified visibility into their holdings. Throughout his work, Sandler repeatedly notices improperly-secured Amazon cloud instances as a common problem. Leaky S3 buckets are a widespread vulnerability — for example, a leaky AWS S3 bucket recently exposed millions of Prestige Software customer records.

Computing environments accidentally left in the open are an all-too-common threat. For example, a hacker recently stole data from more than 100 million Capital One credit applications by exploiting an EC2 instance with an overly-permissive IAM role. Misconfiguration caused by an improper implementation is a widespread concern, says Sandler, and can quickly lead to privilege escalation. Many examples of unfortunate misconfigurations have been found involving Elasticsearch, S3 buckets, MongoDB databases and cloud environments from AWS and Azure to GCP.

Say a load balancer was exposed accidentally: any IP addresses behind it that were open would be exposed as well. Or, a misconfigured API gateway could cause privilege escalation. By exploiting cloud infrastructure access, attackers could download sensitive data, cryptojack servers and wreak other coordinated havoc.

Regarding Kubernetes, Sandler notes three pervasive problems:

  • Lack of understanding around infrastructure: Many companies don’t realize they’re running their platform on infrastructure, which itself can be a target. With access to a container or pod, attackers could find objects and exploit the underlying infrastructure itself.
  • RBAC issues: Managing permissions at scale is a common pain point, especially as companies adopt a vast ecosystem of third-party open source technologies. “Organizations don’t always know how to manage permissions of open source,” says Sandler. “This can lead to cluster takeover.”
  • Over-permissive credentials: Overexposing credentials could enable hackers to leave K8s and access other environments, like Salesforce, which may represent the heart of the organization, says Sandler.
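The RBAC point above is easiest to see in the rules themselves. The following is an added example (not code from the article or from Lightspin) that audits the `rules` list of a Kubernetes Role/ClusterRole for the patterns that most often lead to the cluster takeover Sandler describes: wildcard verbs or resources, escalation verbs, and verb/resource pairs such as reading secrets or exec into pods. The two sample rule sets and the lists of risky verbs and pairs are constructed for illustration and are not from the page.

```python
from typing import Dict, List

# Verbs that let a subject grant itself or others rights it does not hold.
ESCALATION_VERBS = {"bind", "escalate", "impersonate"}
# Resource/verb pairs that commonly turn a pod foothold into cluster takeover:
# reading secrets, exec into pods, scheduling pods, or minting new bindings.
SENSITIVE_PAIRS = {
    ("secrets", "get"), ("secrets", "list"), ("pods/exec", "create"),
    ("pods", "create"), ("clusterrolebindings", "create"),
    ("rolebindings", "create"), ("nodes/proxy", "get"),
}


def audit_rules(rules: List[Dict]) -> List[str]:
    """Return one finding per risky aspect of each rule; empty list means clean."""
    findings = []
    for i, rule in enumerate(rules):
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        if "*" in verbs and "*" in resources:
            findings.append(f"rule {i}: '*' verbs on '*' resources (cluster-admin equivalent)")
            continue  # nothing more specific left to say
        if "*" in verbs:
            findings.append(f"rule {i}: wildcard verbs on {sorted(resources)}")
        if "*" in resources:
            findings.append(f"rule {i}: wildcard resources for verbs {sorted(verbs)}")
        esc = verbs & ESCALATION_VERBS
        if esc:
            findings.append(f"rule {i}: escalation verbs {sorted(esc)}")
        for res in sorted(resources):
            for pair_res, pair_verb in sorted(SENSITIVE_PAIRS):
                if pair_res == res and (pair_verb in verbs or "*" in verbs):
                    findings.append(f"rule {i}: '{pair_verb}' on '{res}' is a common takeover path")
    return findings


# Constructed sample: a Role copied from a third-party chart without review.
OVER_PERMISSIVE_RULES = [
    {"apiGroups": [""], "resources": ["pods", "secrets"], "verbs": ["*"]},
    {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["rolebindings"],
     "verbs": ["create", "bind"]},
]
# Constructed sample: the least-privilege rules a log-reading sidecar needs.
LEAST_PRIVILEGE_RULES = [
    {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]},
]

if __name__ == "__main__":
    for name, rules in (("over-permissive", OVER_PERMISSIVE_RULES),
                        ("least-privilege", LEAST_PRIVILEGE_RULES)):
        print(name, audit_rules(rules) or ["clean"])
```

In practice the `rules` lists would come from `kubectl get clusterroles,roles -A -o json`; the checker deliberately reports every risky aspect of a rule rather than stopping at the first, so reviewers see the full blast radius of one manifest.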

Lacking Security Context

In addition to the threats themselves, other problems affect how teams address security. Sandler notes that IT security teams commonly suffer from a slew of false positives. Average monitoring practices severely lack helpful context.

Say, for example, you have a server exposed to the internet. If you’re running a test server without data and encountering vulnerability errors, it’s a false positive. However, if it has an exploitable vulnerability that could be leveraged to control the server and allow full permissions to the database, now you have a problem. Sandler believes security analysis should provide better context that highlights these more critical situations.

There is also the issue of a lack of skilled security engineers. “Since more and more companies are doing aggressive deployment, teams really have more complexity in handling patching, and over-permissive roles,” says Sandler. Not all companies have the resources of Netflix, he adds. Most are “starving for experts” when it comes to vulnerability detection and remediation.

Mitigating Kubernetes Threats

Sandler shared some ways to mitigate some of these issues:

  1. Leverage open source tools that track CVEs. There are open source Kubernetes vulnerability scanners like Kube-Bench or Kube-hunter. These projects can take a snapshot of your service to scan against CVE databases. Sandler recommends Red Kube, a cheat sheet based on kubectl commands, and Red-Detector, a resource that scans EC2 instances for vulnerabilities.
  2. Reduce the number of notifications to high-priority. Security analysis tools often create a ton of noise and produce too many false positives, Sandler says. To avoid notification burnout, customize your security monitoring systems to communicate the correct information level, with the most pertinent events prioritized.
  3. DevSecOps-as-a-Service. It isn’t easy developing greenfield access control and identity management systems. Sandler recommends using third-party tools to solve the permissions problem and help avoid privilege escalation.

Other experts I’ve met with agree security must shift left in the development process, involving things like automated container analysis within the CI/CD pipeline, penetration testing, chaos engineering and improved API security.

Going Beyond Compliance

According to Sandler, being PCI- or GDPR-compliant is not enough: merely adhering to standard compliance benchmarks will not thwart every attack vector. Instead, Sandler recommends an offensive security approach: “When you think like an attacker, it’s different than compliance,” he says. Mapping critical points, increasing visibility and reducing alert fatigue are some actions you can take to prevent threats.

Bill Doerrfeld

Bill Doerrfeld is a tech journalist and analyst. His beat is cloud technologies, specifically the web API economy. He began researching APIs as an Associate Editor at ProgrammableWeb, and since 2015 has been the Editor at Nordic APIs, a high-impact blog on API strategy for providers. He loves discovering new trends, interviewing key contributors, and researching new technology. He also gets out into the world to speak occasionally.
