Accurics today added Kubernetes support to Terrascan, a tool that scans infrastructure configurations for security misconfigurations as well as indicators of drift, and surfaces a threat model for application workloads. Once that model is surfaced, Terrascan also provides a “time machine” capability that identifies the last known good security settings for a Kubernetes cluster.
Built on the same tool the company provides for securing cloud infrastructure, the latest edition adds support for Kubernetes resources defined in YAML and JSON. Subsequent iterations of the platform will also add support for Kubernetes clusters provisioned with tools such as Terraform.
Cesar Rodriguez, head of developer advocacy at Accurics, says now that Kubernetes has emerged as the dominant infrastructure abstraction for deploying cloud-native applications based on containers, the need to scan Kubernetes environments has become more apparent. Kubernetes is a complex platform that can be easily misconfigured, he notes.
In some cases, developers have been known to deploy Kubernetes using default settings that are fundamentally insecure, he adds.
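As an added illustration of the kind of checks a configuration scanner applies to a Kubernetes workload, and not Terrascan's own code or rule set: the Python below parses a workload manifest in JSON (one of the two formats the release supports) and flags settings that rely on Kubernetes' permissive defaults, such as a container that never opts out of privilege escalation or a pod that is allowed to run as root. The two manifests, the rule identifiers and the set of fields checked are constructed for this example.

```python
import json

# Constructed sample, not taken from the page: a Deployment that leans on
# Kubernetes' permissive defaults and on explicit privileged settings.
INSECURE_MANIFEST = json.dumps({
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "web", "namespace": "default"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "web",
            "image": "nginx",  # untagged: resolves to a floating :latest
            "securityContext": {"privileged": True},
        }],
    }}},
})

# Constructed sample: the same workload with the settings a reviewer would expect.
HARDENED_MANIFEST = json.dumps({
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "web", "namespace": "web"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{
            "name": "web",
            "image": "nginx:1.25.3",
            "securityContext": {
                "privileged": False,
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
        }],
    }}},
})


def pod_spec(manifest):
    """Return the PodSpec of a Pod or of a template-bearing controller
    (Deployment, StatefulSet, DaemonSet, Job)."""
    if manifest.get("kind") == "Pod":
        return manifest["spec"]
    return manifest["spec"]["template"]["spec"]


def image_is_pinned(image):
    """True when the image reference carries a digest or a non-latest tag."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]  # drop registry/repository path
    return ":" in last and not last.endswith(":latest")


def check_manifest(text):
    """Scan one JSON manifest; return sorted (rule_id, location) findings.
    Rule identifiers are this example's own, not a scanner's policy names."""
    spec = pod_spec(json.loads(text))
    findings = []
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            findings.append((f"{field}-enabled", f"spec.{field}"))
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        loc = f"container:{c['name']}"
        # Container-level securityContext overrides the pod-level one.
        sc = {**pod_sc, **c.get("securityContext", {})}
        if sc.get("privileged"):
            findings.append(("privileged-container", loc))
        if sc.get("allowPrivilegeEscalation", True):  # API default is true
            findings.append(("privilege-escalation-allowed", loc))
        if not sc.get("runAsNonRoot"):  # unset: the image may run as uid 0
            findings.append(("root-user-allowed", loc))
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(("capabilities-not-dropped", loc))
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(("writable-root-filesystem", loc))
        if not image_is_pinned(c.get("image", "")):
            findings.append(("unpinned-image", loc))
        if not c.get("resources", {}).get("limits"):
            findings.append(("no-resource-limits", loc))
    return sorted(findings)


def rule_ids(text):
    """Distinct rule identifiers that fired for one manifest."""
    return sorted({rule for rule, _ in check_manifest(text)})


if __name__ == "__main__":
    for name, m in (("insecure", INSECURE_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(f"{name}: {len(check_manifest(m))} finding(s)")
        for rule, loc in check_manifest(m):
            print(f"  {rule:32} {loc}")
```

Most of the findings on the first manifest come from fields that are simply absent, which is the point of the "insecure defaults" remark above: a manifest that says nothing about privilege escalation, the user ID or capabilities gets the permissive behaviour, so a scanner has to treat a missing field as a finding rather than only look for explicitly dangerous values.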
Most organizations are only now starting to provide DevOps teams with the tools required to implement and manage security policies as part of their workflows. Those DevSecOps processes need to span both the containers being deployed and the infrastructure on which they depend.
Terrascan analyzes vulnerability feeds, identity and access management (IAM) privileges and other data to detect potential security issues. That analysis can then be shared with third-party DevOps platforms and security tools to roll settings back to their last known approved state. The Accurics analysis also surfaces violations of common compliance and cybersecurity practices based on Service Organization Control (SOC) 2, the General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), International Organization for Standardization (ISO) standards, the Center for Internet Security (CIS) Benchmarks, Amazon Web Services (AWS) best practices and the AWS Well-Architected Framework.
Once the model is constructed, Accurics monitors the application workload for changes that introduce risk. It generates a topology for each workload in real time to identify any indicators of drift away from the initial deployment settings. If the drift is due to a legitimate change, the code can be updated to match it. If it introduces risk, IT teams can roll settings back to the last known secure posture using the “time machine” capability built into the platform.
A recent report based on an analysis conducted by Accurics finds that, even once discovered, only 4% of security issues reported in cloud production environments are addressed. With Kubernetes now being employed to drive hybrid cloud deployments, the opportunity for misconfigurations that compromise security in both on-premises and cloud environments is significant. In fact, the report notes that 90% of organizations allow privileged users to make configuration changes directly to cloud infrastructure after it is deployed. Issues such as open security groups, overly permissive identity and access management (IAM) policies and exposed cloud storage services make up 67% of the most common cloud security issues uncovered, according to the report.
Of course, it may be a while before DevOps and cybersecurity teams are able to converge their workflows around a common set of DevSecOps processes. However, the more tools become available to drive that convergence, the easier that goal becomes to achieve.