Sysdig Dives Deeper into Kubernetes Security

Sysdig has added to its platform for securing Kubernetes support for the Pod Security Policies (PSP) native to Kubernetes and tools for managing incident response and conducting audits.

In addition, Sysdig has added Kubernetes Policy Advisor to help organizations define cybersecurity policies; Falco Tuning, which optimizes an open source container security runtime; and Activity Audit, an incident response and auditing tool. Falco was developed by Sysdig and currently is a sandbox project within the Cloud Native Computing Foundation (CNCF).

Pawan Shankar, senior product marketing manager at Sysdig, says Sysdig Secure 3.0 is the first security platform to take advantage of the native PSP capabilities in Kubernetes to ensure security at runtime. Sysdig Secure defines the policies that are then enforced by Kubernetes in a way that has the most minimal impact on performance, says Shankar.

At the same time, Shankar says Sysdig Secure 3.0 now provides the first combined incident response and audit tool for Kubernetes, providing IT teams with the ability to reconstruct historical system activity.

The goal is to provide a single platform through which IT teams can detect vulnerabilities and misconfigurations during the build phase, block threats at runtime and provide incident response, forensics and auditing capabilities, says Shankar. That approach, he notes, will make it feasible for IT organizations to secure Kubernetes environments at scale.

A recent report based on a five-day scan conducted by Sysdig found 40% of organizations are using container images from public sources, with more than half (52%) containing known vulnerabilities. More troubling still, the report also notes most customers have set images to run at root, largely because that’s the default setting.

Having the confidence to secure Kubernetes at scale is critical because many organizations will be reluctant to deploy Kubernetes unless they know they can secure Kubernetes clusters on an end-to-end basis, adds Shankar.

In general, Shankar says it’s only a matter of time before organizations that adopt Kubernetes also begin to employ best DevSecOps processes. Scanning for vulnerabilities should be a natural extension of any DevOps pipeline, he says.

The biggest challenge when it comes to DevSecOps, of course, is establishing the separation of duties between DevOps and cybersecurity teams. DevOps teams mostly will be responsible for implementing ty controls defined by the cybersecurity team. However, the cybersecurity team will still need to verify those controls have been put into place. The adoption of a new platform such as Kubernetes presents the opportunity to employ DevSecOps processes in a greenfield environment without having to overcome as many existing cultural biases.

Of course, when it comes to container security, these days there is no shortage of options. The important thing for IT organizations to remember is to address cybersecurity issues when Kubernetes is first adopted. Otherwise, Kubernetes is just going to be another new platform for which cybersecurity gets treated as an afterthought. Unfortunately, most cybersecurity professionals are already all too familiar with how costly that approach can be.

Mike Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.

Mike Vizard has 1382 posts and counting. See all posts by Mike Vizard