The race to secure Kubernetes at run time

For software developers who primarily build their applications as a set of microservices deployed using containers and orchestrated with Kubernetes, a whole new set of security considerations has emerged beyond the build phase.

Unlike hardening a cluster, protecting at run time in containerized environments needs to be dynamic: constantly scanning for unexpected behaviors within a container after it goes into production, such as connecting to an unexpected resource or opening a new network socket.

Although developers now tend to test earlier and more often—or shift left, as it’s commonly known—containers require holistic security throughout the entire life cycle and across disparate, often ephemeral environments.

“That makes things really challenging to secure,” Gartner analyst Arun Chandrasekaran told InfoWorld. “You can’t have manual processes here; you have to automate that environment to monitor and secure something that may only live for a few seconds. Reacting to things like that by sending an email is not a recipe that will work.”

In its 2019 white paper “BeyondProd: A new approach to cloud-native security,” Google laid out how “just as a perimeter security model no longer works for end users, it also no longer works for microservices,” where security must extend to “how code is changed and how user data in microservices is accessed.”

Where traditional security tools focused on either securing the network or the individual workloads, modern cloud-native environments require a more holistic approach than just securing the build. In that holistic approach, the host, network, and endpoints must be constantly monitored and secured against attacks. This typically ranges from dynamic identity management and access controls to network and registry security.

The runtime security imperative

Gartner’s Chandrasekaran identified four key aspects of cloud-native security:

  1. It still starts with securing the foundations by hardening clusters.
  2. But it then extends into securing the container runtime and ensuring sufficient monitoring and logging is in place.
  3. Next, the continuous delivery process needs to be secure, which means using trusted container images, secure Helm charts, and configurations that are constantly scanned for vulnerabilities. On top of this, privileged information needs to be secured by effectively managing secrets.
  4. Finally, the network layer must be secured, from Transport Layer Security (TLS) to the application code itself and any cloud security posture management that’s in place, by effectively setting the desired state and constantly looking for deviations from that state.

In a 2021 InfoWorld article, Karl-Heinz Prommer, technical architect at the German insurance company Munich Re, noted that “an effective Kubernetes security tool must be able to visualize and automatically verify the safety of all connections within the Kubernetes environment, and block all unexpected actions. … With these runtime protections, even if an attacker breaks into the Kubernetes environment and starts a malicious process, that process will be immediately and automatically blocked before wreaking havoc.”

Meet the runtime security startups

Naturally, the major cloud providers—Google Cloud, Amazon Web Services, and Microsoft Azure—are working hard to bake this kind of security into their managed Kubernetes services. “If we do it right, application developers shouldn’t have to do a lot of anything; it should be built into the platform for free,” Google VP Eric Brewer told InfoWorld.

That being said, even these cloud behemoths can’t possibly hope to secure this new world alone. “No single company can solve these problems,” Brewer said.

Now, a rapidly growing cohort of vendors, startups, and open source projects is emerging to try to close this gap. “There’s a growing ecosystem of startups in this space,” Chandrasekaran said. “Basic aspects of hardening the OS or securing the runtime are becoming a bit commoditized, and the major cloud providers offer this baked into the platform.”

The opportunity for startups and open source projects therefore tends to center on more advanced capabilities, like cloud workload protection, security posture management, and secrets management, often with “smart” machine-learning-powered alerting and remediation capabilities layered on top as a point of differentiation.

Take Deepfence, which was cofounded in 2017 by Sandeep Lahane, a software engineer who previously worked at FireEye and Juniper Networks. Deepfence focuses on what happens during run time by embedding a lightweight sensor into any microservice that can “measure your attack surface, like an MRA scan for your cloud assets,” Lahane told InfoWorld. Deepfence is in the business of “monetizing the cure for that pain, the runtime security to deploy targeted defenses,” he said.

Deepfence open-sourced its underlying ThreatMapper tool in October 2021. It scans, maps, and ranks application vulnerabilities regardless of where the application is running. Now, the startup is looking to build out its platform to cover the whole range of runtime security risks.

Sysdig is another emerging vendor in this space, having created the open source runtime security tool Falco.

Similar to ThreatMapper, Falco focuses on detection of unexpected behavior at run time. “Falco makes it easy to consume kernel events and enrich those events with information from Kubernetes and the rest of the cloud-native stack,” its GitHub page reads. “Falco has a rich set of security rules specifically built for Kubernetes, Linux, and cloud-native. If a rule is violated in a system, Falco will send an alert notifying the user of the violation and its severity.”
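To make the runtime detection described in this article concrete, here is an added example, written for this page rather than taken from the article, from Sysdig, or from Falco’s shipped ruleset, of two rules in Falco’s YAML rule syntax. The first covers the behavior named at the top of the article (a container opening a network connection to a destination it is not expected to talk to); the second covers the case Prommer raises (a process started inside a container that the image is not expected to run). The image name, the allowed CIDR ranges, and the expected process names are assumptions for a hypothetical “payments-api” workload and must be tuned per service.

```yaml
# Added example Falco rules; not part of Falco's default ruleset.
# Assumptions (hypothetical): the workload image is "example.registry/payments-api",
# it should only reach the CIDRs below, and it should only run the binaries below.

- list: payments_allowed_destinations
  items: ['"10.0.0.0/8"', '"172.16.0.0/12"']   # assumed in-cluster and VPC ranges

- list: payments_expected_processes
  items: [payments-api, node]                  # assumed binaries shipped in the image

# Scope both rules to containers (container.id != host) running the assumed image.
- macro: payments_container
  condition: container.id != host and container.image.repository = "example.registry/payments-api"

# "connecting to an unexpected resource or opening a new network socket":
# fire on a completed IPv4 connect() whose server network is outside the allow list.
- rule: Unexpected outbound connection from payments container
  desc: Outbound IPv4 connection from the payments image to a destination outside the allow list
  condition: >
    evt.type = connect and evt.dir = < and fd.typechar = 4
    and payments_container
    and not fd.snet in (payments_allowed_destinations)
  output: >
    Unexpected outbound connection from container
    (command=%proc.cmdline connection=%fd.name container=%container.name image=%container.image.repository)
  priority: WARNING
  tags: [network, container]

# An attacker who "starts a malicious process": fire on a completed execve()
# of any binary not on the image's expected list.
- rule: Unexpected process in payments container
  desc: A process not on the image's expected list was started inside the payments container
  condition: >
    evt.type = execve and evt.dir = <
    and payments_container
    and not proc.name in (payments_expected_processes)
  output: >
    Unexpected process started in container
    (user=%user.name command=%proc.cmdline parent=%proc.pname container=%container.name image=%container.image.repository)
  priority: WARNING
  tags: [process, container]
```

Load the file as an additional rules file (for example with Falco’s -r flag) and watch the alerts for a few days before treating them as actionable: the allow lists are where most of the tuning happens, and an overly narrow `payments_expected_processes` list will flag legitimate init or health-check helpers. Note that, as the quoted GitHub description says, Falco itself emits an alert; automatically blocking the connection or killing the process, as Prommer describes, requires wiring that alert into a separate response mechanism.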

“I saw the world was changing and the techniques we were using before weren’t going to work in the modern world,” Sysdig CTO Loris Degioanni told InfoWorld. “Packet detection doesn’t cut it when you don’t have access to the network any more. … So we started by reinventing what data you can collect for containers by sitting on a cloud endpoint and collecting system calls, or more simply put, the process of an application interacting with the outside world.”

Degioanni compared runtime security to protecting your own home, which starts with visibility. “It’s the security camera for your containerized infrastructure,” he said.

Aqua Security

Founded in 2015, Israeli startup Aqua Security is also underpinned by an open source project, Tracee. Based on eBPF technology, Tracee allows for low-latency security monitoring of distributed apps at run time, flagging suspicious activity as it happens.

“The moment I saw that containers package everything inside and the operations people click a button to run, for me it was obvious to also package security into that, so as a developer I don’t need to wait,” said Aqua CTO Amir Jerbi. Developers “aren’t security experts, and they don’t know how to protect against sophisticated attacks, so they need a security layer that’s simple, where they can declare their simple needs. This is where runtime security comes in.”

Other runtime security providers

Other companies operating in this space include Anchore, Lacework, Palo Alto Networks’ Twistlock, Red Hat’s StackRox, Suse’s NeuVector, and Snyk.

Open source is key for developer buy-in

One common factor among these companies is the importance of open source principles. “Customers in this space care about open source and don’t want to deploy only proprietary solutions,” Gartner’s Chandrasekaran said. “They want to work with companies that are active contributors in open source communities and providing commercial solutions on top of open source software, because that’s the foundation of cloud-native technology.”

It’s a sentiment echoed by executives at all of the startups InfoWorld spoke to. “In the cloud-native community, a lot of the focus is on open source. They appreciate when vendors have a big footprint and contribution in open source, so they can try things, see what you’re doing, and contribute back,” Aqua’s Jerbi said. “We’re a commercial company, but many of these products are based on open source.”

For Phil Venables, CISO at Google Cloud, the open source approach to cloud-native security is key to solving such a complex problem. “We’re increasingly like a digital immune system,” he told InfoWorld: gathering intelligence from our own internal systems, large enterprise customers, threat hunters, red teams, and public bug-bounty programs. “That makes us primed to respond to any vulnerability and push things back into open source projects, so we have a wide aperture to find out about things and respond to them.”

This open, transparent approach to runtime security will be key in a future where distributed applications come with uniquely distributed threats. The cloud giants will continue to bake this security into their platforms, and a new class of startups will fight to provide comprehensive protection. But, for now, the path forward for practitioners tasked with securing their containerized applications through production remains a difficult one to navigate.

Copyright © 2021 IDG Communications, Inc.