Container security without governance is neither secure nor governed
Encryption in a Kubernetes environment
Sponsored
In the first article of our four-part series on Kubernetes in the enterprise, we outlined the data services that underpin a properly constructed Kubernetes container environment. Data security, data governance, data resilience, and data discovery are the pillars that support the evolution of Kubernetes from raw storage, either persistent or ephemeral, to true data services that are suitable for deployment in enterprises.
In this and subsequent articles we will drill down to those specific data services. Here, we cover data security and data governance together because they are in some ways two sides of the same coin. You can think of security as a layer in data governance or data governance as a higher-level kind of security.
With containers flitting about a cluster of machines, spawning chunks of microservices code and demanding access to data, it is vital to secure data at the storage layer underneath Kubernetes and from within the Kubernetes platform itself.
“Data security is a hot issue right now, particularly when you think about cyber resilience and the ability to withstand attacks on your infrastructure and – more importantly – on your data,” says Pete Brey, Director of Big Data Marketing at Red Hat.
“The fact of the matter is that there are a lot of cybercriminals that are trying to get access to customer data and other confidential information, and the first line of defense is encryption. Thankfully, in the last ten years, encryption has come a long way. Some of that is because we have more advanced processors that can quickly encrypt data on the fly without a measurable performance penalty. Several years ago, performance was a big issue for the industry and a lot of data was not encrypted when it should have been. But it's no longer an issue.”
Encryption in a K8s environment
As with other application and systems software, encryption in a Kubernetes environment typically involves encrypting data in flight, as it moves between components, as well as at rest on physical storage such as disk drives and flash devices, or even public cloud storage. Increasingly, main memory is being encrypted as well, with the assistance of CPUs from Intel, AMD, and others, and some CPUs now have ways of managing encryption keys that keep them out of reach of hackers.
The encryption and decryption functions that all software depends on are now handled by the processors themselves, which carry specialized cryptographic accelerators. This means companies no longer have to spend thousands of dollars on auxiliary cryptographic co-processors hanging off the PCI-Express bus of a server. It also means they do not have to take the latency hit in their applications and systems software as data comes into a CPU, is passed off to the accelerator for encryption or decryption, and is then pulled up into memory for processing or pushed down to storage for safe keeping.
This native, wire-speed encryption and decryption has been transformative for security within the datacenter. And as encryption has become commoditized, it has become pervasive.
The Secure Sockets Layer (SSL) protocol and its successor, the Transport Layer Security (TLS) protocol, have become central to data security; SSL itself is long deprecated, and what is actually deployed today is TLS. Using public key cryptography, TLS authenticates the identity of participants that share data over Internet protocols, and it secures the data passing between them with symmetric key cryptography, with keys generated uniquely for each connection between applications on distinct machines. The idea is to have keys that are unique as well as long and complex, so that they are difficult to crack or hack.
Let me tell you a Secret
Many applications need to handle sensitive information, and Kubernetes is no different. The container management platform has a construct called a Secret, which allows sensitive data related to containers and their pods to be stored and managed from within Kubernetes. Having this information abstracted away and secured independently is both safer and more flexible than embedding it in a container image or a pod definition. Secrets are used not just for encryption keys, but also for OAuth tokens, SSH keys, passwords, and other sensitive information. The data is encrypted at rest within the Secrets system, and role-based access control (RBAC) can be turned on to restrict the reading and writing of the secret data.
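Two manifests a cluster operator pairs with Secrets in practice, added here as an illustration and not taken from the article: an EncryptionConfiguration handed to kube-apiserver through --encryption-provider-config, without which Secrets sit in etcd as plain base64 rather than ciphertext, and a namespaced Role plus RoleBinding that limits who may read one Secret. The namespace, object names, group name and key value are constructed placeholders.

```yaml
# Constructed example, not from the article. Passed to the API server with
#   kube-apiserver --encryption-provider-config=/etc/kubernetes/enc/enc.yaml
# Without this file, Secrets are stored in etcd base64-encoded, not encrypted.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # The first provider is used for writes. In production a kms provider
      # backed by an external key manager is preferable to a key on local disk.
      - aescbc:
          keys:
            - name: key1
              secret: <BASE64_OF_32_RANDOM_BYTES>   # placeholder: head -c 32 /dev/urandom | base64
      # identity (no encryption) stays last so objects written before this
      # config existed can still be read until they are rewritten with
      #   kubectl get secrets -A -o json | kubectl replace -f -
      - identity: {}
---
# Namespaced RBAC: one Secret, one verb, one group. No list or watch, so the
# group cannot enumerate the other Secrets in the namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: payments            # placeholder namespace
  name: db-credentials-reader
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["db-credentials"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: payments
  name: db-credentials-reader
subjects:
  - kind: Group
    name: payments-deployers     # placeholder group from the cluster's identity provider
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: db-credentials-reader
  apiGroup: rbac.authorization.k8s.io
```

Verify rather than assume: reading the Secret's key directly from etcd (etcdctl get /registry/secrets/payments/db-credentials) should return a value prefixed k8s:enc:aescbc:v1:key1, not readable JSON.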
The good news for organizations is that there are ways to hook the Kubernetes platform into the existing security and governance frame. “Everything in the enterprise that applies to security and governance applies to Kubernetes,” says Brey. “All of the concepts still apply – key management, to take one example – and you don’t have to buy a lot of extra stuff. A lot of this is already put into our OpenShift Kubernetes platform, for instance. Red Hat Enterprise Linux has cryptographic modules, which are used by OpenShift, Ansible, Ceph, and other parts of the Red Hat stack.”
Data governance cannot be an afterthought, and just because we are talking about it second in this story does not mean it plays second fiddle to data security. Security without governance is not really security, and governance without security is not really governance at all. If you are letting someone unlock data, you have to make sure you know who they are, both as the data is being unlocked and after the fact, when you may need to comb through an audit trail in the logs to find a hacker.
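On Kubernetes the after-the-fact record of who unlocked which data is the API server audit log. This added example, not from the article, is an audit Policy loaded with --audit-policy-file that records every access to a Secret at Metadata level, so the requester's identity is kept but the Secret's contents never reach the log; the file paths are placeholders.

```yaml
# Constructed example, not from the article. Loaded with
#   kube-apiserver --audit-policy-file=/etc/kubernetes/audit/policy.yaml \
#                  --audit-log-path=/var/log/kubernetes/audit.log
# Rules are matched top to bottom; the first match decides the level.
apiVersion: audit.k8s.io/v1
kind: Policy
omitStages:
  - "RequestReceived"   # one event per request is enough for an audit trail
rules:
  # Every read or write of a Secret: record who, which, when and from where,
  # but at Metadata level so the Secret's contents are never written to the log.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets"]
  # Changes to who-may-do-what are governance events; keep the full objects.
  - level: RequestResponse
    verbs: ["create", "update", "patch", "delete"]
    resources:
      - group: "rbac.authorization.k8s.io"
        resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]
  # Control-plane health probes are noise; drop them.
  - level: None
    nonResourceURLs: ["/healthz*", "/livez*", "/readyz*", "/metrics"]
  # Everything else at Metadata so the trail has no gaps.
  - level: Metadata
```

Each resulting event carries user.username, verb, objectRef (namespace and name), sourceIPs and a timestamp, so filtering the log on objectRef.resource equal to secrets answers who read which data and when.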
Given this natural dependency, a lot of people treat security measures as if they were sufficient governance. “Actually, security and governance are pretty different,” explains Brey. “Security has more to do with the technical controls that are in place around physical data. Governance is a higher-level issue, which encompasses security, but also includes procedures and protocols for who can access data and how.”
In many industries, the immutability of data is a kind of security, too, which is not the same thing as encrypting it or watching access to it like a hawk. Write once, read many (WORM) storage, which keeps data immutable for a set retention period, often on transactional or object storage, is integral to industries such as financial services and healthcare. The auditing and logging functions as well as the immutable data functions required here, and probably useful across many industries, are included with OpenShift Data Platform, Ceph object storage, and other systems software. All you have to do is turn it on.
Sponsored by Red Hat.