How ‘Secure’ Cloud Native Deployments Can Be
Kubecon + CloudNativeCon sponsored this podcast.
Security for cloud native deployments can certainly vary, depending on the organization, as well as different project groups.
Serving as a guidepost, the Secure Access for Everyone (SAFE) industry working group was created to facilitate “collaboration to discover and produce resources which enable secure access, policy control and safety for operators, administrators, developers and end-users across the cloud native ecosystem,” according to its GitHub description. In that way, SAFE’s founders have envisioned a set of tools for cloud native operators, administrators and developers, consisting of a system security architecture, a common vocabulary and libraries.
SAFE’s potential and what cloud native security involves, in general, were discussed during a podcast Alex Williams, founder and editor-in-chief of The New Stack, recently hosted at KubeCon + CloudNativeCon in Seattle.
The guests included:
- Ignasi Barrera, founding engineer, Tetrate;
- Liz Rice, technology evangelist, Aqua Security;
- Sarah Allen, technical lead and manager, Google Cloud and SAFE WG chair.
The idea, of course, is not to eliminate cloud native security risks, but instead, to lower them.
“We talk about SAFE more as a secure architecture, meaning it’s set up in such a way that we believe that it’s possible to apply security controls to it and there’s certainly many, many situations where most people will agree it may not be impossible,” Allen said. “But it’s certainly hard to secure certain types of systems.”
Complete and total security, of course, does not exist, of course. In this way, the opposite of insecure is “more secure,” Rice said.
“It’s like trying to prove a negative, you can very easily prove that something is insecure,” Rice said.
One of the challenges associated with security is that “there are many different actors out there,” Barrera said. “One of the issues of defining what’s secure access is to come to a set of agreements on use cases for [developers, users and operations] and to be able to write them down and unify them so people can understand what’s there beyond their specific role,” Barrera said. “So, I think, that’s one of the goals of this working group — to put down together a list of things as a reference so people can come and say, ‘okay, this is what security means to these sets of people and to me and this is what we should care about.’ I think that’s the secret.”
Context, as it relates to different projects or roles in the organization, is also a key consideration when defining security policies and practices. Many types of projects exist, “some of which are security-related and some of which are not essentially tied to security but can have security implications,” Allen said. It is thus beneficial to have a centralized resource to help different project participants “understand what’s required of them so that people can build and have a real system that’s secure,” Allen said.
“I think that’s what the site working group can really add value,” Allen said.
In the cloud native space, “the kind of the rules are different and you apply the technology differently,” Allen said.
“I think that creates an intellectually interesting space but also a scary one,” Allen said. “And then you’re using open source — which can be extra safe because you have many eyes on it — you have to make sure that you’re using one of those projects that actually does have many eyes on it.”
In this Edition:
1:42: The SAFE Working Group
8:12: Exploring the context and background of this in terms of cloud native technologies
13:17: Are you getting that feedback, or is it just security experts saying, “We need to be ahead of this?”
15:01: Exploring the examples of companies moving to the cloud, the rise of virtualization, and increasing complexity
21:02: How do you think about things like that in the context of the recently announced Kubernetes vulnerability?
23:43: What do you see as some of the challenges of deploying multiple Kubernetes clusters?
The Cloud Native Computing Foundation is a sponsor of The New Stack.