Identity and Access Management Is a Pain Point in Kubernetes
Prisma Cloud from Palo Alto Networks sponsored this podcast.
Identity and access management (IAM) was previously relatively straightforward. Often delegated as a low-level management task to the local area network (LAN) or wide area network (WAN) admin, the process of setting permissions for tiered data access was definitely not one of the more challenging security-related duties. However, in today’s highly distributed and relatively complex computing environments, network and associated IAM are exponentially more complex.
Managing distributed IAM was the main topic of this episode of The New Stack Analysts podcast, recorded for KubeCon + CloudNativeCon attendees. In our latest “Virtual Pancake and Podcast,” TNS founder and publisher Alex Williams and guests discussed why IAM has become even more difficult to manage and offered their perspectives about potential solutions.
The event featured Lin Sun, IBM’s senior technical staff member and Master Inventor for Istio; as well as Nathaniel “Q” Quist, senior threat researcher (Public Cloud Security Unit 42), Palo Alto Networks. TNS managing editor Joab Jackson served as co-host.
The gap in effective IAM has served as an attractive — and relatively easy — entrance into networks and databases for attackers. It can often take just the theft of one set of developer login credentials, exposed while uploading code to GitHub, to cause real damage. In this way, attackers can gain network access and privileges that ordinary users of a cloud environment do not have.
The Palo Alto Networks Unit 42 Cloud Threat Report found that 23% of organizations surveyed experience crypto-mining operations within their environment that target cloud service provider credentials stored on the endpoint, Quist noted. “Then, [access] just being ‘templatized’, just makes it a whole lot easier for them to — not just gain access to the system — but to take a step further and gain access to the actual environment itself,” Quist said.
The highly distributed nature of Kubernetes, of course, introduces a new set of IAM challenges. However, the good news is that service mesh, increasingly seen as essential for managing Kubernetes environments and associated microservices, can also lend itself to IAM. In Istio’s model of service mesh, IAM falls under the security pillar of service mesh capabilities, alongside observability and connectivity.
Service mesh “provides authentication and authorization policies that are more service-oriented,” said Sun. “They can leverage Layer 7 data to make intelligent decisions on that,” she said.
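As an added illustration of what such a service-oriented, Layer 7-aware policy looks like (this is example configuration written for this article, not code from the podcast or from Istio itself): an Istio PeerAuthentication that enforces mutual TLS so every caller is identified by the identity derived from its Kubernetes service account, and an AuthorizationPolicy that lets only one named service account call specific paths and methods on a `reviews` workload. The `bookinfo` namespace, the `app: reviews` label and the `productpage` service account are assumed names.

```yaml
# Added example; the namespace, labels and service-account names are assumed.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: bookinfo
spec:
  # Require mTLS for every workload in the namespace, so each request carries
  # a verifiable service identity rather than being trusted by source IP.
  mtls:
    mode: STRICT
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: reviews-allow-productpage
  namespace: bookinfo
spec:
  # Applies only to pods carrying this label.
  selector:
    matchLabels:
      app: reviews
  action: ALLOW
  rules:
  - from:
    - source:
        # The caller's identity, established by mTLS, must be this service account.
        principals: ["cluster.local/ns/bookinfo/sa/productpage"]
    to:
    - operation:
        # Layer 7 decision: only GET requests under /reviews/ are permitted.
        methods: ["GET"]
        paths: ["/reviews/*"]
```

Once any ALLOW policy selects a workload, requests matching none of its rules are rejected at the sidecar, so a caller with a valid certificate but the wrong service account, or a permitted caller sending a POST or an unlisted path, is denied without the application code being involved.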
The Cloud Native Computing Foundation and Palo Alto Networks are sponsors of The New Stack.