Kasten has a marketing slogan that says security should be everywhere. But it may be more accurate to say its intention is to make data protection simpler and even smarter, as Kasten K10’s storage and disaster recovery capabilities for Kubernetes clusters extend their reach to cover the entire swath of CI/CD.
Ideally, tools like Kasten’s for data protection and other security-oriented platforms are increasingly designed to be more automated so that the developers and operations folks can do their work as security and policy checks run in the background. They then fall on the radar screen of non-security folks when the tools issue alerts or prevent bad code from being integrated into the supply chain. “Security everywhere,” as Kasten is terming it, covers the very beginning of the production cycle, hence the often touted “shift left” trend, and extends through the entirety of the application and data lifecycle once deployed.
However, in practice, many — probably most — organizations lack the ability to ensure security is in place and policies are met (through the implementation of policy as code, as described below) at the very beginning of CI/CD.
Data Protection Policies
Data protection policies are especially likely to be neglected in the early stages of the development process. In test results provided by Palo Alto Networks’ Bridgecrew, resources within Terraform Registry modules were compared against hundreds of predefined checks in Bridgecrew’s Checkov, which is designed to prevent cloud misconfigurations and to find vulnerabilities at build time. Across those checks, Bridgecrew found that 81% of the community modules failed for backup and recovery, while logging and encryption were a close second and third at 73% and 71%, respectively.
To that end, Kasten K10 V5.0 covers wider ground for data protection early in the production process. “The shift left in data protection needs to become a default option and needs to become a new trend, compared to the world where data protection is an add-on,” Gaurav Rishi, vice president of product and partnerships at Kasten by Veeam, told The New Stack. “We now make sure there’s a checkmark that it’s done.”
A main attribute of the new shift-left capabilities on offer with K10 V5.0 for improved data protection is the integration of Policy as Code principles for Kubernetes environments, through the integration of such open source tools as Kyverno and Open Policy Agent (OPA). The Policy as Code integration begins its work as soon as the developer makes a pull request on Git and extends through the entire production cycle. It is used to help enforce operational best practices, such as recovery point objectives (RPOs) — the amount of acceptable data loss in the event of an outage or an attack — and to block deployments that are not properly configured, such as when immutability is not enabled on Git. It can also modify policies automatically to meet compliance requirements, such as setting a six-year retention period per HIPAA regulations. Kubernetes Admission Controllers are also available with the release to help prevent pods, deployments or StatefulSets from being scheduled onto a Kubernetes node, should a policy be violated, Rishi said.
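One way to express the kind of admission-time guardrails described above with Kyverno, as an added example that is not Kasten’s or Kyverno’s own code: the first rule rejects Deployments and StatefulSets that carry no `backup-policy` label (an assumed label name), and the second requires K10 Policy resources to back up at least hourly and keep yearly restore points for six years. The K10 Policy field names (`spec.frequency`, `spec.retention.yearly`) are assumed from the shape of K10’s Policy custom resource.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: data-protection-guardrails
spec:
  # Enforce: a violating object is rejected at admission rather than only reported in audit mode.
  validationFailureAction: Enforce
  # Also scan objects that already exist, so drift introduced before the policy is surfaced.
  background: true
  rules:
    # Rule 1: every workload must declare which backup policy protects it.
    # The label name "backup-policy" is an assumption for this example.
    - name: require-backup-policy-label
      match:
        any:
          - resources:
              kinds:
                - Deployment
                - StatefulSet
      validate:
        message: "Deployments and StatefulSets must carry a backup-policy label naming the K10 policy that protects them."
        pattern:
          metadata:
            labels:
              # "?*" matches any non-empty value.
              backup-policy: "?*"
    # Rule 2: K10 backup policies must satisfy the RPO and the six-year retention requirement.
    # Kind is given as Group/Version/Kind so it targets the K10 CRD, not some other "Policy".
    - name: enforce-rpo-and-retention
      match:
        any:
          - resources:
              kinds:
                - config.kio.kasten.io/v1alpha1/Policy
      validate:
        message: "Backup policies must run at least hourly and retain yearly restore points for 6 years."
        pattern:
          spec:
            # An hourly schedule bounds data loss to one hour; daily or on-demand policies are refused.
            frequency: "@hourly"
            retention:
              # Kyverno pattern operators allow numeric comparisons.
              yearly: ">=6"
```

A Policy that schedules backups daily, or keeps fewer than six yearly restore points, is rejected by the API server with the rule’s message, so the misconfiguration never reaches the cluster.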
A Large Piece of the Puzzle
Many platforms are arguably designed to offer a purported “single pane of glass” solution that covers too much ground and can involve vendor lock-in. For data protection and security, Kasten already offered data recovery for ransomware attacks and tighter RBAC controls for access to Kubernetes nodes and to stateful and stateless data before K10 V5 was released. What Kasten K10 is not purported to do is offer a complete DevOps solution for CI/CD and Kubernetes cluster management, nor do I expect it to ever be touted as such. This helps to explain why Kasten has sought to integrate K10 more tightly with popular DevOps environments and processes, such as Amazon Web Services (AWS), so that data protection is automatically integrated with Amazon Elastic Kubernetes Service (EKS) clusters, and with the comprehensive container- and Kubernetes-management platform Red Hat OpenShift.
Kasten K10’s increased compatibility with EKS comes from adding data-protection capabilities to Amazon EKS Blueprints, which facilitates the configuration and deployment of Kubernetes clusters and containers. The Kasten K10 add-on for Amazon EKS Blueprints also extends data backups, including disaster recovery, to all clusters.
For Red Hat OpenShift, Kasten K10’s data backup and disaster recovery capabilities are now included in the Red Hat operator framework and have Red Hat Level 3 operator certification. Kasten K10 is also available on the Red Hat Marketplace as a free or enterprise edition.
Given the EKS and Red Hat integrations, more partnerships are likely to follow. DevOps teams are able to further meld data protection and recoverability with policy as code across CI/CD and across a larger swath of their favorite Kubernetes platforms and environments.
“We are helping DevOps teams think about policies not only for remediation in the context of purely security attributes, but also for data and application protection,” Rishi said.
AWS, Kasten, Palo Alto Networks and Red Hat are sponsors of The New Stack.