Cloud Native / Kubernetes / Security

Linux and Cloud Native Security: SUSE’s Strategy

5 Nov 2021 3:00am, by
This week, The New Stack is running a series of posts examining how Linux distributors are securing their distros for cloud native operations. In our last installment, we take a look at longtime Linux stalwart SUSE.

The Nuremberg-based SUSE wants to be the enterprise open source software provider for big data operations. The company maintains one of the premier Linux distributions for corporations, the Linux Enterprise Server. It’s also an important driving force within the realm of cloud native technology. Last year, the company acquired Rancher, which developed a popular stripped-down version of Kubernetes, called K3s, as well as its namesake software platform, which can be used to offer Kubernetes as a service. Both are key components in SUSE’s open source cloud native portfolio.

To learn more about SUSE’s strategy for securing its customers’ cloud native computing operations, I spoke with Sheng Liang, who is the president of engineering and innovation at SUSE, and was the CEO and co-founder of Rancher.

Let’s see what he had to say.

What’s the biggest security issue cloud native developers face?

Sheng Liang, President of Engineering and Innovation at SUSE

Sheng Liang, president of engineering and innovation at SUSE

Data confidentiality and integrity are key for cloud native development. Data breaches are front line in customer visibility and have the potential to break a business. Robust access management, including centralized authentication and role-based access management, is key. Customization is essential, as well as ease of use and management of these tools.

One of the key features that Rancher adds to Kubernetes is centralized user authentication, allowing users to use one set of credentials to authenticate with any of their Kubernetes clusters. It also allows for customization of roles to provide specific permissions within Rancher.

If you could give one piece of advice to businesses wanting to deploy containers as securely as possible, what would that be?

Be proactive in managing the risk and security policies across your environment. This means ensuring basic operational tasks like keeping your Kubernetes distribution and clusters up to date and keeping track of users and their corresponding policies.

Implementing OS Kubernetes-management platforms like SUSE Rancher can help manage these tasks and avoid the operational debt that can accumulate.

What is SUSE doing unlike any other server operating system for cloud/container security?

Security remains a prominent barrier for Kubernetes adoption, and SUSE’s latest project Kubewarden is designed to help remove that obstacle. Kubewarden provides significantly more flexibility compared to other solutions in today’s market as it allows for policies to be written in any language that can compile to WebAssembly (WASM), including Open Policy Agent’s Rego language. Kubewarden also allows operations and governance teams to codify the rules of what can and cannot be run in their environments. Policies are distributed through container registries, and workloads and policies can be distributed and secured in the same way, ultimately removing bottlenecks organizations face and reducing the time DevOps teams need to spend reviewing policies.

What does the future of cloud native development look like?

Businesses are still striving for digital transformation of their IT stack, and to achieve the transformation they need, there needs to be consolidation within cloud native development. We will continue to see a rise in open source projects that graduate into enterprise products. Our recent SUSE open source projects are driving production-quality Kubernetes everywhere and include Harvester, Kubewarden, Epinio, Opni and Rancher Desktop.

What’s the first thing an administrator should do to a server operating system to harden it?

A good starting point would be to look at the recommendations in the Center for Internet Security (CIS) benchmarks. These benchmarks provide a series of controls for a strong security posture. For regulated environments, there are additional controls and steps that must be followed to comply with regulatory requirements.

How can small to medium-sized businesses gain the levels of security found in the enterprise?

First, designing the product based on applicable security frameworks and proactively managing security concerns will provide enterprise levels of security in a small or medium-sized business and allow for scaling.

Second, consider the likes of Rancher products, which comply with the top frameworks in the industry and ensure our partners can meet those standards, whether through Rancher portfolio certifications or the use of our hardening guides for partner systems.

What’s the best thing container developers can do to ensure they’re building off a solid and secure foundation?

Building a container is just the beginning, the best you can do is ensure it is secure at that point in time. To minimize risk over time, container developers should start with a lightweight base image built on a secure OS that is updated regularly. This ensures that security fixes are frequently applied. This is where a base image like SUSE’s SLE base container images [BCIs] fit in, built on top of the rock-solid foundation of SUSE Linux Enterprise.

When building the image, developers should be leveraging multistage builds. This allows developers to add all their build dependencies, but only ship their end application. This provides the end user with a smaller image with a reduced attack surface, and it saves bandwidth.

Last, developers should plan to rebuild their images periodically. Over time new vulnerabilities are discovered and fixed. Developers will need to provide new fixes through new containers that contain the most recent patches.

What is the coolest piece of cloud-native technology being developed by SUSE in the coming months or year?

Without a doubt, this is Harvester, our open source hyper-converged solution (HCI) that accelerates digital transformation by allowing enterprises to consolidate, simplify and modernize their existing IT operations.

When integrated with SUSE Rancher, it unifies the delivery of virtual machines and containers without the complexities, lock-in, and overhead costs imposed by legacy vendors. In the future, Harvester will leverage SUSE Rancher’s GitOps-powered continuous delivery capabilities to scale potentially thousands of HCI clusters running a mix of virtual machines and containerized workloads from core to edge.

Should businesses be striving for full-blown automation, or should they keep a layer of human intervention involved in the DevOps process?

Automation tools can be an excellent addition to the DevOps process and can save on tedious and costly manual reviews. There are many tools on the market for automating formerly manual tasks. However, there is an inherent danger in over-automating as well as under-automating. Tools will only catch a certain percentage of errors and do not always play well with others. It is important to find a balance.

A human touch in managing DevOps will ensure any errors are observed and addressed for future reference, the process is followed correctly and the tools are used properly to meet the organization’s needs.