Secure Your Future in 2024: Grab a Piece of the K8s Security Pie
Last year was rough, with 50% more tech layoffs in 2023 than in 2022. The security function was anything but immune from the trend — recent studies show that, by the middle of 2023, 22% of security professionals had been in organizations where security talent was cut.
And, if they had been in companies where reductions in force took place, studies show that the talented security practitioners left were less satisfied in their jobs and roles. Now is the time for cyber professionals to secure their future, and Kubernetes security is the secret weapon that can make you invaluable.
Kubernetes Security Makes Your Team Invaluable
Making yourself invaluable means associating your skillset with the technology that will make or break the company’s revenue stream. Companies like Netflix, Domino’s Pizza, Slack, Shopify and the New York Times all run their digital apps in a Kubernetes environment.
The fastest-growing part of IBM is OpenShift, Red Hat’s managed Kubernetes platform. Kubernetes migration has been a top priority for the engineering organization for years, and all of this is due to the fact that Kubernetes allows companies to innovate faster, developing applications and new features at a rate that was impossible with monolithic approaches to application development.
Build Credibility with Your Most Influential Peers
Many of your most influential peers are those who are actively building out your Kubernetes stack in engineering. If you can successfully, and credibly, work with them as a partner on Kubernetes security, to them you will be nothing short of the “next gen” security team.
Why? Because today these teams have to advise security and hold hands with teams that have not invested in this knowledge. When asked who owns Kubernetes security at KubeCon + CloudNativeCon, more than a third of engineers and Site Reliability Engineers (SRE) echoed the sentiment that security is behind on Kubernetes:
- “Security teams have a big knowledge gap around Kubernetes.” — a senior engineer
- “The security technology group is not up to speed.” — an SRE
- “Security should be hand-in-hand, but security doesn’t know anything about K8s.” — a developer
And data shows that, today, the security team owns Kubernetes security in only 28% of organizations, compared to 72% across Ops, DevSecOps, developers, and DevOps.
But clearly Kubernetes security is still make or break for many security teams. The SRE for a Fortune 100 health-care company said their security team was eventually replaced by a “more technical” team that could speak the same language around Kubernetes.
Where Are Security Teams Needed the Most?
Despite the fact that the engineering team is doing Kubernetes security, their own metrics and performance indicators include KPIs about uptime, cost and performance. By necessity, they take a broad, active role around role-based access control (RBAC), Kubernetes versions, supply chain, the network, and common vulnerabilities and exposures (CVEs). But they need a partner in crime.
So where do security teams stand to gain the most from their involvement? Where are they needed the most? If we look at where engineers generally spend their time (RBAC, Kubernetes versions, supply chain, the network and CVEs), it is clear that the gap security needs to fill is around finding blind spots that have not been covered with guardrails and shift left, as well as validating the security posture that is the result of engineering’s work.
This could mean, specifically, detection and response for when things go wrong, auditing the usage of RBAC permissions against written policies and proactively demonstrating why certain CVEs must be attended to, in a broader context.
The targeted attacks against Kubernetes in 2023 also demonstrate the need for security teams’ involvement, when, according to a recent study, a full 17% of teams are still not doing DevSecOps. In 2023, there was a large spate of new Kubernetes attacks, and software supply chain attacks were looking for kubeconfig files. There were also no less than seven new Kubernetes CVEs in 2023 alone.
To prevent targeted attacks, and uncover the blind spots that let them in, security teams are the ones that need to step in.
Your Job: Make Yourself an Effective Collaborator
So how can you take advantage of the opportunity without taking an unrealistic amount of time becoming a full expert? The answer is effective and clear collaboration.
The first step to collaboration is to know what “good” looks like. In an ideal world, at the most general level, your job is to understand the situations that could cause big problems and work with engineering to reduce the risk of big problems while keeping business moving forward.
In a practical sense, security and engineering need to work together to understand the most sensitive clusters, decide what kind of a risk would warrant a break in uptime (in the worst-case scenario) or which developer roles should have privileges like admin or cluster admin.
And it’s also important to know what ineffective collaboration looks like in Kubernetes security. In the example below, while security is dedicated to cloud security and the concept of shifting left, in reality the vulnerability management program is only happening in response to compliance requests, and prioritization of CVEs and alerts is not happening before the alerts reach the engineering team.
Or detection and response is still relegated to non-containerized workloads like EDR or xDR solutions, so there is little to no collaboration around detection and response, even if engineering is noticing spikes in CPUs that can’t be explained by their own actions (but could be explained by a crypto mining compromise).
Kubernetes security is like an open invitation to further your career and make yourself an invaluable part of your company’s journey forward. It comes with built-in collaborators and requires capabilities that only security teams can provide. Here are some examples of ways you can get started building this into your repertoire:
- Start on one of the CNCF’s Kubernetes security certifications.
- Do a Kubernetes OWASP Top 10 audit in your organization.
- Use open source RBAC tools like RBAC Police or Krane to understand broad RAC permissions.
- Start engaging with engineering around acceptable risk baselines for admission control.