Sysdig Brings Zero Trust Network Security to Kubernetes
Honeycomb sponsored The New Stack’s coverage of Kubecon+CloudNativeCon North America 2020.
This week at Kubecon+CloudNativeCon North America, container security company Sysdig is bringing its zero-trust security approach to Kubernetes with the introduction of its Zero Trust Network Security for Kubernetes. The offering expands upon the company's existing container scanning and runtime security by adding network visibility and automated rule creation built on Kubernetes' native network policies.
Defined by Forrester Research and popularized by Google, the Zero Trust security model differs from traditional security approaches in that nothing is trusted by default, no matter where it may live, whereas a traditional approach may allow anything within your network or application to freely interact with anything else inside the same perimeter. In cloud native terms, the traditional model might let one microservice speak with another simply because both live on the same Kubernetes node; under zero trust, that connection has to be explicitly allowed.
Sysdig’s new approach allows its users to take advantage of Kubernetes’ native policies to impose a zero-trust security posture by making it easier to set up the policies and then view the effects of those policies once in place. While this may sound simple enough, Sysdig Vice President of Product Knox Anderson explains that setting up Kubernetes network policies was often a sticking point.
“We can take the time to implement down from weeks to hours,” said Anderson. “We’re really making the process of companies adopting Kubernetes’ network policies much easier by providing deep visibility through Sysdig. What a customer will be able to do is easily look at our topology map, see service to service communication, decide what they want to allow, and then we will automate the creation of a Kubernetes network policy from that, but then apply to their cluster.”
The topology map mentioned is another new feature in this release that lets users visualize all communication into and out of a particular pod, service, or application. With the combination of the map and the automated rule creation, Anderson said this addresses a particular gap in the industry.
“The main challenge we saw with customers is that app teams have the context of application A to application B, but they have no idea how Kubernetes network policies work. And then the operations team knows how to write a Kubernetes policy, but has no clue, at the app level, which applications should communicate with each other. So we’re really helping bridge this gap between developers and operators,” said Anderson.
The use of Kubernetes network policies, he mentioned, is also a differentiator from how others might approach the problem with a man-in-the-middle style approach that overwrites a binary, overrides runc, or modifies iptables rules. Those approaches, while valid, can introduce latency that Kubernetes network policies avoid. Sysdig Chief Marketing Officer Janet Matsuda said that it also kept things simple, always a good idea when dealing with security.
“We continue to add to the capabilities around zero trust to make sure that, even though Kubernetes is open by default, we’re making it easier for the DevOps and security teams to work together to put those zero trust controls in place. The approach that we use for that is to use Kubernetes native controls and stick to open source controls, rather than adding another piece of the puzzle,” said Matsuda. “Kubernetes networking is already complicated enough. You don’t want to have a security tool that’s in place doing something in conflict with the state of the universe that Kubernetes expects.”
The final piece of Sysdig's approach is Sysdig Audit Tap, which gives DevOps teams the ability to identify and monitor every connection made by a process, even if the connection is unsuccessful. With this, explained Matsuda, Sysdig users can verify that their network policy isn't causing problems but is instead providing the zero-trust environment they want.
“This Audit Tap capability is broader than zero trust in network security, but it is an important component, because once you have those policies in place, you want to say, ‘Here are the network connections that were blocked, here are the network connections that are happening,’ and really validate that you have implemented it properly,” said Matsuda. “That can help you understand, maybe someone’s trying to attack your environment or it could be that you have the wrong policy in place. That loopback of ‘plan ahead, implement, and then check what’s happening’ is really that closed-loop circle you need to have with zero trust.”
The new functionality will be available today as a part of the Sysdig Enterprise tier at no additional cost.
KubeCon+CloudNativeCon is a sponsor of The New Stack.