Post on 22-May-2020
Container and Kubernetes Configuration Management

Human error remains a frustratingly persistent cause of the majority of security incidents. According to Gartner, 95% of cloud security failures are rooted in mistakes made by customers. As your application workloads become more decentralized, spanning data centers owned by you and public cloud providers, and run in containers and Kubernetes using microservices architecture, the risk of a misconfigured component exposing you to a security incident grows.
Several factors contribute to this increased risk:
• Kubernetes ships with its settings open by default, to enable faster development and deployment. Providing all assets with full communications is great for building apps, but it’s far from secure. Role-based access control (RBAC) might not be enabled at all, or it could be configured in a way that’s highly risky. Examples include:
  › The default GKE cluster control plane and nodes can be accessed from any IP address.
  › When creating a new cluster in EKS, an endpoint is created for the managed Kubernetes API server, which by default is public to the Internet. Access to the API server must be secured using a combination of AWS IAM and native Kubernetes RBAC.
  › Overuse of ClusterRoles and ClusterRoleBindings that give global access across all namespaces.
• Containers similarly have a lot of components that must be configured appropriately to deliver high security.
• Following configuration best practices becomes even more difficult in hybrid environments where you use a public cloud provider’s managed Kubernetes service along with self-managed Kubernetes deployed in your own data center on-premises. Each environment presents a different set of responsibilities for configuration.
In today’s DevOps-driven application development environment, configuration management must be as automated and streamlined as possible for it to be effective. It should be comprehensive, covering containers, Kubernetes, and all their configurable components, including:
• RBAC
• Secrets
• Network policies
• Privilege levels
• Resource limits/requests
• Read-only root file systems
• Annotations, labels
• Sensitive host mount and access
• Image configuration, including provenance
Solution Brief
Configuration management purpose-built for DevOps

The StackRox Kubernetes Security Platform is built from the ground up to protect containerized workloads running in Kubernetes. StackRox offers a fully automated configuration management solution that provides comprehensive visibility into all of your Kubernetes and container assets and how they’re configured. StackRox also provides out-of-the-box policy templates to ensure your environment is configured securely and adheres to industry best practices such as those laid out in the CIS benchmarks.
Kubernetes Role-Based Access Control (RBAC) assessment

StackRox analyzes Kubernetes RBAC to give you granular visibility into all the permissions and privileges given to your users, groups, or service accounts, also known as subjects. We simplify RBAC assessment by providing you a single view of all permissions associated with your subjects regardless of how many Roles or ClusterRoles are associated with them. We use this information to identify instances of overly permissive misconfigurations that pose significant risk.

Alternatively, you can analyze each role (or ClusterRole) separately to determine which subjects are associated with each role and the permissions given to each role, including which actions (or verbs) can be taken against what API resources. These checks will allow you to quickly identify instances of misconfigured or unnecessary roles.
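The subject-centric RBAC view described above, and the ClusterRole/ClusterRoleBinding overuse flagged earlier in the brief, can be illustrated with a small aggregator. This is an added example, not StackRox code; the Roles, bindings and the "namespace/name" subject naming are constructed samples, and aggregated ClusterRoles and escalation verbs (bind, escalate, impersonate) are deliberately not modelled.

```python
"""Aggregate effective Kubernetes RBAC grants per subject and flag over-permissive ones.
Added illustration, not StackRox code; all role and binding data below is constructed."""
from collections import defaultdict

# Constructed sample: two ClusterRoles, one namespaced Role, and three bindings.
# Rules are (apiGroups, resources, verbs) exactly as they appear in a Role manifest.
ROLES = {
    ("ClusterRole", "view-pods"): [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}],
    ("ClusterRole", "cluster-admin"): [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
    ("Role", "dev/secret-reader"): [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]}],
}
BINDINGS = [
    {"kind": "ClusterRoleBinding", "roleRef": ("ClusterRole", "cluster-admin"),
     "subjects": [("ServiceAccount", "dev/ci-bot")]},
    {"kind": "RoleBinding", "namespace": "dev", "roleRef": ("ClusterRole", "view-pods"),
     "subjects": [("ServiceAccount", "dev/ci-bot")]},
    {"kind": "RoleBinding", "namespace": "dev", "roleRef": ("Role", "dev/secret-reader"),
     "subjects": [("User", "alice")]},
]

def effective_permissions(roles, bindings):
    """Map each subject to the set of (scope, apiGroup, resource, verb) it holds,
    regardless of how many Roles or ClusterRoles the grants come from."""
    perms = defaultdict(set)
    for b in bindings:
        # A ClusterRoleBinding grants cluster-wide ("*"); a RoleBinding confines even a
        # ClusterRole's rules to the binding's own namespace.
        scope = "*" if b["kind"] == "ClusterRoleBinding" else b["namespace"]
        for rule in roles.get(b["roleRef"], []):
            for subj in b["subjects"]:
                for group in rule["apiGroups"]:
                    for resource in rule["resources"]:
                        for verb in rule["verbs"]:
                            perms[subj].add((scope, group, resource, verb))
    return perms

def risky_subjects(perms):
    """Flag subjects holding cluster-wide wildcards or cluster-wide secret read access."""
    findings = {}
    for subj, grants in perms.items():
        reasons = set()
        for scope, _group, resource, verb in grants:
            if scope == "*" and (verb == "*" or resource == "*"):
                reasons.add("cluster-wide wildcard")
            if scope == "*" and resource in ("secrets", "*") and verb in ("get", "list", "*"):
                reasons.add("cluster-wide secret read")
        if reasons:
            findings[subj] = sorted(reasons)
    return findings
```

Running `risky_subjects(effective_permissions(ROLES, BINDINGS))` flags only the CI service account; alice's namespaced secret read is scoped to `dev` and is not reported.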
Kubernetes secrets monitoring

StackRox identifies secrets used in your environment and how they’re configured to determine whether they’re distributed too broadly across too many deployments or have expired. With StackRox you can proactively limit unnecessary secrets access and prevent unwanted exposure.
Policy-based configuration assessment

StackRox scans your environment against prebuilt configuration policies and detects policy violations including:
• Images that haven’t been scanned recently (or ever) or are pulled from untrusted registries
• Network exposure from insecure network communications
• Containers running with risky privileges, lacking resource constraints, or using read/write filesystems
• Secrets mounted as environment variables
• Deployments missing required labels and annotations
• Deployments mounting sensitive host directories

You can readily build new policies, often cloning existing policy templates and editing them to meet your unique security needs.
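Several of the policy checks listed above can be expressed as a simple walk over a Deployment's pod spec. This is an added example, not StackRox code: the Deployment is a constructed sample with deliberate violations, and the required-label and sensitive-host-path lists are assumptions standing in for a site's own policy.

```python
"""Check a Deployment against the configuration policies listed above.
Added illustration, not StackRox code; the manifest is a constructed sample."""

# Constructed sample Deployment, shaped as a YAML loader would return it, with several violations.
DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "payments", "labels": {"app": "payments"}},
    "spec": {"template": {"spec": {
        "volumes": [{"name": "host", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{
            "name": "api", "image": "payments:1.2",
            "securityContext": {"privileged": True},
            "env": [{"name": "DB_PASS", "valueFrom": {"secretKeyRef": {"name": "db", "key": "pass"}}}],
            "volumeMounts": [{"name": "host", "mountPath": "/docker.sock"}],
        }],
    }}},
}

REQUIRED_LABELS = ("app", "owner")  # assumed site policy: every deployment names an owner
SENSITIVE_HOST_PATHS = ("/etc", "/proc", "/var/run/docker.sock", "/var/lib/kubelet")  # assumed list

def check_deployment(dep):
    """Return a sorted list of policy violations found in one Deployment."""
    violations = []
    labels = dep.get("metadata", {}).get("labels", {})
    for lbl in REQUIRED_LABELS:
        if lbl not in labels:
            violations.append(f"missing required label '{lbl}'")
    pod = dep["spec"]["template"]["spec"]
    for vol in pod.get("volumes", []):
        path = vol.get("hostPath", {}).get("path")
        # Match the sensitive path itself or anything beneath it.
        if path and any(path == p or path.startswith(p + "/") for p in SENSITIVE_HOST_PATHS):
            violations.append(f"volume '{vol['name']}' mounts sensitive host path {path}")
    for c in pod.get("containers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            violations.append(f"container '{c['name']}' runs privileged")
        if not sc.get("readOnlyRootFilesystem"):
            violations.append(f"container '{c['name']}' has a writable root filesystem")
        if "limits" not in c.get("resources", {}):
            violations.append(f"container '{c['name']}' has no resource limits")
        for env in c.get("env", []):
            if "secretKeyRef" in env.get("valueFrom", {}):
                violations.append(f"container '{c['name']}' exposes secret via env var {env['name']}")
    return sorted(violations)
```

Image scan age, registry trust and network exposure need data from outside the manifest (scanner results, registry allow-lists, Service and NetworkPolicy objects), so they are not covered by this manifest-only check.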
Automated policy enforcement

StackRox integrates with your CI/CD pipeline to provide build-time enforcement capabilities to ensure misconfigurations are caught as early as possible. You can augment these controls with deploy-time enforcement such as using dynamic admission controls.
StackRox helps enterprises secure their containers and Kubernetes environments at scale. The StackRox Kubernetes Security Platform enables security and DevOps teams to enforce their compliance and security policies across the entire container life cycle, from build to deploy to runtime. StackRox integrates with existing DevOps and security tools, enabling teams to quickly operationalize container and Kubernetes security. StackRox customers span cloud-native start-ups, Global 2000 enterprises, and government agencies.
©2020 StackRox, Inc. All rights reserved.
More than configuration management

The StackRox Kubernetes Security Platform provides full life cycle security for containers and Kubernetes. StackRox addresses critical security use cases that go beyond configuration management, including:
• Visibility - provides comprehensive visibility into images, registries, containers, deployments, and runtime behavior
• Vulnerability management - goes beyond CVE scoring and image scanning to enforce full lifecycle vulnerability management, from build and deploy to runtime
• Compliance - helps ensure adherence to CIS benchmarks for Kubernetes and Docker as well as NIST, PCI, and HIPAA
• Network segmentation - leverages native controls in Kubernetes to isolate assets, block deployments, or kill pods
• Risk profiling - provides a stack-ranked list of all deployments with risk factors that identifies the riskiest deployments in need of immediate remediation
• Runtime threat detection - employs rules, whitelists, and baselining to accurately detect and prevent suspicious/malicious activities
• Incident response - enables policy enforcement and incident response in real time, from alerting to killing pods to thwarting attacks during runtime