The old security model, which followed the “trust but verify” method, is broken. That model granted excessive implicit trust that attackers abused, putting the organization at risk from malicious internal actors and allowing unauthorized outsiders wide-reaching access once inside. The new model, Zero Trust networking, presents an approach where the default posture is to deny access.
Kubernetes provides the freedom to rapidly build and ship applications while dramatically minimizing deployment and service update cycles. However, the velocity of application deployment requires a new approach that involves integrating tools as early as possible in the deployment pipeline and inspecting the code and configuration against Kubernetes security best practices. Kubernetes has many security knobs that address various aspects required to harden the cluster and applications running inside.
Data breaches and ransomware are two of the biggest concerns businesses have about data security management and control. Data security is implementing the right procedures to protect your data, files, and user information on your network whether it is running locally or in the cloud. When deciding what types of data privacy security controls your business needs, there are several considerations to take into account.
Cloud security is the combination of tools and procedures that form a defense against unauthorized data exposure by securing data, applications, and infrastructures across the cloud environment and by maintaining data integrity. To read more about the basic principles of cloud security, check out our previous article on the subject. Cloud security is a constant concern for R&D teams, and more and more methodologies are being introduced to help teams achieve their goals.
Compromising a pod in a Kubernetes cluster can have disastrous consequences on resources in an AWS Elastic Kubernetes Service (EKS) account if access to the Instance Metadata service is not explicitly blocked. The Instance Metadata service is an AWS API listening on a link-local IP address. Only accessible from EC2 instances, it enables the retrieval of metadata that is used to configure or manage an instance.
Oftentimes, security attacks that were clearly recorded in logs go unnoticed. They are obscured by a large sea of log data created by most modern cloud environments. In some cases, like during a DDoS attack, there will be a huge spike in logs so it will be very clear what happened. In other situations, just a few logs will document the attack. Finding these logs can be like finding a needle in a hay stack. But if you know what to looks for, it doesn’t need to be so hard to spot these attacks.
HAProxy Enterprise handles SAML single sign-on for your applications and integrates with identity providers like Azure Active Directory.
Sysdig is pleased to support AWS today in their GA launch of Bottlerocket, a special-purpose operating system designed for hosting Linux containers. Orchestrated container environments run potentially hundreds of compute nodes. Operating general-purpose Linux on container hosts introduces complexity for IT teams who must patch and update packages across their clusters. Worse, features and packages that are not necessary for running containers, introduce unnecessary security exposure.
