Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


// // //
10:00 AM
Or Azarzar
Or Azarzar
Connect Directly
E-Mail vvv

Is Your Cloud Raining Sensitive Data?

Learn common Kubernetes vulnerabilities and ways to avoid them.

Kubernetes' market share continues to grow as organizations increase their use of containerized software and adopt cloud architectures. According to a Cloud Native Computing Foundation (CNCF) survey, Kubernetes use rose from 58% in 2018 to 91% in 2020. 

However, along with rapid growth, Kubernetes has already experienced a fair share of cyberattacks, with six major ones last year alone (CVE-2020-14386, CVE-2020-2121CVE-2020-8558CVE-2020-8559CVE-2020-10749, and CVE-2020-8557). This trend will most likely continue or even accelerate. As more Kubernetes clusters are put into production, bad actors will be motivated to find more security holes.

Related Content:

Cloud-Native Apps Make Software Supply Chain Security More Important Than Ever

Special Report: How Data Breaches Affect the Enterprise

New From The Edge: How to Create an Incident Response Plan From the Ground Up

Kubernetes containers often have loose security settings, sometimes by default, that hackers can leverage to execute a cyberattack. Lightspin inspected where our clients use "privilege" mode, which provides almost unrestricted access to resources on the host system; "privilege escalations," where processes are given expanded privileges; and "run as root," which allows unrestricted container management. Three-quarters of the companies surveyed matched one or more of the issues, and the average percentage of pods affected was nearly 25%. These permissions are often used for development purposes but present an unacceptable level of risk when containers are put into production.

Why Kubernetes Is an Easy Target
Some increases in attacks targeting Kubernetes are due to new trends in development environments. With the move to break systems down into smaller functions, many IT teams are developing microservices that each require authentication and access control and thereby open a new attack surface. Microservices tend to be highly volatile, with the ability to move and pop in and out, making it hard to defend all their respective entry points from hackers.

Cloud environments are becoming more complex, consisting of thousands of cloud assets from multiple vendors. Often, there is confusion about the borders of security between internal organizations and cloud vendors. Gartner research indicates that about 95% of cloud security breaches through 2022 will come from customer errors fueled by misconfigurations, myths, and misunderstandings. According to our internal research, it can take 270 days on average for organizations to even notice they have a misconfiguration issue gumming up their security. That gives hackers plenty of time to access systems and files and collect proprietary and confidential data.

Kubernetes ecosystems are often constructed from various third-party open source components, making it difficult to enforce standard implementations that include proper configurations and security authorizations. This lack of control is aggravated by an emphasis on speeding product delivery. DevOps deployments often race ahead of security, introducing new functions or services that are unprotected and increasing the attack surface.

Guidelines to Protect Against Vulnerabilities
Kubernetes comes with security controls that need to be customized for each organization and its risks. Since the programming environment is highly volatile, the process needs to be updated constantly. Here are some general guidelines to consider:

  • As Kubernetes is entirely API-driven, controlling and limiting who can access the cluster and what actions they are allowed to perform is the first line of defense. Make sure you lock down access to the Kubernetes API server by ensuring that the API server is accessible only from trusted subnets that utilize the appropriate firewall rules. The ideal scenario is to expose the server to a virtual private cloud (VPC) network instead of the open Internet. 

  • One of the most difficult challenges security teams face is the lack of full visibility into Kubernetes architectures. Your team needs to identify and nail down all the ports that connect to your hosts, containers, and virtual machines, just like you would do for any physical, on-site data resource. Look out for all the assets with undefined security profiles or loose default settings. Be aware that the Kubernetes default is that every pod can speak to all other pods with no security restrictions. One rule of thumb is to grant the lowest level of operating system privilege necessary while constructing containers. Ensure that anonymous authentication is disabled. 

  • Allow each microservice access to only the resources it needs. This way, a vulnerability in one microservice will not expose the rest of your system to an attacker. Make sure you inspect the authorized users for each storage asset. 

  • Investigate using a tool that will give you a visual map of a Kubernetes cluster that includes role-based access control (RBAC), networking, and configuration layers down to the microservice level. Seeing the relationship between all the components or the context of each vulnerability will put security incidents into perspective to prioritize alerts and take immediate action when needed. 

The best strategy is to focus on the attack paths that threaten the most vulnerable and valuable assets. Security systems that monitor traffic for anomalies can create an excessive number of alerts that take up valuable time. But by focusing on the assets you want to protect and protecting the cloud from the inside out, you can home in on the most urgent threats.

The race to innovate faster in our online digital economy is creating more attack surfaces that introduce a higher risk of data breaches. Having full visibility into all Kubernetes components, minimizing access to assets, and focusing on the attack path can secure environments while making the best use of security personnel. Understanding each threat's context is the best way to assess priorities and take action to protect sensitive data and prevent data breaches.

Or Azarzar is the Co-Founder and CTO of Lightspin, leading the company's development, security research, and engineering operations. As an innovative security product builder, he is a thought leader in the area of defensive and offensive product research and development. ... View Full Bio
Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The Promise and Reality of Cloud Security
Cloud security has been part of the cybersecurity conversation for years but has been on the sidelines for most enterprises. The shift to remote work during the COVID-19 pandemic and digital transformation projects have moved cloud infrastructure front-and-center as enterprises address the associated security risks. This report - a compilation of cutting-edge Black Hat research, in-depth Omdia analysis, and comprehensive Dark Reading reporting - explores how cloud security is rapidly evolving.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-01-28
Metabase is an open source data analytics platform. Affected versions are subject to Exposure of Sensitive Information to an Unauthorized Actor. Sandboxed users shouldn't be able to view data about other Metabase users anywhere in the Metabase application. However, when a sandbox user views the sett...
PUBLISHED: 2023-01-28
Metabase is an open source data analytics platform. Affected versions are subject to Improper Privilege Management. As intended, recipients of dashboards subscriptions can view the data as seen by the creator of that subscription. This allows someone with greater access to data to create a dashboard...
PUBLISHED: 2023-01-28
Discourse is an open-source discussion platform. Prior to version 3.0.1 on the `stable` branch and 3.1.0.beta2 on the `beta` and `tests-passed` branches, when submitting a membership request, there is no character limit for the reason provided with the request. This could potentially allow a user to...
PUBLISHED: 2023-01-28
OpenMage LTS is an e-commerce platform. Versions prior to 19.4.22 and 20.0.19 contain an infinite loop in malicious code filter in certain conditions. Versions 19.4.22 and 20.0.19 have a fix for this issue. There are no known workarounds.
PUBLISHED: 2023-01-28
Discourse is an open-source discussion platform. Prior to version 3.0.1 on the `stable` branch and 3.1.0.beta2 on the `beta` and `tests-passed` branches, the contents of latest/top routes for restricted tags can be accessed by unauthorized users. This issue is patched in version 3.0.1 on the `stable...