Container security specialist NeuVector today announced the release a new open-source toolkit that helps enterprises test their Kubernetes 1.6 deployments against the Center for Internet Security's guidelines.
Kubernetes 1.6 is the latest version of the popular automated container deployment and orchestration platform. While IT shops are flocking to its microservices-friendly feature set, those same agile DevOps-enabling capabilities can pose a security risk if improperly managed, explained Fei Huang, CEO of NeuVector.
"The use of pods, virtual services, and other key concepts have made Kubernetes containers very flexible for grouping, clustering, load balancing, and scaling," explained Huang. "At the same time, though, it brings on certain levels of complexity. For example, internal east-west network traffic may include more network hops, and containers are changing (location, hosts, quantity) more frequently."
It's a flurry of activity that can mask dangerous attacks.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
"This makes it more difficult to track compromised containers (so it becomes easier and faster for attacks to spread)," said Huang. "Diving into some networking details: when microservices are talking to one another, they may not be using a direct container-to-container connection. Instead, pods and services have virtualization layers in between them."
These layers can obscure network visibility and security monitoring, Huang explained. Following the CIS benchmarks for Kubernetes 1.6 can help organizations overcome these challenges, particularly as they scale their deployments.
In addition to the tools that businesses can use to test their Kubernetes setups, Huang's company has incorporated CIS's compliance benchmarks (currently in beta) into its own container security platform.
"NeuVector was built to support hyper-dynamic containerized environments like those enabled by Kubernetes," Huang said. "We take a zero-trust security model, assuming unknown connections are suspicious. We provide multiple layers of protections around containers, include auditing the environment for CIS security benchmark compliance, scanning all running containers and hosts for vulnerabilities, and monitoring hosts and containers for privilege escalations and breakouts."
NeuVector's CIS-compliant auditing functionality and monitoring capabilities add another layer of protection to the company's AI-inspired container security platform.
"These are in addition to our core run-time Layer 7 firewall features, which use application behavioral learning to automatically create container security rules," added Huang. "The security protection features are enabled in an automated fashion, meaning that security can be built seamlessly into our customers' container management workflow or process."