
Security In Plain Sight


Security doesn’t require obscurity. Today’s cloud users know that the safest applications put security front and center while still allowing for customization to meet specific needs. When securing the platform, being able to rely on industry-standard cloud native technologies is essential. If security is the “what”, compliance is the “why”. Kubernetes has been a game changer for many organizations, and with the velocity it enables, compliance matters even more. The intersection between cloud native architectures, open source tooling, and operational governance has amplified the need for simpler ways to achieve granular controls that balance speed and confidence.

At Azure, we solve enterprise security concerns by building cloud native ecosystem projects in open source communities. We find that open-source tooling is the best way to enable highly secure enterprise-ready Kubernetes. Your journey may look something like this: as an operator of enterprise Kubernetes clusters, you want controls built into the platform, so you can remain in compliance while achieving your goals. Add in a dash of governance and accelerate your progress with cloud-native tooling, and we’re in business. Let’s look at how a number of open source projects we’re investing in add up to superb cloud native security.

What can give us the advantage of built-in compliance? Let’s start by establishing consistent policies across all runtimes in your environment. Built on top of the Open Policy Agent project, Gatekeeper provides the ability to evaluate and validate configurations being deployed to a Kubernetes cluster. Users can craft their policies using constraint templates written in Rego, a declarative query language for OPA. Gatekeeper’s community policy library helps you craft policies to meet your operational compliance requirements, such as using only authorized container registries and container images. Open Policy Agent has recently achieved CNCF graduation, and Gatekeeper v3 is stable and recommended for production use.

Granular control of what’s running on our clusters is a good start, but authorization also requires authentication. The Azure Active Directory Pod Identity open source project provides you with the flexibility to control the access allowed for a specific application running on Kubernetes. With a central directory for authentication of pod identities, cluster operators can configure fine-grained controls on authorizing pods to access resources outside the Kubernetes cluster. For example, you can allow an application to access a database without needing to add logic inside of your application. The goal: simplify your cloud native applications by moving the authorization logic out of the container and onto the Kubernetes cluster itself.

Many enterprises are operating in an environment where existing choices around key management must be incorporated into new projects. Happily, it’s possible to extend your existing key-management system to also handle upcoming needs. Safely store those essential credentials outside of your cluster with the Secrets Store CSI driver project. This allows Kubernetes to mount multiple secrets, keys, and certs from external secrets stores into the cluster’s pods as a volume, ensuring the necessary compliance and consistency.
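How the two pieces above fit together, as an added example that is not part of the article or of either project’s documentation: a SecretProviderClass tells the Secrets Store CSI driver (here with the Azure Key Vault provider) to authenticate with the Pod’s AAD Pod Identity and pull one secret, and the Pod mounts it read-only as a file. The Key Vault name, tenant ID, image and the `app-identity` binding (an AzureIdentityBinding that must exist separately) are placeholders.

```yaml
# Which external secrets to fetch, and how to authenticate to the store
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: app-db-credentials
  namespace: production
spec:
  provider: azure
  parameters:
    usePodIdentity: "true"               # use the Pod's AAD Pod Identity, no client secret in-cluster
    keyvaultName: "example-kv"           # placeholder Key Vault name
    tenantId: "00000000-0000-0000-0000-000000000000"  # placeholder tenant ID
    objects: |
      array:
        - |
          objectName: db-password
          objectType: secret
---
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: production
  labels:
    aadpodidbinding: app-identity        # selector of the AzureIdentityBinding
spec:
  containers:
    - name: app
      image: example.azurecr.io/app:1.0.0   # placeholder image
      volumeMounts:
        - name: secrets
          mountPath: /mnt/secrets
          readOnly: true
  volumes:
    - name: secrets
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: app-db-credentials
```

Inside the container the secret appears as the file /mnt/secrets/db-password; nothing is written to a Kubernetes Secret object, and the Pod only obtains what the identity bound to `app-identity` is permitted to read from the vault.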

Fine-grained control doesn’t stop with key management; it’s also necessary for traffic shaping and for collecting the metrics and KPIs of applications running in our Kubernetes clusters. Enter service meshes, which simplify securing and routing traffic both inside and outside a Kubernetes cluster. Open Service Mesh is an implementation of the Service Mesh Interface specification with these project goals in mind: OSM must be simple to understand and contribute to; effortless to install, maintain, and operate; painless to troubleshoot; and easy to configure via SMI. Moving mesh-specific configuration out of the applications allows cluster administrators to make it an operational configuration component. And with mTLS encryption, you can meet your enterprise-grade data provenance and integrity guarantees.

Protecting data in transit and at rest isn’t enough – we also need to protect data in use. Data integrity requires a trusted execution environment. Based on the Open Enclave SDK, Mystikos supports unmodified Linux binaries, such as many golang programs, and makes it easy to migrate from Docker containers to the SGX trusted execution runtime. Conversations around compliance are streamlined by the assurances that you can audit, inspect, and edit components up and down the stack.

In today’s risk environment, nothing is more certain than the need for verifiable controls that ensure all necessary security and compliance policies have been met. If any of these open source projects overlap your needs, please join us on GitHub. We’ll be delighted to connect in the community and to learn more about your environments and needs. We’re building industry-leading security tooling with the open source community, and we’d be happy for you to join us.

Join the cloud native community at KubeCon + CloudNativeCon Europe 2021 – Virtual from May 4-7 to further the education and advancement of cloud native computing.