Container security needs governance • The Register
Sponsored In the first article of our four-part series on Kubernetes in the Enterprise, we described the data services that underpin a properly built Kubernetes container environment. Data security, data governance, data resiliency and data discovery are the pillars that support the evolution of Kubernetes from raw storage, persistent or ephemeral, to true data services suitable for deployment in enterprises.
In this article and the following one, we’ll explore these specific data services. Here we cover data security and data governance together, as they are two sides of the same coin. You can think of security as a layer of data governance, or of data governance as a top-level type of security.
With containers floating around a cluster of machines, running microservices, and requiring data access, securing data both at the storage layer beneath Kubernetes and from within the Kubernetes platform itself is critical.
“Data security is a hot topic right now, especially when you think about cyber resilience and the ability to resist attacks on your infrastructure and, more importantly, your data,” says Pete Brey, Director of Big Data Marketing at Red Hat.
“The point is, there are a lot of cybercriminals out there trying to access customer data and other confidential information, and the first line of defense is encryption. Fortunately, over the past decade encryption has come a long way. Part of the reason is that we have more advanced processors that can quickly encrypt data on the fly without a measurable performance penalty. Several years ago performance was a big issue for the industry and a lot of data wasn’t encrypted when it should have been. But that’s no longer a problem.”
Encryption in a K8s environment
As with other application and system software, encryption in a Kubernetes environment typically involves encrypting data in flight, as it moves over the network, as well as at rest on physical storage such as disk drives and flash devices, or even public cloud storage. Increasingly, main memory is encrypted too, with the help of processors from Intel, AMD and others, and some processors now have ways to manage encryption keys that keep them out of the reach of attackers.
These encryption and decryption functions, vital for all software, are handled by processors that now have specialized cryptographic accelerators built in. This means businesses no longer have to spend thousands of dollars to install ancillary cryptographic coprocessors on a server’s PCI-Express bus. It also means they don’t have to take a latency hit in their applications and system software when data enters a processor, is passed to the accelerator for encryption or decryption, and is then stored in memory for processing or written out to storage for safekeeping.
This native wire-speed encryption and decryption has transformed security in the data center. And as encryption has become inexpensive, it has become ubiquitous.
The Secure Sockets Layer (SSL) protocol and its successor, Transport Layer Security (TLS), have become essential for data security. Using public key cryptography, TLS authenticates the identity of participants who share data over internet protocols, and it protects the data transfer itself with symmetric key cryptography, where keys are generated uniquely for each connection between applications on separate machines. The idea is to have keys that are unique and also long and random, so that they are impractical to guess or recover.
Let me tell you a secret
Many applications need to handle sensitive information, and Kubernetes is no different. The container management platform has an object type called Secret, which allows sensitive data related to containers and their pods to be stored and managed from within Kubernetes. Keeping this information separate and securing it independently is both safer and more flexible than embedding it in a container image or pod definition. Secrets are used not only for encryption keys, but also for OAuth tokens, SSH keys, passwords, and other sensitive information. Data in the Secrets system is encrypted at rest, and role-based access control (RBAC) can be enabled to restrict who may read and write secret data.
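As an added illustration (not from the article or from Red Hat), here are the three pieces that realise what the paragraph above describes: a Secret holding an OAuth token outside the image, the kube-apiserver EncryptionConfiguration that actually encrypts Secrets in etcd (upstream Kubernetes stores Secret values only base64-encoded, not encrypted, until this is configured), and a Role plus RoleBinding that let one service account read that one Secret and nothing else. The namespace, object names, service account and key value are assumed placeholders.

```yaml
# 1. Secret object: the OAuth token lives here, not in the image or pod spec.
apiVersion: v1
kind: Secret
metadata:
  name: payments-oauth          # assumed name
  namespace: payments           # assumed namespace
type: Opaque
stringData:
  oauth-token: "CONSTRUCTED_PLACEHOLDER_TOKEN"   # constructed sample value
---
# 2. kube-apiserver EncryptionConfiguration, passed to the API server with
#    --encryption-provider-config; without it Secrets sit unencrypted in etcd.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: "BASE64_32_BYTE_KEY_PLACEHOLDER"   # placeholder, generate a real key
      - identity: {}   # keep last so Secrets written before encryption was enabled still read
---
# 3. RBAC: only the payments-api service account may "get" this one Secret.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: read-payments-oauth
  namespace: payments
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["payments-oauth"]   # scoped to a single Secret, not all of them
    verbs: ["get"]                      # no list/watch, which resourceNames cannot restrict
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: payments-reads-oauth
  namespace: payments
subjects:
  - kind: ServiceAccount
    name: payments-api              # assumed service account
    namespace: payments
roleRef:
  kind: Role
  name: read-payments-oauth
  apiGroup: rbac.authorization.k8s.io
```

After enabling the EncryptionConfiguration, existing Secrets must be rewritten (for example by reading and re-applying them) before they are stored encrypted, since only new writes go through the aescbc provider.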
Everything that applies to security and governance in the enterprise applies to Kubernetes
The good news for organizations is that there are ways to hook the Kubernetes platform into the existing security and governance framework. “Everything that applies to security and governance in the enterprise applies to Kubernetes,” says Brey. “All of the concepts still apply – key management, to take an example – and you don’t have to buy a lot of extra stuff. Much of this is already built into our OpenShift Kubernetes platform, for example. Red Hat Enterprise Linux has cryptographic modules, which are used by OpenShift, Ansible, Ceph, and other parts of the Red Hat stack.”
Data governance can’t be an afterthought, and just because we’re talking about it second in this story doesn’t mean it plays second fiddle to data security. Security without governance is not really security, and governance without security is not really governance at all. If you let someone unlock data, you need to make sure you know who they are, both when the data is unlocked and afterwards, when you might need to walk an audit trail through the logs to try to find a hacker.
Security without governance is not really security, and governance without security is not really governance at all
Given this natural dependence, many people assume that security measures amount to sufficient governance. “In fact, security and governance are quite different,” Brey explains. “Security has more to do with the technical controls that are in place around physical data. Governance is a higher level issue, which encompasses security, but also includes procedures and protocols for who can access data and how.”
In many industries, the immutability of data is also a kind of security, distinct from encrypting it or monitoring its access like a hawk. Write once, read many (WORM) storage is integral to specific industries, such as financial services and healthcare, keeping data immutable for a defined period, often on transactional or object storage. The auditing and logging functions, as well as the immutable data functions, required here – and probably useful in many industries – are included with OpenShift Data Platform, Ceph object storage, and other system software. All you have to do is turn them on.
Sponsored by Red Hat.