Protecting Kubernetes Environments: NSA's Guide

The US National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a thorough guide on securing Kubernetes environments, focusing on national security systems and critical infrastructure. However, the authors encourage other organizations to adopt their recommendations, as container security is a concern for all.

Attackers' Motivations

According to the guide, data theft remains a primary motivation for attackers, with computational power theft (especially for cryptocurrency mining) and Denial of Service attacks also being common goals. The top threats identified include supply chain risks, malicious actors, insider threats, and misconfigurations.

NSA Recommendations

The guide provides an overview of Kubernetes architecture, describes security challenges, and offers recommended hardening measures and mitigations, including sample configurations. Kubernetes administrators should:

  • Scan containers and pods for vulnerabilities and misconfigurations.
  • Run containers and pods with the least privileges possible.
  • Use network separation to limit damage from compromises.
  • Implement firewalls and encryption to control network connectivity and protect confidentiality.
  • Enforce strong authentication and authorization to limit user and administrator access and limit the attack surface.
  • Use log auditing to monitor activity and detect potential threats.
  • Periodically review Kubernetes settings and apply vulnerability scans to ensure security patches are applied.

Implementation Challenges

Dev, DevOps, and DevSecOps professionals have voiced doubts about how easily the NSA's recommendations can be implemented, particularly because security is rarely the top priority in practice. Third-party containers and apps are often seen as a "complete tire fire" of vulnerabilities and configuration issues. Some suggest building everything in-house, but this is resource-intensive.

Patch management is also a challenge: in practice, "sometimes" rarely means "now" and usually means "after the busy season." Deception technology can be a valuable addition to a security strategy, and forward-looking organizations are implementing Defense in Layers (or Defense in Depth/Breadth) and deploying container-specific security controls.

Incorporating deception into Kubernetes applications to detect exploits, discovery, and lateral movement has never been easier, with solutions like NeroSwarm Honeypot available.

A Call for Integrated Security Strategy

In conclusion, the NSA's guide provides valuable insights into securing Kubernetes environments. Implementing their recommendations may be challenging, but incorporating deception technology can help organizations stay ahead of attackers. By making security a top priority and integrating it into their CI/CD processes, businesses can protect their containers and ensure the security of their systems.