Cyber Resilience with Kubernetes Security Posture Reviews
CloudCasa was built to provide data protection services for Kubernetes and cloud native workloads. As a SaaS backup solution for Kubernetes, CloudCasa was designed from the ground up to be a secure, well-architected SaaS platform that improves a customer's security posture against sophisticated cyber-attacks. Access to the CloudCasa service itself is protected with multi-factor authentication (MFA), IP throttling, brute-force attack prevention, SOC 2/ISO 27001 compliant authentication, and secure API keys.
Backup data is secured via encryption in transit and at rest, and CloudCasa’s managed backup storage provides a virtual airgap and immutable recovery points via SafeLock™ protection.
Expanding on this theme of cyber resilience, we have now added Kubernetes Security Posture Reviews to CloudCasa to scan your Kubernetes environment for vulnerabilities and misconfigurations. With one service and at no additional cost, administrators and developers can now both back up and recover their data and run Kubernetes security scans.
Addressing the Gaps in Kubernetes
Kubernetes is a powerful environment that can help you standardize and scale your application infrastructure. Unfortunately, with Kubernetes' great power and flexibility comes increasingly complex configuration. With so many parameters and settings to get right, human error becomes highly probable. Bad actors can exploit misconfigurations, and vulnerable components can sneak into your container images. As your environment grows, the complexity of managing multiple clusters amplifies these issues even further.
A multitude of threats can target your Kubernetes environment. Common issues include overly permissive RBAC policies, vulnerable artifacts inside your containers, misconfigured networks, and workloads running with excessive permissions or without resource limits.
Kubernetes Security Posture Scans
CloudCasa now includes the ability for users to perform automated security posture scans on Kubernetes clusters. It provides this capability using a curated collection of best-of-breed open-source security tools, which are packaged into our lightweight agent that runs in your cluster in the cloudcasa-io namespace.
The feature can be accessed in the CloudCasa UI under the new Security tab, where security issues can be searched, filtered, sorted, and flagged. Reports can be easily browsed, with several helpful views that can be grouped by different fields such as severity or type. An advanced filter allows you to quickly find the issues you’re looking for. There is a convenient bookmark feature that allows you to flag issues for review, and results can be exported in CSV format.
Free service plan users can perform up to three Kubernetes scans per cluster per month and store the results for up to 30 days. Premium service users can perform many more scans, can schedule scans to run automatically, and can store the results for longer periods. The following screenshot shows the Kubernetes security report for the Container Scan.
Managing your Kubernetes infrastructure and workloads is already complex enough. CloudCasa simplifies the task of scanning large environments with multiple clusters. The CloudCasa service allows you to automate both your backups and your security scans using scheduled protection and security jobs. The Kubernetes security scan logic is integrated into the lightweight CloudCasa Agent, which is easily deployed via a kubectl command or Helm chart. Because the agent integrates both backup and security, and CloudCasa is a SaaS hosted service, there is no need to deploy multiple tools and no need to set up dedicated infrastructure.
Comprehensive Security Reports
The Kubernetes security feature provides comprehensive scans and reports: Container Scan, Configuration Scan, Benchmark Scan, and Network Scan. Container Scan reports known vulnerabilities within your containers, including those in OS base images and in any application dependencies. Configuration Scan performs a variety of checks to ensure that your Kubernetes pods and controllers are configured according to best practices. Benchmark Scan runs the checks defined by the CIS Kubernetes Benchmark. Network Scan runs from inside your cluster network, auto-discovers all nodes, and scans the network interfaces of each node.
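To make concrete what a Configuration Scan and an RBAC review look for (the "misconfigured permissions and resource limits" and "overly permissive RBAC" called out above), here is an added, self-contained Python example. It is not CloudCasa's code and not the open-source tooling bundled in its agent; the check set and severities are my own choices, and the manifests (`WEAK_POD`, `HARDENED_POD`, `WEAK_ROLE`, `SCOPED_ROLE`) are constructed for illustration, not taken from a real cluster. The point is the pattern: treat an absent security field as the insecure default, flag it, and show the same workload after hardening producing no findings.

```python
"""Illustrative Kubernetes configuration-scan logic (added example, not CloudCasa's code).
Checks pod security contexts, resource limits and RBAC rules for common misconfigurations."""
from typing import Any

Finding = tuple[str, str, str]  # (severity, object, message)

ESCALATION_VERBS = {"bind", "escalate", "impersonate"}
HOST_NAMESPACE_KEYS = ("hostNetwork", "hostPID", "hostIPC")


def _check_container(pod_name: str, c: dict[str, Any], findings: list[Finding]) -> None:
    """Per-container checks. A missing field is treated as the (insecure) Kubernetes default."""
    name = f"{pod_name}/{c.get('name', '?')}"
    sc = c.get("securityContext") or {}
    if sc.get("privileged") is True:
        findings.append(("HIGH", name, "container runs privileged"))
    if sc.get("allowPrivilegeEscalation") is not False:
        findings.append(("MEDIUM", name, "allowPrivilegeEscalation not set to false"))
    if sc.get("runAsNonRoot") is not True:
        findings.append(("MEDIUM", name, "runAsNonRoot not set to true"))
    if sc.get("readOnlyRootFilesystem") is not True:
        findings.append(("LOW", name, "root filesystem is writable"))
    if "ALL" not in (sc.get("capabilities") or {}).get("drop", []):
        findings.append(("MEDIUM", name, "capabilities not dropped (drop: [ALL] missing)"))
    limits = (c.get("resources") or {}).get("limits") or {}
    for res in ("cpu", "memory"):
        if res not in limits:
            findings.append(("LOW", name, f"no {res} limit set"))
    image = c.get("image", "")
    if "@sha256:" not in image:  # a mutable tag can be repointed; a digest cannot
        findings.append(("LOW", name, f"image not pinned by digest: {image}"))


def scan_pod(pod: dict[str, Any]) -> list[Finding]:
    """Configuration checks for a Pod manifest, including initContainers."""
    findings: list[Finding] = []
    pod_name = pod.get("metadata", {}).get("name", "?")
    spec = pod.get("spec", {})
    for key in HOST_NAMESPACE_KEYS:
        if spec.get(key) is True:
            findings.append(("HIGH", pod_name, f"shares host namespace via {key}"))
    if spec.get("automountServiceAccountToken", True):  # Kubernetes default is True
        findings.append(("LOW", pod_name, "service account token auto-mounted"))
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        _check_container(pod_name, c, findings)
    return findings


def scan_role(role: dict[str, Any]) -> list[Finding]:
    """RBAC checks for Role/ClusterRole: wildcards, escalation verbs, exec and secret access."""
    findings: list[Finding] = []
    name = f"{role.get('kind', 'Role')}/{role.get('metadata', {}).get('name', '?')}"
    for rule in role.get("rules", []):
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        if "*" in verbs or "*" in resources or "*" in rule.get("apiGroups", []):
            findings.append(("HIGH", name, "wildcard (*) in RBAC rule; scope groups, resources and verbs explicitly"))
        if verbs & ESCALATION_VERBS:
            findings.append(("HIGH", name, f"privilege-escalation verbs granted: {sorted(verbs & ESCALATION_VERBS)}"))
        if "pods/exec" in resources and "create" in verbs:
            findings.append(("HIGH", name, "can exec into pods"))
        if "secrets" in resources and verbs & {"get", "list", "watch"}:
            findings.append(("MEDIUM", name, "can read secrets"))
    return findings


def scan(objects: list[dict[str, Any]]) -> list[Finding]:
    """Dispatch on kind, as a cluster-wide scan walks API objects; highest severity first."""
    findings: list[Finding] = []
    for obj in objects:
        kind = obj.get("kind")
        if kind == "Pod":
            findings.extend(scan_pod(obj))
        elif kind in ("Role", "ClusterRole"):
            findings.extend(scan_role(obj))
    return sorted(findings, key=lambda f: ("HIGH", "MEDIUM", "LOW").index(f[0]))


# Constructed sample manifests (hypothetical names, not from a real cluster).
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web-weak"},
    "spec": {"hostNetwork": True,
             "containers": [{"name": "web", "image": "registry.example.com/web:latest",
                             "securityContext": {"privileged": True}}]},
}
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web-hardened"},
    "spec": {"automountServiceAccountToken": False,
             "containers": [{"name": "web", "image": "registry.example.com/web@sha256:" + "a" * 64,
                             "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
                             "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False,
                                                 "readOnlyRootFilesystem": True,
                                                 "capabilities": {"drop": ["ALL"]}}}]},
}
WEAK_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole", "metadata": {"name": "ops-anything"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}
SCOPED_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role", "metadata": {"name": "pod-reader", "namespace": "web"},
    "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}],
}

if __name__ == "__main__":
    for sev, obj, msg in scan([WEAK_POD, HARDENED_POD, WEAK_ROLE, SCOPED_ROLE]):
        print(f"{sev:6} {obj:28} {msg}")
```

Running the block lists ten findings for `web-weak` (host networking, a privileged container, every security-context field left at its default, no limits, a mutable `latest` tag) and one for the wildcard `ClusterRole`, while the hardened pod and the read-only `pod-reader` role produce none. Real scanners apply many more rules and map them to frameworks such as the CIS Benchmark, but the shape is the same: a declarative manifest in, a severity-ranked finding list out.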
The screenshot below shows the overview results for a Kubernetes scan.
Your Next Steps
In summary, we believe that protecting both your Kubernetes data and your Kubernetes environment is the key mission for CloudCasa. With the addition of Kubernetes Security Posture Reviews, we have added even more value to the service. If you are an existing CloudCasa user, please log in and update your CloudCasa agents to get immediate access to these new features. If you are new to CloudCasa, we invite you to sign up for our Free Service (no credit card required), review your security posture, and start protecting your persistent data.