Misconfiguration in Containers and Cloud: Risks and Fixes - InformationWeek

Commentary
2/27/2020
11:30 AM

Misconfiguration in Containers and Cloud: Risks and Fixes

Moving fast in DevOps can create points of security vulnerabilities that might go unnoticed until calamity strikes.

Organizations in a rush to transform could benefit from a moment of pause to avoid misconfigurations that might create unexpected, unnoticed exposure. The going trend is for enterprises to march forward with DevOps to ramp up their pace of deployment. Such haste could lead to gaps in security that might otherwise have been caught along the way. Experts from StackRox and Packet dissect some of the telltale signs of misconfiguration and how organizations can address them.

The mindset and mandate for many DevOps teams is to push code out fast with the goal of making their organization more agile, says Michelle McLean, vice-president of marketing for StackRox, provider of a Kubernetes security platform. This is not to imply developers do not care about security or are willfully negligent, she says. “However, it is not always the first thing they are thinking of.”

McLean is the author of StackRox’s latest State of Container and Kubernetes Security Report. She says security has become more inherent within infrastructure in many ways, which has led to new approaches to the development cycle. “Before, you used to build code then throw it over a wall,” McLean says. “Somebody figures out how to make it run, throw it over the next wall. Somebody figures out how to make it secure, now we go live.”

Image: WrightStudio - Adobe Stock

That sequence has been upended in the era of DevOps, she says, with different parts of the cycle sometimes overlapping and creating blind spots. “Now all of this is mixed up together and happening at similar timeframes,” McLean says. “When the mandate is to move fast, put out the code fast, you can miss a few things.”

The issue of misconfiguration is tied closely to the DevOps journey, says Jacob Smith, CMO and a co-founder of Packet, an on-premise cloud provider. He says this stems from how containers are deployed through DevOps automation versus IT administration. “It is a different workflow and one of the biggest areas of weakness is around network policy,” Smith says. Problems can be easy to miss, he says, because configurations change at a larger and larger scale as the infrastructure becomes more varied and migrates to the cloud.

Smith says supporting toolsets from Red Hat, Rancher, or VMware can monitor and improve visibility, so developers know which containers connect to what. The relative newness and rapid evolution of containers into a business imperative, he says, has made it a challenge for developers to keep up. “There’s so many things going on and it changes really quickly,” Smith says. “That’s a recipe for confusion; a lot of people new to it feel on edge.” This part of the DevOps landscape has matured rapidly in the last two years, he says, with new demands and needs emerging seemingly overnight.

“Everyone has to have a service mesh strategy though 18 months ago it didn’t exist,” Smith says. Security is an obvious area for potential fallout, but business inefficiencies due to misconfigurations can also be expensive. For instance, out-of-control resource allocation by a container might take down the server. “That’s the one thing it’s not supposed to do,” he says.

One of the key misconfiguration problems McLean highlights is that not all security controls are turned on by default. With containers and Kubernetes, there can be many moving parts with complicated infrastructures that are still being learned, she says. “The assumption is the developer will enable the security controls at some point.”

Michelle McLean, StackRox

Image: StackRox

McLean recommends looking for certain hard-to-find elements, such as whether resources are read-only, or if they can be written to. Check if role-based access control is enabled. “That is analogous to having writable containers,” she says. “If someone gains permission to make changes at the Kubernetes level, you are going to open to risk. That’s the keys to the kingdom. If I can get into Kube, I can get into all your assets.”
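The checks named in this article (writable containers, RBAC, missing network policy, and unbounded resource use) can be run over manifests before they are deployed. The following is an added example, not code from the article, StackRox, or Packet; the sample manifests are constructed, the finding labels are chosen here, and treating a namespace as covered when it has any NetworkPolicy is a simplifying assumption.

```python
import json

# Constructed sample objects (JSON form of Kubernetes manifests), not from the article.
MANIFESTS = json.loads("""[
 {"kind": "Deployment", "metadata": {"name": "web", "namespace": "shop"},
  "spec": {"template": {"spec": {"containers": [
    {"name": "app", "image": "example/web:1.0"}]}}}},
 {"kind": "Deployment", "metadata": {"name": "api", "namespace": "billing"},
  "spec": {"template": {"spec": {"containers": [
    {"name": "api", "image": "example/api:1.0",
     "securityContext": {"readOnlyRootFilesystem": true},
     "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]}}}},
 {"kind": "NetworkPolicy", "metadata": {"name": "default-deny", "namespace": "billing"},
  "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
 {"kind": "Pod", "metadata": {"name": "kube-apiserver", "namespace": "kube-system"},
  "spec": {"containers": [{"name": "kube-apiserver",
    "command": ["kube-apiserver", "--authorization-mode=AlwaysAllow"]}]}}
]""")

def audit(manifests):
    """Return (workload, finding) pairs for the gaps named in the article."""
    findings = []
    # Coarse heuristic (assumption): a namespace is covered if it has any NetworkPolicy.
    policed = {m["metadata"]["namespace"] for m in manifests
               if m["kind"] == "NetworkPolicy"}
    for m in manifests:
        if m["kind"] not in ("Pod", "Deployment"):
            continue
        meta = m["metadata"]
        name = f'{meta["namespace"]}/{meta["name"]}'
        # Deployments nest the pod spec under spec.template; bare Pods do not.
        pod_spec = m["spec"].get("template", m)["spec"]
        if meta["namespace"] not in policed:
            findings.append((name, "no-network-policy"))
        for c in pod_spec["containers"]:
            # Kubernetes leaves the root filesystem writable unless this is set.
            if not c.get("securityContext", {}).get("readOnlyRootFilesystem"):
                findings.append((name, "writable-root-filesystem"))
            limits = c.get("resources", {}).get("limits", {})
            if not {"cpu", "memory"} <= set(limits):
                findings.append((name, "no-cpu-or-memory-limit"))
            # API server flag: RBAC must appear in the authorization mode list.
            for arg in c.get("command", []):
                key, _, value = arg.partition("=")
                if key == "--authorization-mode" and "RBAC" not in value.split(","):
                    findings.append((name, "rbac-not-in-authorization-mode"))
    return findings

if __name__ == "__main__":
    for workload, finding in audit(MANIFESTS):
        print(f"{workload}: {finding}")
```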

The potential for this type of exposure is likely to increase going forward, McLean says, as more companies containerize new apps they develop. “It is very likely these are some of your most important business essential apps,” she says. There is also the possibility that customer data may be held by those apps. “It is easy to make a mistake,” she says. “Organizations should help developers do things right.”


Joao-Pierre S. Ruth has spent his career immersed in business and technology journalism first covering local industries in New Jersey, later as the New York editor for Xconomy delving into the city's tech startup community, and then as a freelancer for such outlets as ...