We hit 1.5 Million Downloads + Kubecon NA 2023 Updates

Container Escape & Top 6 Security Updates from Kubecon NA 2023

Thank You - This Newsletter is for You

Happy Thanksgiving

to those celebrating, but even if you are not, we do want to take this moment to say that we are truly grateful for each and every one of you and the love and support you have shown us through the years. We hope this weekend and the days after are filled with love, gratitude and beautiful moments for you all!

Thank you for supporting the podcast and the newsletter and bearing with us whilst we get some rhythm back into our newsletter. We have been busy with lots of great events, meeting lots of you in person (thanks for all the warm hellos and support), and thanks to all your support we are very, very happy to report that we hit 1.5 Million downloads on Cloud Security Podcast 😊

What's ahead in this newsletter…

  • Kubecon NA Highlights: The Security Edition 🛡️

  • Cloud Security Podcast Update: Kubernetes and Secrets Management 🎙️

  • Upcoming Events and Meetups 🌍

  • Cloud Security News You Can't Miss 📰

It’s conference season again (sometimes it does feel like the whole year is one big conference season 😊). We do love them, however, despite the jet lag, way too many steps in a day and weird meal timings and choices. Our team was at Kubecon NA in Chicago, called the windy city for good reason. It is architecturally beautiful, but just a little chilly. It was a great way to soak up the latest and greatest in Kubernetes and Cloud Native Security.

Everyone seems to love a Top 5 list, so just to be controversial 😉, here are our Top 6 Kubecon NA Updates (The Security Edition)

🛡️ Generative AI's Role in Cloud-Native Security 🤖

  • Generative AI was a major theme, with CNCF highlighting its role in cloud-native development. CNCF Executive Director Priyanka Sharma noted that "Cloud-native is the scaffolding of the AI movement." The focus was on its potential to simplify complex tasks and help development teams scale rapidly. Key players like OpenAI and Nvidia use Kubernetes for scalability.

  • With rapid scaling capabilities, the challenge for security lies in keeping pace with automation and assistance for faster security operations.

🔒 Kubernetes and Its Future in Security

  • Kubernetes co-founder and Google Distinguished Software Engineer Tim Hockin spoke about considering a "complexity budget" for new use cases, including security. Finding the balance between minimizing technical debt and enhancing security is critical for the future of Kubernetes.

🏗️ Platform Engineering for Enhanced Security 🛠️

  • Platform engineering is emerging as a solution for managing Kubernetes environments with built-in security features. This would not be news for those in the Cloud Security space who saw this with public cloud first.

  • This includes auto-updating Kubernetes clusters, secure base images, and role-based access control, all crucial for cybersecurity.

👀 Monitoring and Observability in Security Operations 📊

  • Visibility Challenges: Dynamic cloud environments present unique challenges in security monitoring, necessitating diverse telemetry sources.

  • Vendor Contributions: Many vendors showcased updates aiding in observability, monitoring, and security operations.

🔗 Advances in eBPF for Security and Observability 💻

  • eBPF, a Linux kernel technology, is gaining prominence for networking, security, and observability in Kubernetes environments.

  • Notable Releases: Cilium, which uses eBPF, achieved CNCF graduation 👩🏻‍🎓 and Tetragon 1.0 was released for Kubernetes security observability and runtime security 🎉

  • eBPF’s role in service mesh architectures and image vulnerability prioritization was particularly fascinating.

🔗🔐 Software Supply Chain Security Initiatives

Cloud Security Podcast This Week: Kubernetes Security Month + Secrets Management !

To complement our attendance at Kubecon NA, we kicked off this month with an episode with Nick Frichette and Christophe Tafani-Dereeper about container escapes in managed Kubernetes, compliance benchmarks, Kubernetes security essentials, shared responsibilities, and escaping managed Kubernetes clusters. Let's jump right in! 🚀

🌐 Managed Kubernetes Explained

  • What Is It? Managed Kubernetes promises to simplify the complex setup process of Kubernetes, a powerful container orchestration tool. This usually refers to someone like a public cloud hosting your Kubernetes environment.

  • The Big Three (release year): Google Kubernetes Engine (2015), Amazon Elastic Kubernetes Service, and Azure Kubernetes Service (both 2018) are leading the charge.

  • Ease of Use: With managed Kubernetes, cloud providers handle some of the heavy lifting - from managing the control plane to scaling and monitoring.

  • Why Choose Managed? It's user-friendly, less time-consuming, and removes the intricate engineering required for self-setup.

⚠️ Pitfalls of Managed Kubernetes

  • Hidden Admin Access: In platforms like EKS, the creator of the cluster often gets secret admin access.

  • Security Challenge: Managed Kubernetes is like adding another layer to your cloud security - stay vigilant and monitor closely.

🏃‍♂️ Container Escape 101

  • Kernel Vulnerabilities: Most common escape method. Exploit kernel flaws to jump from container to host.

  • Recent Example: 'Dirty Pipe' vulnerability.

  • Indirect Escapes: Abusing permissions or accessing Kubernetes API can also lead to escapes.

  • Security Practices: Limit kernel access and over-privileges to prevent such escapes.

🛡️ Compliance Benchmark for Kubernetes

🍏 Kubernetes Security Basics

  • Low Hanging Fruits:

    1. Avoid Hardcoded Credentials: Don't leave cloud credentials exposed in your cluster.

    2. Enforce IMDSv2 on AWS: Restrict pod access to the instance metadata service. As per AWS’s announcement, effective mid-2024, newly released Amazon EC2 instance types will use only version 2 of the EC2 Instance Metadata Service (IMDSv2).

    3. Workload Identity on GCP: Ensure secure identity management.

    4. IAM Roles Awareness: Understand the roles and their access in your cluster.
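The IMDSv2 item above is easy to check at scale. As an added example (not from the episode or the podcast), this audit walks a `describe-instances`-shaped structure and flags worker nodes that still accept IMDSv1 or whose PUT hop limit would let a pod in its own network namespace reach the node's credentials; the instance IDs and metadata options are constructed sample data.

```python
"""Audit EC2 MetadataOptions for the two settings that matter on Kubernetes
worker nodes: IMDSv2 enforcement and the PUT response hop limit."""
from typing import Dict, List, Tuple

# Constructed sample in the shape of `aws ec2 describe-instances` output; not real instances.
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0aaa111",  # hardened node
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0bbb222",  # IMDSv1 still accepted
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0ccc333",  # v2 enforced, but hop limit 2 lets pods reach IMDS
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 2}},
        {"InstanceId": "i-0ddd444",  # IMDS disabled entirely: nothing to reach
         "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 2}},
    ]}
]


def imds_findings(reservations: List[Dict]) -> List[Tuple[str, str]]:
    """Return (instance_id, finding) pairs for nodes whose IMDS settings leave
    the node role's credentials reachable via IMDSv1 or from pods on the node."""
    findings = []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # no metadata endpoint, so no node-role credentials exposed
            if opts.get("HttpTokens") != "required":
                findings.append((inst["InstanceId"], "IMDSv1 allowed (HttpTokens != required)"))
            # A pod with its own network namespace is one extra hop from IMDS; a hop
            # limit of 1 makes the IMDSv2 token response expire before it reaches the pod.
            # (hostNetwork pods are still on the node itself and are not covered by this.)
            if opts.get("HttpPutResponseHopLimit", 1) > 1:
                findings.append((inst["InstanceId"], "hop limit > 1 lets pods reach node IMDS"))
    return findings


def remediation_commands(findings: List[Tuple[str, str]]) -> List[str]:
    """One AWS CLI command per affected instance (these flags exist in the real CLI)."""
    return [f"aws ec2 modify-instance-metadata-options --instance-id {iid} "
            "--http-tokens required --http-put-response-hop-limit 1"
            for iid in sorted({iid for iid, _ in findings})]


if __name__ == "__main__":
    for cmd in remediation_commands(imds_findings(SAMPLE_RESERVATIONS)):
        print(cmd)
```

In practice you would feed the function the parsed JSON from `aws ec2 describe-instances` (or your node group's launch template settings) rather than the sample above.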

🤝 Shared Responsibility in Managed Kubernetes

  • Control Plane Management: Cloud providers handle it, offering ease in updating and scaling.

  • Your Responsibilities: Configurations, access control, and understanding the attack surface.

  • Customization Levels: Options like AWS EKS on Fargate or GKE Autopilot offer different management levels, impacting security and flexibility.

🛸 Escaping Managed Kubernetes Clusters

  • From Pod to Cloud: Attackers can pivot from the pod to the wider cloud environment, using methods like accessing instance metadata services.

  • Stay Alert: Understanding these potential escapes is crucial for robust cloud security.

From Managed Kubernetes, we moved to the world of Secrets and Secrets Management and spoke to Ziad Ghalleb about how to do it right!

🗝️ What Are "Secrets" in Cloud Security?

But what exactly are these secrets? Ziad broke this down for us:

  • Data Storage Secrets: These include credentials and URLs used for connecting to databases like PostgreSQL or MongoDB.

  • Cloud Provider Secrets: Keys that grant access to cloud infrastructure and resources, typically generated through AWS or Google Cloud consoles.

  • Messaging Systems: Essential for internal and external communication, these use secrets and API keys.

  • Developer Tools: Think GitHub personal access tokens or CircleCI API keys.

🔍 Keeping a Tab on Your Secrets: The Art of Observability

  • Awareness and Monitoring: Knowing where your secrets are and getting alerted if they leak is crucial. Continuous monitoring of tools like code repositories, Slack, and JIRA is necessary.

  • Incident Response: Establish clear processes for rotating and revoking compromised secrets without disrupting other services.

  • Preventative Measures: Implement scanners in CI/CD and shift secret security left with pre-commit and pre-push hooks.

📈 Secrets Management Maturity Levels: From Beginner to Pro

  • Initial Scan and Measurement: Assess your current state by identifying the number and location of leaked secrets.

  • Maturity vs. Capability: Shift focus from just implementing tools and processes (maturity) to achieving specific outcomes (capability).

  • Measurable Outcomes: Aim to significantly reduce the number of leaked secrets, working towards a zero hard-coded secrets policy.

🎯 How can you implement Secrets Management at your end?

  1. Implement Observability: Ensure continuous monitoring of all platforms where secrets might be shared or stored.

  2. Develop a Robust Response Plan: Prepare for secret leaks with a clear, efficient incident response strategy.

  3. Proactive Prevention: Integrate security tools early in the development process to catch secrets before they're committed.
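The "scanners in CI/CD and pre-commit hooks" point above, and step 3 here, come down to inspecting what a commit adds before it lands. As an added example (our own illustration, not Ziad's tooling or any product), this minimal pre-commit style scanner parses a unified diff, checks only added lines, reports file and line number, and returns a non-zero status so a hook can block the commit; the diff below is constructed and the AWS key in it is AWS's documented example value.

```python
"""Minimal pre-commit style secret scanner over a unified diff."""
import re
import sys
from typing import List, Tuple

# Patterns for a few of the secret types named in this section. Keyword match
# only fires when a quoted literal follows, so reading from os.environ stays clean.
PATTERNS = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("credential-assignment",
     re.compile(r"(?i)(password|passwd|secret|token|api_key)\w*\s*[:=]\s*[\"'][^\"']{8,}[\"']")),
]
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

# Constructed sample diff; AKIAIOSFODNN7EXAMPLE is AWS's documentation placeholder key.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,5 @@
 import os
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "hunter2hunter2"
 DEBUG = False
+GITHUB_TOKEN = os.environ["GITHUB_TOKEN"]
"""


def scan_diff(diff: str) -> List[Tuple[str, int, str]]:
    """Return (path, new_line_number, secret_kind) for every added line that matches."""
    findings, path, new_line = [], "?", 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")  # '+++ b/config/settings.py'
            continue
        m = HUNK_RE.match(raw)
        if m:
            new_line = int(m.group(1))  # line number of the first line in the hunk
            continue
        if raw.startswith("-"):
            continue  # removed lines never enter the repository
        if raw.startswith("+"):
            for kind, pat in PATTERNS:
                if pat.search(raw[1:]):
                    findings.append((path, new_line, kind))
                    break
        new_line += 1  # context and added lines both advance the new-file line count
    return findings


def main(diff: str) -> int:
    """Hook entry point: print findings and return 1 to block the commit if any."""
    findings = scan_diff(diff)
    for path, line, kind in findings:
        print(f"{path}:{line}: possible {kind}; remove it and load it from a secrets manager")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(SAMPLE_DIFF))
```

A real hook would feed it `git diff --cached` instead of the sample, and a CI job would run the same function over the pull request's diff.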

Some useful links that Ziad shared:
Try - Has my Secret Leaked?

If you are attending AWS re:invent in Vegas next week, please do come and say hello to us 👋🏽. As usual we will be walking around to make sure we say hello to all our favourite cloud security folks, capture some fun interviews and insights for you all.

And if you can’t make it this year - Don’t fear, we have a bunch of exciting things planned just for you. Make sure you follow us on our socials to know where to find us 🙂 - though we are usually hard to miss 🦚

In case this was forwarded to you, you can sign up here for more Cloud Security.

We are nearly at the end of 2023 and gearing up for a very exciting 2024, if there is a topic in Cloud Security you wanted to hear about and we are yet to cover it, let us know and we will make sure we have you covered in 2024!

Top Cloud Security News this week!!

🌐 Microsoft Ignite 2023 - A Showcase of AI + Security Innovations

  • Microsoft Ignite 2023 highlighted some pivotal developments in cloud, data, and security.

  • Key announcements included Microsoft Fabric, 3D immersive Teams spaces, and a unified platform integrating Microsoft Sentinel with Defender.

  • Microsoft shared its view of the future of security with AI and announced a new generative AI solution, Microsoft Security Copilot 💡, which according to them combines their stated massive data advantage and end-to-end security, all built on the principles of Zero Trust.

  • Microsoft launched a generative AI-powered unified security operations platform with Microsoft Sentinel and Defender XDR, melding SIEM, XDR, and AI capabilities. This platform aims to streamline threat response and provide comprehensive threat insights, and hopes to be a significant leap in security operations.

  • AI and Cloud Infrastructure Overhaul: Microsoft revealed new cloud infrastructure innovations, including two Microsoft-designed AI chips, Azure Maia and Copilot Studio. These advancements are aimed at revolutionizing how AI workloads, including OpenAI models, are managed and executed.

  • Microsoft introduced Azure AI Studio and Model-as-a-Service, providing developers with a unified platform and a vast selection of generative AI models. This development aims to simplify AI integration and enhance AI applications.

🎉 AWS Launches PartyRock - A New Era in App Development

  • AWS announced the introduction of PartyRock, an Amazon Bedrock Playground, marking a stride in generative AI and app development. PartyRock is described as a fun, intuitive, hands-on app-building platform, enabling users to create a variety of applications and experiment with generative AI.

  • AWS emphasized accessibility and innovation, noting that PartyRock is designed to make app development available to everyone, regardless of their experience in software development, and that this new service aligns with AWS's vision of democratizing generative AI technology.

  • According to AWS, PartyRock is about letting users enjoy the process of experimentation, learn prompt engineering, and build mini-apps.

Vendor Reports (whilst we recognise many of these are sales and marketing tools, they do offer interesting industry insights, so we will share them from time to time 😊). Their mention in this section will always be unsponsored 🙂

  • Long-lived Credentials as a Breach Cause: Organizations continue to struggle with securing their cloud environments, with long-lived credentials being a primary cause of security breaches.

  • Lack of Multi-factor Authentication (MFA) Enforcement: A significant percentage of IAM users in AWS and Azure AD authenticated without MFA in October 2023, highlighting a lack of proactive enforcement.

  • Rising Adoption of AWS IMDSv2: Although crucial for protecting against server-side request forgery attacks in AWS, only 21% of EC2 instances enforce IMDSv2, showing an increase from 7% the previous year.

  • Excessive Privileges in Cloud Workloads: A substantial portion of cloud workloads, particularly Google Cloud VMs and AWS EC2 instances, have sensitive permissions that could allow attackers wide access in a cloud environment.

  • Risks from Publicly Exposed Virtual Machines: A notable percentage of EC2, Azure VMs, and Google Cloud VMs have at least one port open to the internet, increasing their susceptibility to brute-force attacks.

  • Rapid Targeting of New Kubernetes Clusters: Newly created Kubernetes clusters start receiving malicious scanning attempts within minutes, with EKS clusters being targeted in as little as 22 minutes after creation.

  • Low Usage of Network Policies: Only 9% of Kubernetes clusters use network policies for traffic separation, indicating a lack of adoption of this crucial security control.

  • Vulnerabilities Post-Initial Access: Once attackers gain initial access, they find ample opportunities for lateral movement and privilege escalation within clusters. Additionally, there's a significant gap in defense practices, especially regarding cloud impact.

  • Underutilization of Security Controls: One of the most concerning trends is the underutilization of existing security controls across the attack stages, underscoring the need to prioritize security feature adoption.

  • Recommendations for Enhanced Security: The report suggests continuous scanning for external exposure, frequent updating of clusters, runtime protection, aggressive usage of in-cluster separation security controls, and continuous review of IAM and RBAC hygiene to mitigate risks.

Cloud Security Podcast in Nov/Dec 2023

In the coming weeks we will be sharing all the great conversations we had at Kubecon NA and all the interviews we have planned at AWS re:invent. We have a truly exciting line up!! Can't wait!

Also… don't forget to catch up on our new podcast!!!

Want to learn more about Cloud Security, or know someone who does? We've got you!

If you have been following our journey for a while, you would know that one of the big reasons we started Cloud Security Podcast was to make cloud security knowledge accessible for anyone wanting to learn it.

Have you joined our FREE Monthly Cloud Security Bootcamp yet?

Are you liking this new format newsletter? What can we do better? What else would you like to see here?

Our newsletter is on a path of self-improvement and reinvention. Ashish and I have challenged ourselves to bring you even more value as we continue to evolve it each week, and we would love to hear from you 📢 about how we can make this newsletter even more awesome for you (on that note, thank you for subscribing 💙).


Hope you are enjoying this new-look Cloud Security Newsletter; there's plenty more to come.

Peace!

Was this forwarded to you? Sign up here

Want to partner with Cloud Security Podcast? Let's make it happen

Have a topic or idea to share? Submit it here

Need Cloud Security or AI impact on Cloud Security Training or Consulting? Let’s Connect