CNCF to Add Another Security Certification

At the CloudNative SecurityCon North America 2023 conference today, the Cloud Native Computing Foundation (CNCF) announced that it will release a Kubernetes and cloud security associate (KCSA) certification. The KCSA certification will be available later this year.

Priyanka Sharma, executive director for the CNCF, told conference attendees the entry-level certification is part of a larger effort to encourage organizations to better secure open source software that is widely used to build cloud-native applications.

As more cloud-native applications are deployed in production environments, there’s now a lot more focus on container security. The challenge organizations face is that cloud-native security expertise is hard to find and retain. A recent 2022 microsurvey fielded by the CNCF found the biggest cloud-native security challenges organizations face are a lack of technical expertise and difficulty aligning DevOps workflows and continuous integration/continuous delivery (CI/CD) platforms.

The KCSA certification, currently in development, complements existing Kubernetes and Cloud Native Associate (KCNA) and Certified Kubernetes Security Specialist (CKS) certifications already available. The KCSA certification consists of a pre-professional exam designed for individuals before they take the CKS exam.

The KCSA certification will demonstrate a candidate’s basic knowledge of the security configuration of a Kubernetes cluster and evaluating whether it complies with security requirements, including developing security policies and procedures that align with industry standards and regulations, identifying and assessing security risks and vulnerabilities, implementing controls, assisting with incident response and forensic investigations, testing and monitoring security systems and educating and training other employees on security best practices.

The primary attack vector used to compromise cloud-native applications involves cryptojacking. Cybercriminals will create a malicious container that can be deployed on cloud infrastructure to surreptitiously mine cryptocurrency. However, those attacks also show how cloud-native application environments can be compromised. IT teams should assume that cybercriminals that have compromised those environments will share—for a fee—those techniques with cybercriminals trying to install more malicious types of malware.

The ephemeral nature of containers tends to lull organizations into a false sense of security because while an individual container might only run for a few minutes, another container with the same vulnerabilities will quickly be spun up. Once cyberattackers discover a container that has vulnerabilities, they’ll wait patiently for the next iteration of that container and then exploit those vulnerabilities. In addition, organizations routinely grant permissions for unused containers running as root, which creates additional opportunities for cybercriminals to escalate privileges once they compromise a set of credentials.

It’s not clear who, exactly, is responsible for container security, but as more responsibility for container security shifts left toward developers, it’s apparent there is a need for more training. Most developers today have limited or no cybersecurity expertise. At the same time, cybersecurity teams without container expertise are finding they are now responsible for securing container runtime environments.

Regardless of who is responsible for which aspects of container security, the odds are slim to none that they are currently proficient in all aspects of the practice.

Mike Vizard

Mike Vizard is a veteran IT journalist with more than 25 years of experience covering the technology industry, having previously served as Editor-in-Chief of both CRN and InfoWorld and as editorial director for Ziff-Davis Enterprise, where he oversaw titles including eWEEK, CIO Insight and Baseline. Over his career he has also edited or contributed to a wide range of enterprise technology publications, including IT Business Edge, Channel Insider, ComputerWorld, TMCNet and Digital Review, and he later led editorial for CTOEdge.com. His reporting and analysis span software development, cloud computing, cybersecurity, IT channel strategy and, more recently, artificial intelligence and DevOps practices. A recognized voice in enterprise IT journalism, Vizard is known for tracking emerging technology trends as they move from early adoption into mainstream enterprise use. He now serves as Chief Content Officer for Techstrong Group, where he oversees editorial strategy across the full network — DevOps.com, Security Boulevard, Cloud Native Now, Digital CxO, Techstrong.ai, TechStrong.IT, Techstrong Semi and PlatformEngineering.com — in addition to writing and hosting content for Techstrong TV and the Techstrong Gang podcast.

    Mike Vizard has 1813 posts and counting. See all posts by Mike Vizard