CNCF to Add Another Security Certification
At the CloudNative SecurityCon North America 2023 conference today, the Cloud Native Computing Foundation (CNCF) announced that it will release a Kubernetes and Cloud Native Security Associate (KCSA) certification. The KCSA certification is expected to become available later this year.
Priyanka Sharma, executive director for the CNCF, told conference attendees the entry-level certification is part of a larger effort to encourage organizations to better secure open source software that is widely used to build cloud-native applications.
As more cloud-native applications are deployed in production environments, container security is drawing far more attention. The challenge organizations face is that cloud-native security expertise is hard to find and retain. A 2022 microsurvey fielded by the CNCF found that the biggest cloud-native security challenges organizations face are a lack of technical expertise and difficulty aligning DevOps workflows with continuous integration/continuous delivery (CI/CD) platforms.
The KCSA certification, currently in development, complements the existing Kubernetes and Cloud Native Associate (KCNA) and Certified Kubernetes Security Specialist (CKS) certifications. The KCSA is a pre-professional exam intended as a stepping stone for individuals who plan to go on to take the CKS exam.
The KCSA certification will demonstrate a candidate’s basic knowledge of how a Kubernetes cluster is securely configured and how to evaluate whether it complies with security requirements. The skills it covers include developing security policies and procedures that align with industry standards and regulations, identifying and assessing security risks and vulnerabilities, implementing controls, assisting with incident response and forensic investigations, testing and monitoring security systems, and educating and training other employees on security best practices.
The most common objective of attacks on cloud-native applications today is cryptojacking. Cybercriminals will create a malicious container that can be deployed on cloud infrastructure to surreptitiously mine cryptocurrency. Those attacks also show how cloud-native application environments can be compromised in the first place. IT teams should assume that cybercriminals who have compromised those environments will share, for a fee, their techniques with cybercriminals trying to install more damaging types of malware.
The ephemeral nature of containers tends to lull organizations into a false sense of security: an individual container might only run for a few minutes, but another container spun up from the same image carries the same vulnerabilities. Once cyberattackers discover a container that has vulnerabilities, they’ll wait patiently for the next instance of that container and then exploit those same vulnerabilities. In addition, organizations routinely run containers as root and grant them permissions they never use, which creates additional opportunities for cybercriminals to escalate privileges once they compromise a set of credentials.
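The root and excess-permission problem described above is visible in the Pod spec itself, so it can be checked before the container is ever scheduled. The following is an added example, not code from the article or from the CNCF: it audits a Pod manifest (the JSON form produced by `kubectl get pod <name> -o json`) for the securityContext fields that matter most for privilege escalation, using the same fields the Kubernetes Pod Security Standards "restricted" profile enforces. The two manifests embedded in it are constructed samples, one with the weak defaults and one hardened, not real workloads; the image name and Pod name are placeholders.

```python
"""Flag Kubernetes Pod specs that run as root or keep unnecessary privileges.

Added example, not the article's or the CNCF's code. Input is a Pod as
returned by `kubectl get pod <name> -o json`; the two manifests below are
constructed samples with placeholder names and images.
"""
import json

# Constructed sample: the kind of spec the article warns about. No user is
# set (so the image default, often root, applies), the container is privileged,
# escalation is allowed, the default capability set is intact and the host PID
# namespace is shared.
WEAK_POD = json.loads("""
{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "batch-worker"},
  "spec": {
    "hostPID": true,
    "containers": [
      {"name": "worker", "image": "example.internal/worker:1.0",
       "securityContext": {"privileged": true}}
    ]
  }
}
""")

# Constructed sample: the same workload with a hardened securityContext.
HARDENED_POD = json.loads("""
{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "batch-worker"},
  "spec": {
    "securityContext": {"runAsNonRoot": true, "runAsUser": 10001,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [
      {"name": "worker", "image": "example.internal/worker:1.0",
       "securityContext": {
         "allowPrivilegeEscalation": false,
         "readOnlyRootFilesystem": true,
         "capabilities": {"drop": ["ALL"]}}}
    ]
  }
}
""")


def audit_pod(pod: dict) -> list:
    """Return human-readable findings; an empty list means the spec passes."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    findings = []

    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(f"{name}: {flag}=true shares a host namespace")

    # init containers matter too: they run first and often with more access.
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    for c in containers:
        sc = c.get("securityContext", {})
        cname = f"{name}/{c.get('name', '<unnamed>')}"

        def setting(key):
            # Container-level settings override pod-level ones.
            return sc[key] if key in sc else pod_sc.get(key)

        if sc.get("privileged"):
            findings.append(f"{cname}: privileged=true (full host access)")
        uid = setting("runAsUser")
        # Treated as root when UID 0 is requested, or when no UID is set and
        # runAsNonRoot is not enforced (the image default then decides).
        if uid == 0 or (uid is None and setting("runAsNonRoot") is not True):
            findings.append(f"{cname}: may run as root "
                            "(set runAsNonRoot or a non-zero runAsUser)")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{cname}: allowPrivilegeEscalation not set to false")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{cname}: root filesystem is writable")
        drops = [d.upper() for d in sc.get("capabilities", {}).get("drop", [])]
        if "ALL" not in drops:
            findings.append(f"{cname}: capabilities not dropped (drop: [ALL] missing)")
        if (setting("seccompProfile") or {}).get("type") not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{cname}: no seccomp profile")

    return findings


if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], "->", audit_pod(pod) or ["ok"])
```

Run against a live cluster with `kubectl get pods -A -o json` and iterate over `items`; the same checks can be enforced at admission time by labelling namespaces with `pod-security.kubernetes.io/enforce: restricted`, which is the preferable control because it blocks the weak spec instead of reporting it after the fact.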
It’s not clear who, exactly, is responsible for container security, but as more responsibility for container security shifts left toward developers, it’s apparent there is a need for more training. Most developers today have limited or no cybersecurity expertise. At the same time, cybersecurity teams without container expertise are finding they are now responsible for securing container runtime environments.
Regardless of who is responsible for which aspects of container security, the odds are slim to none that they are currently proficient in all aspects of the practice.