Ermetic Adds Kubernetes Support to CNAPP

Ermetic has added Kubernetes support to its cloud-native application protection platform (CNAPP) that enables IT and cybersecurity teams to discover and fix misconfigurations, compliance violations and risky or excessive privileges.

Amy Ariel, chief marketing officer for Ermetic, says that rather than requiring organizations to manage Kubernetes security in isolation from every other platform, the Ermetic CNAPP enables them to consistently manage everything from protecting workloads and scanning infrastructure to entitlements.

The Ermetic CNAPP platform provides IT teams with a detailed inventory of the resources inside all Kubernetes clusters by querying the Kubernetes application programming interface (API). It then analyzes each cluster to continuously assess cybersecurity posture, prioritizes risks based on vulnerability severity, and provides guided remediation advice along with workflow templates.

The Ermetic CNAPP also makes it possible to enforce least privilege access policies for both users and services using the role-based access control (RBAC) mechanism built into Kubernetes.

The goal is to provide a layer of abstraction that makes it simpler to secure Kubernetes clusters. Kubernetes was originally designed to be managed by software engineers rather than cybersecurity professionals or traditional IT administrators, she adds.

The Ermetic CNAPP achieves that goal by making it simple to cohesively address Kubernetes cluster configuration and vulnerability management, network security, RBAC, secrets management and runtime security without requiring engineers to deploy agent software, Ariel notes.

CNAPPs are at the core of an effort to reduce cybersecurity costs by centralizing the management of capabilities that previously would have required multiple point products that each have their own console. Most organizations today can’t hire and retain enough cybersecurity personnel, so a CNAPP makes it possible for a smaller team to manage multiple functions via a platform hosted in the cloud. That approach also serves to reduce the total cost of cybersecurity at a time when more organizations than ever are sensitive to the total cost of IT, notes Ariel.

It will be up to each organization to determine whether it wants Kubernetes security to be managed by a cybersecurity team rather than relying on a DevOps team to enforce cybersecurity policies. Despite the rise of DevSecOps best practices, the level of cybersecurity expertise within a DevOps team tends to vary widely by organization. Many organizations today have little to no visibility into how secure their Kubernetes environments actually are. The more security tasks that can be managed by a security operations team, the more likely it is that policies will be consistently enforced.

In the meantime, the more Kubernetes clusters are deployed in production environments, the more tempting a target they become. Cybercriminals are scanning for Kubernetes misconfigurations that are routinely made by DevOps teams that don’t have a lot of cybersecurity expertise. Given all the time and effort required to build them, cloud-native applications running on Kubernetes clusters are likely to be among the most mission-critical applications an organization deploys. The challenge now is making sure those applications are secure before they are deployed rather than after a breach occurs.

Mike Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He has also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.