Report Surfaces High Level of Kubernetes Insecurity in the Cloud
A report published by Cymulate, a provider of a cybersecurity platform for managing attack surfaces, found the instances of Kubernetes clusters made available by the three major cloud service providers are vulnerable to a wide range of potential cyberattacks.
The Cymulate Threat Research Group ran 14 simulations of Kubernetes-specific threat activities for each of the three major cloud service offerings, with the successful detection rate for all three providers ranging from 6.6% to 20%. The average score across Amazon Web Services (AWS), Microsoft and Google combined is 13.3%, according to the report.
All three cloud service providers also failed to log sufficient information to identify threat activity in eight threat simulations.
Michael Ioffe, senior security researcher for Cymulate, said the report makes it clear that additional cybersecurity tools and platforms are required to properly secure Kubernetes clusters running in the cloud. In addition, the logging tools that are provided.
Organizations that are relying solely on the tools provided to them by cloud service providers are essentially blind to a range of tactics and techniques that cybercriminals can employ to compromise Kubernetes environments, he added.
While cloud service providers have made it clear for years that cybersecurity is a shared responsibility, many organizations still don’t understand exactly what capabilities are being provided natively by cloud service providers to achieve that goal. Far too many organizations still assume that cloud service providers are providing a full suite of tools that run natively in their platform when, in fact, they either offer a capability as an additional subscription service or lack capabilities that can only be provided by a third-party platform.
That lack of clarity results in vulnerabilities that can be easily exploited simply because the assumptions being made about cloud security turn out to be deeply flawed. This issue can be especially problematic in organizations that allow developers with little to no cybersecurity expertise to provision cloud infrastructure on their own. As a result, large swaths of cloud services are often misconfigured in ways that, for example, leave open ports through which data can be exfiltrated. Given the inherent complexity of Kubernetes clusters, the probability there will be misconfigurations is exponentially higher.
In theory, the adoption of DevSecOps best practices will reduce misconfigurations. However, each organization will need to determine how best to implement those best practices in ways that don’t increase the cognitive load required to adopt and maintain them. Most developers have little interest in cybersecurity, so the processes used to securely provision a Kubernetes cluster must be as frictionless as possible to ensure developer productivity isn’t adversely impacted.
It’s not clear how often Kubernetes environments in the cloud are being compromised, but given the mission-critical nature of many cloud-native applications, it’s safe to assume cybercriminal syndicates and nation-states are actively looking for ways to exploit any weakness. In fact, until proven otherwise, many organizations might want to assume that any Kubernetes cluster they have previously deployed has already been compromised.