Using Kubernetes to Secure Data

Data loss and ransomware are two of the biggest threats to data security today, especially as malicious actors turn their attention to the cloud. Even with security perimeters in place, bad actors are determined to map out new methods and tactics to penetrate these cloud-based environments.

Although it’s impossible to predict or prevent every attack, there are security measures and practices that can help reduce the risk. Cloud-native development practices can help your organization ensure that these solutions are more resistant to attack. Kubernetes, for example, is a tool that can help.

CloudNative Summit

Kubernetes is a container orchestration system that helps you automate the process of deploying, scaling and managing applications that are run in containers. This system separates compute loads and storage into microservices with their own independent life cycles.

But how can you leverage Kubernetes to ensure secure data? This article will discuss the ways cloud computing teams can do just that.

Process and Guard Program Data Anywhere

Kubernetes fulfills the promise of run-anywhere mobility and transparency since every expanding application estate, in the long term, must be expanded to include multiple acquired vendor platforms and consumer domains.

You should be able to protect, recover and restore open source-based data without being locked into a specific cloud infrastructure or delivery pipeline. Kubernetes enables this because it is agnostic to the type of container, orchestration, runtime and hardware. You can use it with public clouds, on-premises deployments and edge locations.

Let’s use a veterinary business as an example, as it has various compliance requirements for handling customer data. The business could use a hybrid cloud strategy with animal health records in the public cloud and client contact information stored on-premises.

Kubernetes would let the business adopt a “lift and shift” migration strategy for its animal health records. With this approach, the company could move its workloads to the public cloud without having to refactor them.

In addition, Kubernetes supports multiple container runtimes (such as Docker, rkt and CRI-O) and orchestration systems (like Swarm Mode). This makes it easy to migrate from one type of infrastructure to another—for example, from virtual machines (VMs) to containers—without feeling locked into any one system.

Planning for Recovery: Policy-as-Code

Make sure you have a plan in place in case an attack happens. The plan should include defining what kind of cybersecurity you will have, your recovery procedures and how your architecture is set up. You can store your protection assets in a repo with additional infrastructure-as-code definitions.

Developers and operations teams can use an interface like Kasten’s K10 to create and manage post-deployment policies for data on active users. This entails establishing backup periods and intricate sequences of reset procedures for numerous hybrid IT storage volumes, including unchangeable fail-safe backups.

Minimize Cost Surprises With Dynamic Storage and Backup Policies

Having a plan for when (and how) you will scale your data storage as your application or company grows is crucial. This way, you can avoid the cost surprises that come with not being prepared for an influx of users or data. For example, with bitcoin and other cryptocurrency wallets, you need to have a way to store the private keys for each user’s account. This is to ensure that the user has control over their funds and prevent any data loss.

Engineers can use a tool called Kubestr to find many potential storage volumes for their Kubernetes clusters. These storage volumes have different protocols and permission settings.

It’s easy to overlook critical components of your infrastructure during a crisis, and restoring them can be time-consuming and expensive. Worse yet, storage assets that appear reasonably priced at first may increase dramatically in months, especially if traffic rises and multiple teams require different storage spaces. Maintaining adequate fail-safes for safety may soon become cost-prohibitive.

Making sure your application teams have consistent backup and restore service goals may help eliminate the manual labor and guesswork needed for budgeting against failures and cost overruns.

Prioritize Time-to-Restore While you Have the Opportunity

The last thing you want is to be ambushed by how long it takes to restore your data after an unexpected ransomware attack. This is why it’s important to focus on time-to-restore (TTR) before you actually need to use it. TTR is the time between the start of a restore process and the moment when the application is again available to users.

Businesses want to minimize the time their transactions are lost between a service outage and the completion of the cleanup process. This is measured by the recovery point objective (RPO), and they must also achieve the recovery time objective (RTO). The RTO calculates the time it takes to return to the production level and its data to resume functioning.

Automation policies such as cross-cluster exports and imports, reducing errors and lag times in detecting and resolving problems, and implementing standard operating procedures such as change management can all help you improve your results.

Limit Communications by Monitoring Network Traffic

Most containerized applications rely heavily on cluster networks. Examine current network traffic and compare it to the amount of traffic permitted by Kubernetes network policy to see how your app interacts with other services and identify anomalies in communications.

When you compare active traffic to permitted traffic, you may discover network restrictions that aren’t used by cluster workloads. This data might be utilized to fine-tune the allowed network policy, removing any unnecessary connections to minimize the attack surface.

Use Whitelisting Processes

Although applications may be written to make use of an individual’s privacy settings, they might still create a list of running processes. Unwanted running processes are often identified using process whitelisting. To begin, keep track of the application for a while to identify all active processes during typical application operations. Then use this list as your whitelist going forward.

As new processes are started, if they don’t appear on the whitelist, then they can be blocked or monitored for suspicious activity. Not all illegitimate processes will be caught this way, but it may help prevent some attacks.

Consider Third-Party Authentication for the API Server

It’s a good idea to connect Kubernetes with a third-party authentication system (for example, GitHub). This feature keeps the kube-apiserver from changing when users are added or deleted by providing extra security measures such as multi-factor authentication. Make sure users aren’t handled at the API server level if possible. You can also use OAuth 2.0 connectors like Dex to connect with APIs.

Final Thoughts

Setting up all the right security measures can be frustrating, only to have something go wrong and watch everything unravel. As you work to make your system more secure, keep in mind these final tips:

  • Test, test and test again. The only way to know that your system is secure is to put it through its paces with regular testing.
  • Have a plan. No security measure is perfect, so it’s important to plan what you’ll do if something goes wrong.
  • Keep an eye on the future. As new threats emerge, make sure to stay up-to-date on the latest security measures so you can keep your systems safe.

To keep your application secure in a cloud-native environment, you need to be proactive about data security. By taking the time to understand the unique challenges that cloud-native data protection presents, you can be better prepared to defend against potential threats. And by following these tips, you can help ensure that your data is safe and sound before production.

Nahla Davies

Nahla Davies is a technical copywriter and former software specialist and lead programmer at several major technology companies whose clients include Collibra, UpGuard and Netflix. Since 2015 Davies has worked with enterprise clients around the world developing RegTech protocols and best practices. She worked both enterprise side and with sovereign governments acting as a key contributor for notable public projects like DCOM. Since 2020 Davies has taken a less active role in compliance consulting and started sharing my insights as a technical copywriter. Visit to learn more.

Nahla Davies has 10 posts and counting. See all posts by Nahla Davies