Kubernetes Security Posture Management (KSPM) is the process of putting in place a system for ensuring that the defenses of Kubernetes (also referred to as K8s) clusters are sound and that they comply with internal and external security standards.
According to the Cloud Security Alliance, KSPM "also includes its ability to predict, prevent, and respond to the ever-changing cyber threats related to Kubernetes." Modern cyber threats are ever-evolving; this means there is an inherently ephemeral quality to securing Kubernetes clusters running in cloud or hybrid environments.
Before we go further, let's revisit a basic definition:
Kubernetes is an open-source container orchestration platform for managing containerized application workloads and services. Kubernetes is in charge of container deployment and also manages the software-defined networking layer that allows containers to talk to one another. The platform is portable and facilitates declarative configuration and automation.
Securing the management of containerized workloads across environments includes practices like leveraging role-based access control (RBAC), limiting API access, keeping Kubernetes itself up to date, and performing proactive scanning and monitoring.
Tasking an organization with its own adherence to KSPM will determine its success, particularly as, according to Gartner®, by 2026 more than 90% of all enterprises will extend their capabilities to multi-cloud environments.
KSPM and cloud security posture management (CSPM) differ in whether the focus is the containerized workloads or the infrastructure hosting those workloads. Because the two approaches are not quite the same, let's take a look at some of their key technical differences to clear up any potential confusion:
A pertinent aspect to note here is the shared responsibility model. This understanding between cloud service providers (CSPs) and end users of those CSP services essentially prescribes that a CSP is responsible for managing the security posture of its platform, while an end user/customer is responsible for managing container security for the instances running on the CSP's cloud platform.
KSPM works by ensuring that K8s container defenses are properly secured; this is also known as hardening. When misconfigurations, vulnerabilities, or regulatory violations are found while monitoring a Kubernetes environment, it is a good idea for IT and security teams to leverage automation to carry out the bulk of these defense-hardening techniques.
A KSPM solution should help an organization define security policies for its Kubernetes clusters. In its Kubernetes Hardening Guidance, the Cybersecurity and Infrastructure Security Agency (CISA) recommends a set of KSPM best practices for securing Kubernetes clusters:
In the guidance, CISA also goes on to say that "Administrators should periodically check to ensure their system's security is compliant with the current cybersecurity best practices. Periodic vulnerability scans and penetration tests should be performed on the various system components to proactively look for insecure configurations and zero-day vulnerabilities. Any discoveries should be promptly remediated before potential cyber actors can discover and exploit them."
KSPM is important because it acts as a safety net for containerized workloads running in a Kubernetes cluster. Ensuring security posture also matters because K8s clusters are constantly expanding to meet the needs of DevOps teams. However, it is the responsibility of the security organization to ensure the security of those containerized workloads.
Ideally, this leads to the creation of a DevSecOps culture, of which KSPM is just one aspect. As mentioned above, K8s clusters, as well as other workload types, tend to expand exponentially as a business adopts a faster rate of growth. It therefore becomes imperative for security to integrate as seamlessly as possible into the application-development process; within the cybersecurity world, this is also known as "shifting left."
The CI/CD process is as fast-paced as it sounds. Workloads keep growing to meet demands such as software updates. To developers this may seem a straightforward matter. However, these workloads are typically delivered into live, publicly accessible environments, so they must be as secure as possible to avoid being easy targets for attackers and compromise.
Thus security, instead of checking processes after they are complete, must be automated and integrated into that continuous development so that the process is checked constantly as it happens and the "shipped" product is as secure as possible. KSPM processes can help ensure this kind of security integrity in the Kubernetes runtime environment.
When it comes to a specific KSPM solution, it is important for a SOC to analyze the unique environment in which it runs K8s so that money is not wasted on unnecessary operations. Let's take a look at some of the more general aspects of a KSPM solution that could apply across most use cases.
The Center for Internet Security (CIS) has established certain benchmarks that a KSPM solution should align with. These benchmarks for Kubernetes network security define a standard by which to determine the state of security in a Kubernetes cluster running either on-prem or in cloud environments like AWS, GCP, or Azure.
In addition, the benchmarks provide guidance for remediation when security flaws are found. These benchmarks are often incorporated directly into a solution's technology, allowing companies to use Kubernetes clusters while ensuring CIS compliance.
Once a KSPM solution is installed and configured to monitor a Kubernetes cluster, it will scan container-configuration resources potentially exposed via the API; these can include pods, containers, services, and deployments.
Analysts should then be able to see this scan data in a single model representing both infrastructure and containers. In this way, a KSPM solution analyzes data for configuration and security issues according to policies defined by regulations such as PCI DSS, GDPR, and HIPAA.
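To make the kind of configuration scan described above concrete, here is an added example (not code from the article or from any KSPM vendor): a minimal posture check over a Pod manifest in the shape `kubectl get pod -o json` returns, flagging the hardening gaps that CIS Benchmark and CISA guidance items commonly target. The `SAMPLE_POD` manifest is constructed for the example and contains one weak and one hardened container.

```python
# Added example (not from the article): a minimal KSPM-style posture check over
# a Pod manifest in the shape returned by `kubectl get pod -o json`.
# SAMPLE_POD is a constructed manifest with one weak and one hardened container.
SAMPLE_POD = {
    "metadata": {"name": "web-demo", "namespace": "default"},
    "spec": {
        "hostPID": True,
        "automountServiceAccountToken": True,
        "containers": [
            {"name": "web", "image": "example/web:latest",
             "securityContext": {"privileged": True}},
            {"name": "sidecar", "image": "example/sidecar:1.2.3",
             "securityContext": {"runAsNonRoot": True,
                                 "allowPrivilegeEscalation": False,
                                 "readOnlyRootFilesystem": True}},
        ],
    },
}


def check_pod(pod):
    """Return a list of (subject, finding) tuples describing hardening gaps."""
    findings = []
    name = pod["metadata"]["name"]
    spec = pod["spec"]
    # Sharing host namespaces lets a container see or reach host processes/network.
    for ns in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(ns):
            findings.append((name, f"pod shares host namespace ({ns}=true)"))
    # The token is mounted by default; only workloads that call the API need it.
    if spec.get("automountServiceAccountToken", True):
        findings.append((name, "service account token is auto-mounted"))
    for c in spec.get("containers", []):
        # Container-level securityContext overrides pod-level settings.
        sc = {**(spec.get("securityContext") or {}), **(c.get("securityContext") or {})}
        if sc.get("privileged"):
            findings.append((c["name"], "container runs privileged"))
        if not sc.get("runAsNonRoot"):
            findings.append((c["name"], "runAsNonRoot is not enforced"))
        if sc.get("allowPrivilegeEscalation", True):
            findings.append((c["name"], "allowPrivilegeEscalation not disabled"))
        if not sc.get("readOnlyRootFilesystem"):
            findings.append((c["name"], "root filesystem is writable"))
        image = c.get("image", "")
        # Look at the last path segment so a registry port (host:5000/img) is not mistaken for a tag.
        tag_part = image.rsplit("/", 1)[-1]
        if "@sha256:" not in image and (":" not in tag_part or tag_part.endswith(":latest")):
            findings.append((c["name"], f"image tag is not pinned: {image}"))
    return findings
```

Running `check_pod(SAMPLE_POD)` reports two pod-level findings and five for the `web` container, while the hardened `sidecar` container produces none.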
Maintaining running applications is critical when a threat is imminent or an active compromise is under way. A KSPM solution makes this possible by allowing easy application portability. Applications can be automatically replicated from one cloud server to another to maximize redundancy in case of an incident.