In this digital age, organizations are increasingly adopting cloud-native technologies such as Kubernetes to manage their infrastructure and applications. With this shift comes new challenges, particularly when securing sensitive data and protecting critical infrastructure against cyber threats.
A Venture Beat article on viewing a Kubernetes deployment from a Zero Trust perspective located Kubernetes’ vulnerability in its “relative newness and dynamic operating paradigm”, which makes the platform a target for cyberattackers.
A Zero Trust approach is essential to implementing Kubernetes securely, but there are a few fundamental steps along the way.
First, security teams need to ask questions and decide what the policy rules for communication between their computing nodes will be. Until the minimum set of connections and communications the system actually needs has been identified, there is no way to know how to design that system securely.
‘Secure everything’ is a great idea—but can your team figure out all the details to actually do it? In practice, enterprise-scale services are so complex that they often cannot be fully secured in the way that Zero Trust demands. Some components (like Kubernetes clusters and nodes) are modern and more easily addressed, but security teams may not be capable of fully securing legacy applications.
Once a team has answered questions surrounding communication concerns, the next step towards implementing a version of Zero Trust is giving secure and trustworthy identities to all the nodes and applications in a system.
If you know the identities, you can apply a security policy to let them connect or enforce an exclusion as necessary.
Identities require digital certificates, and that’s where SecureG comes in.
Unlike traditional PKI, which was developed for web servers and employee credentials, SecureG’s solutions are designed for machine speed and machine scale—especially when there’s no human in the loop.
Our technology can help you build a strong PKI backed by the strongest possible root of trust for critical infrastructure. Contact us today to learn more.
The 2022 Cloud-native Application Protection Platform (CNAPP) Analysis Report found that “96% of organizations are either using or evaluating Kubernetes, and 93% of them are currently using or are planning to use containers in production” (Research and Markets).
This confirms what we all know to be true—the present and future of enterprise computing is in the cloud, managed by tools like Kubernetes.
The advantages of cloud orchestration tools like Kubernetes over older server management approaches are clear: scalability without manual intervention, portability across multiple cloud providers, and declarative configuration that reduces hands-on management by humans. For these reasons, we’ve seen a massive shift towards Kubernetes implementations.
Great popularity can also bring great vulnerability. With the proliferation of Kubernetes use, cyberattackers have learned how to exploit the same weaknesses among enterprises that utilize this open-source software.
In the rush to take advantage of better tools, enterprises should proceed with caution. Security teams must pause to think through the basic questions about security for their data and systems. Basic doesn’t mean easy: what we’re talking about here is understanding how your systems issue digital certificates to your Kubernetes nodes and whether you can really trust those identities to mean something.
Just using a service mesh in Kubernetes is not enough. The defaults typically stand up a software-based certificate authority that automatically issues identity certificates to all nodes in the cluster. This is very convenient, and very insecure. The default configuration essentially assumes your system is already secure, instead of helping you to make it secure. For example,
- If an adversary can create a node, it will automatically be issued a certificate. From that point on, the counterfeit node is trusted by all the other nodes in the cluster.
- If an adversary can read Kubernetes Secrets, they can unearth the certificate authority’s root key stored there and then impersonate the CA, issuing false but trusted certificates to other nodes.
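A defender's first check for the second point is whether CA signing keys are sitting in ordinary Secrets at all. The following Go program is an added example, not code from this post or from SecureG: it takes input in the shape of `kubectl get secrets -A -o json` (the sample payload is constructed inline, with placeholder PEM bodies rather than real key material), base64-decodes every value, walks the PEM blocks in it, and reports each private key found. The `likelyCAKey` naming heuristic and the secret names `mesh-ca-secret`, `web-tls` and `app-config` are assumptions made for the example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"strings"
)

// objectMeta and secret mirror the Kubernetes Secret fields that matter here.
type objectMeta struct {
	Name      string `json:"name"`
	Namespace string `json:"namespace"`
}

type secret struct {
	Metadata objectMeta        `json:"metadata"`
	Type     string            `json:"type"`
	Data     map[string]string `json:"data"` // values are base64-encoded by the API
}

// secretList is the shape of `kubectl get secrets -A -o json`.
type secretList struct {
	Items []secret `json:"items"`
}

// Finding is one Secret entry that decodes to a PEM private key.
type Finding struct {
	Namespace, Name, Key, PEMType string
	LikelyCA                      bool // name looks like a CA signing key (heuristic)
}

// likelyCAKey is a naming heuristic (an assumption of this example): an entry
// such as "ca-key.pem" or "ca.key" is treated as a CA key, "tls.key" is not.
func likelyCAKey(name string) bool {
	tokens := strings.FieldsFunc(strings.ToLower(name), func(r rune) bool {
		return r < 'a' || r > 'z'
	})
	hasCA, hasKey := false, false
	for _, t := range tokens {
		hasCA = hasCA || t == "ca"
		hasKey = hasKey || t == "key"
	}
	return hasCA && hasKey
}

// findPrivateKeys decodes every Secret value and reports each PEM block whose
// type names a private key. A LikelyCA hit means anyone who can read that
// Secret can mint certificates the whole cluster trusts.
func findPrivateKeys(raw []byte) ([]Finding, error) {
	var list secretList
	if err := json.Unmarshal(raw, &list); err != nil {
		return nil, fmt.Errorf("parse secret list: %w", err)
	}
	var out []Finding
	for _, s := range list.Items {
		for key, b64 := range s.Data {
			val, err := base64.StdEncoding.DecodeString(b64)
			if err != nil {
				continue // the API always emits base64; skip anything else
			}
			// A value may hold several PEM blocks (a chain); walk all of them.
			for rest := val; len(rest) > 0; {
				block, next := pem.Decode(rest)
				if block == nil {
					break
				}
				rest = next
				if strings.Contains(block.Type, "PRIVATE KEY") {
					out = append(out, Finding{Namespace: s.Metadata.Namespace, Name: s.Metadata.Name,
						Key: key, PEMType: block.Type, LikelyCA: likelyCAKey(key)})
				}
			}
		}
	}
	return out, nil
}

// sampleSecrets builds a constructed payload in the kubectl JSON shape.
// The PEM bodies are placeholders, not real keys or certificates.
func sampleSecrets() []byte {
	pemOf := func(typ string) string {
		return base64.StdEncoding.EncodeToString(pem.EncodeToMemory(&pem.Block{
			Type: typ, Bytes: []byte("constructed placeholder, not key material")}))
	}
	list := secretList{Items: []secret{
		{Metadata: objectMeta{Name: "mesh-ca-secret", Namespace: "service-mesh"}, Type: "Opaque",
			Data: map[string]string{"ca-cert.pem": pemOf("CERTIFICATE"), "ca-key.pem": pemOf("RSA PRIVATE KEY")}},
		{Metadata: objectMeta{Name: "web-tls", Namespace: "shop"}, Type: "kubernetes.io/tls",
			Data: map[string]string{"tls.crt": pemOf("CERTIFICATE"), "tls.key": pemOf("EC PRIVATE KEY")}},
		{Metadata: objectMeta{Name: "app-config", Namespace: "shop"}, Type: "Opaque",
			Data: map[string]string{"password": base64.StdEncoding.EncodeToString([]byte("hunter2"))}},
	}}
	raw, _ := json.Marshal(list)
	return raw
}

func main() {
	findings, err := findPrivateKeys(sampleSecrets())
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s/%s key=%s type=%q likelyCA=%v\n", f.Namespace, f.Name, f.Key, f.PEMType, f.LikelyCA)
	}
}
```

Against the constructed input the scan reports two private keys, and only the `ca-key.pem` entry is flagged as a likely CA key; the leaf `tls.key` is a normal finding to review, not a CA compromise. Run it against real output by replacing `sampleSecrets()` with the bytes read from `kubectl`.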
The right approach to Kubernetes security is to use an external certificate authority that uses proper hardware security and policy enforcement. It’s a small extra step, but it’s vital to ensuring you’re actually in control of your systems.
Velocity is great—failing to secure your systems because your team doesn’t know all the details of the new tools is not. SecureG can help ensure that your virtual device identities—like the nodes in Kubernetes—are done on a solid foundation. Contact us for more information.
The chip shortage that began in 2020 had a significant impact on many industries in the United States. One noticeable effect was the empty dealership lots, as the shortage affected the production and distribution of vehicles.
However, the Biden administration’s CHIPS and Science Act has aimed to address the chip shortage by investing over $200 billion in American research, development, and supply chains. As a result, opportunities have increased for suppliers and contractors.
Taiwan Semiconductor Manufacturing Company (TSMC) is also making efforts to address the chip shortage. The company recently announced plans to invest $40 billion in chipmaking in Arizona, making it the largest foreign investment in the state. President Biden visited the Phoenix manufacturing plant and emphasized the importance of building strong supply chains for the global economy.
At SecureG, we believe in the importance of ensuring security for U.S. critical infrastructure, particularly in the rapidly-evolving tech industry. That’s why we develop innovative PKI technology to authenticate chips, devices, and systems from the silicon up. Our solutions enable secure provisioning, management, and security updates, allowing for sophisticated control and security policies that enhance reliability and resilience for critical infrastructure applications.
At SecureG, we are committed to protecting the innovations made possible by industry investment and government efforts to restore the chip industry. Contact us to learn more about how we can help.
With the proliferation of IoT devices, it is important that IoT designers build more basic security into devices before putting them into customers’ hands.
Where do you start?
The first and most essential step in this process is to build a trustworthy identity into the device at the time of manufacture.
What’s the advantage for customers?
A digital identity in the IoT device allows makers, users, and owners to control the device better – including performing safe firmware upgrades in the field.
What’s the advantage for IoT OEMs?
Building digital certificates into the device is the first step in delivering ongoing value to the end user – and this enables a subscription revenue model instead of just a one-time sale.
How do SecureG’s technology, products, and services fit into this goal?
SecureG’s technology builds a trustworthy identity into IoT devices at the time of manufacture and continuously rechecks this identity throughout its life cycle.
The challenge our next-generation networks face is that devices are trying to operate at a speed the infrastructure cannot yet support securely. SecureG makes sure the authentication for communications networks, power grids, and critical infrastructure is secure first, so that down the line the devices within these networks can be trusted.
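To make the two halves of the life cycle concrete, the following Go program is an added example (not SecureG's code, and not a description of their product): at "manufacture" a manufacturer root CA certifies a freshly generated device key under the device serial, and later an in-field re-check has the device sign a fresh nonce, which the network verifies only after confirming that the certificate chains to the trusted manufacturer root. The CA is a constructed in-memory stand-in for whatever hardware-backed root a real manufacturer runs, and the serial `SN-0001` and the nonce are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Device is what leaves the factory: a key pair and the certificate binding it
// to the device serial. In a real product the key is generated inside a secure
// element and never leaves it; here it is held in memory for illustration.
type Device struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// newCA creates a self-signed manufacturer root (constructed stand-in for a
// hardware-backed root; the name is an example value).
func newCA(name string) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// provision runs at manufacture time: generate the device key and have the
// manufacturer CA certify it under the device serial number.
func provision(caKey *ecdsa.PrivateKey, ca *x509.Certificate, serial string) (*Device, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: serial},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(5 * 365 * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Device{Key: key, Cert: cert}, nil
}

// respond is the device's half of an in-field re-check: sign the verifier's
// fresh nonce with the key certified at manufacture.
func (d *Device) respond(nonce []byte) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, d.Key, h[:])
}

// verifyDevice is the network's half: the presented certificate must chain to
// the trusted manufacturer root, and the nonce signature must verify under the
// key in that certificate. Either failure means the device is not trusted.
func verifyDevice(root, cert *x509.Certificate, nonce, sig []byte) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate does not chain to trusted manufacturer: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", errors.New("unexpected public key type")
	}
	h := sha256.Sum256(nonce)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return "", errors.New("nonce signature does not match certified key")
	}
	return cert.Subject.CommonName, nil
}

func main() {
	caKey, ca, err := newCA("Constructed Manufacturer Root")
	if err != nil {
		panic(err)
	}
	dev, err := provision(caKey, ca, "SN-0001") // manufacture time
	if err != nil {
		panic(err)
	}
	nonce := []byte("constructed nonce; draw from crypto/rand in practice")
	sig, _ := dev.respond(nonce) // in-field re-check
	serial, err := verifyDevice(ca, dev.Cert, nonce, sig)
	fmt.Println("genuine device:", serial, err)
	rogueKey, rogueCA, _ := newCA("Rogue CA") // counterfeit with its own CA
	fake, _ := provision(rogueKey, rogueCA, "SN-0001")
	fakeSig, _ := fake.respond(nonce)
	_, err = verifyDevice(ca, fake.Cert, nonce, fakeSig)
	fmt.Println("counterfeit rejected:", err != nil)
}
```

The genuine device verifies as `SN-0001`; a counterfeit that presents the same serial under a certificate from an untrusted CA is rejected at the chain check before its signature is even examined, and a signature replayed against a different nonce fails the second check. Revocation and certificate renewal, which the "continuously rechecks" claim also implies, are left out of this example.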
How do I secure my next IoT line?
Whether at manufacturing, integration, or deployment, SecureG’s technology works at every stage where you need to confirm that devices are who they claim to be. Contact us today.