Chap 10 - 01 - Understand Virt Essential Concepts and OS Virt Security - 08_ocred.pdf



Certified Cybersecurity Technician Virtualization and Cloud Computing Exam 212-82

Kubernetes Security Challenges and Threats

01 Explosion of east-west traffic
02 Increased attack surface
03 Automating security to keep pace
04 Too many containers
05 Communication between containers
06 Default configuration settings
07 Runtime security challenges
08 Compliance issues

Kubernetes Security Challenges and Threats

Kubernetes enables an organization to automate application deployment, which supports rapid business growth. However, these deployments are exposed to attack and exploitation by adversaries, so security is a critical component of every Kubernetes deployment. Containerized workloads in the cloud are targeted by ransomware, cryptomining, data theft, and service disruption. The highly dynamic nature of containers gives rise to the following Kubernetes security challenges.

- Explosion of East-West Traffic: Because containers are deployed dynamically across multiple hosts or clouds, east-west traffic (traffic that flows between workloads inside a data center or cluster) must be monitored for attacks just as carefully as north-south traffic at the perimeter.

- Increased Attack Surface: Every container has its own attack surface and vulnerabilities that an adversary can exploit. The container platform and orchestration tooling (Docker, Kubernetes) add their own components, APIs, and configuration to that surface.

- Automating Security to Keep Pace: Because the container environment changes constantly, older security models and tools cannot provide complete protection. Security controls therefore need to be automated to keep pace with container deployment.

- Too Many Containers: A single deployment can run a very large number of short-lived containers spread across many hosts, which makes it hard to keep an accurate picture of what is running and where.

- Communication Between Containers: Containers communicate with each other and with internal and external endpoints in order to function. If one container is compromised and that communication is unrestricted, the attacker can pivot to every other container it can reach.

Module 10 Page 1279 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

- Default Configuration Settings: Using the default settings in Kubernetes makes application development faster and lets all the components in the environment communicate easily. However, those same defaults also make Kubernetes more exposed and less secure.

- Runtime Security Challenges: The transient, fast-moving nature of containers makes it difficult to see which container processes are running at any moment, and therefore harder to detect a malicious process while it runs.

- Compliance Issues: Organizations should adopt techniques to ensure that the Kubernetes environment adheres to the security controls, industry standards, and internal organizational policies that were devised for conventional application architectures.

Container Management Platforms

Docker is a container platform that helps in building, managing, and securing all applications and deploying them across cloud environments (https://www.docker.com). The slide also shows Portainer (https://www.portainer.io), Red Hat OpenShift Container Platform (https://www.openshift.com), Microsoft Azure Container Instances (ACI) (https://azure.microsoft.com), Amazon Elastic Container Service (ECS) (https://aws.amazon.com), and Rancher (https://rancher.com).
Listed below are various container management platforms:

- Docker (https://www.docker.com): Docker is an independent container platform that helps in building, managing, and securing all applications, from traditional applications to the latest microservices, and deploying them across cloud environments. Docker contains a container content library and ecosystem with more than 100,000 container images, which allow developers to create and deploy applications. Docker also features core building blocks, such as Docker Desktop, Docker Engine, and Docker Hub, for easily sharing and managing application stacks.

Figure 10.14: Screenshot of Docker (Docker Hub catalog listing Oracle Database Enterprise Edition, Oracle Java SE (Server JRE), MySQL Server Enterprise Edition, and Oracle WebLogic Server images)

- Amazon Elastic Container Service (ECS) (https://aws.amazon.com)
- Microsoft Azure Container Instances (ACI) (https://azure.microsoft.com)
- Red Hat OpenShift Container Platform (https://www.openshift.com)
- Portainer (https://www.portainer.io)
- Rancher (https://rancher.com)

Kubernetes Platforms

Listed below are various Kubernetes platforms:

- Kubernetes (https://kubernetes.io): Kubernetes is an open-source container orchestration engine for automating deployment, scaling, and management of containerized applications. It groups the containers that make up an application into logical units for easy management and discovery. It allows users to take advantage of on-premises, hybrid, or public cloud infrastructure and to move workloads from one place to another. Kubernetes can also deploy and update secrets and application configuration without rebuilding container images and without exposing secrets in the stack configuration.

Figure 10.15: Screenshot of Kubernetes (dashboard showing CPU and memory usage and a list of running workloads)

- Amazon Elastic Kubernetes Service (EKS) (https://aws.amazon.com)
- Docker Kubernetes Service (DKS) (https://www.docker.com)
- Knative (https://cloud.google.com)
- IBM Cloud Kubernetes Service (https://www.ibm.com)
- Google Kubernetes Engine (GKE) (https://cloud.google.com)
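The "Default configuration settings" and "Communication between containers" challenges listed above, and the point that Kubernetes can hand a workload its secrets without exposing them in the stack configuration, can all be checked mechanically against a manifest before it reaches the cluster. The script below is an added example written for this page, not course material and not Kubernetes project code. The Pod and NetworkPolicy objects it contains are constructed samples in the JSON form that kubectl accepts; the fields it inspects (hostNetwork, securityContext, automountServiceAccountToken, env.valueFrom.secretKeyRef, podSelector, policyTypes) are standard Pod and NetworkPolicy API fields, and the name pattern used to spot secret-looking environment variables is an assumption of the example.

```python
"""Audit Pod manifests for insecure Kubernetes defaults and check that a
namespace carries a default-deny NetworkPolicy.  Added example; the manifests
below are constructed samples, not taken from the course or any real cluster."""
import re
from typing import Any, Dict, List

# Constructed sample: a Pod that leaves every security setting at its default.
INSECURE_POD: Dict[str, Any] = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web", "namespace": "shop"},
    "spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "web", "image": "shop/web:latest",
            "env": [{"name": "DB_PASSWORD", "value": "hunter2"}],  # literal secret
        }],
    },
}

# Constructed sample: the same workload with the defaults overridden and the
# password delivered from a Secret object instead of the manifest itself.
HARDENED_POD: Dict[str, Any] = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web-hardened", "namespace": "shop"},
    "spec": {
        "automountServiceAccountToken": False,
        "securityContext": {"runAsNonRoot": True,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "web",
            "image": "shop/web@sha256:" + "a" * 64,  # digest-pinned image
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
            "securityContext": {"allowPrivilegeEscalation": False,
                                "readOnlyRootFilesystem": True,
                                "capabilities": {"drop": ["ALL"]}},
            "env": [{"name": "DB_PASSWORD", "valueFrom":
                     {"secretKeyRef": {"name": "db", "key": "password"}}}],
        }],
    },
}

# Constructed sample: selects every Pod in "shop" and, by declaring both policy
# types with no allow rules, blocks all ingress and egress until other policies
# explicitly open traffic.
DEFAULT_DENY: Dict[str, Any] = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "default-deny-all", "namespace": "shop"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
}

# Assumed naming convention for secret-bearing variables (example's choice).
SECRET_ENV = re.compile(r"(PASS|PASSWORD|SECRET|TOKEN|KEY)$", re.IGNORECASE)


def audit_pod(pod: Dict[str, Any]) -> List[str]:
    """Return one finding per insecure default; an empty list means clean."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    findings: List[str] = []
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append(f"{flag} is enabled (shares the node's namespace)")
    if spec.get("automountServiceAccountToken", True):  # default is True
        findings.append("service account token is auto-mounted")
    for c in spec.get("containers", []):
        name, sc, image = c["name"], c.get("securityContext", {}), c.get("image", "")
        if "@sha256:" not in image and (":" not in image or image.endswith(":latest")):
            findings.append(f"{name}: image not pinned ({image or 'no image'})")
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):  # default is True
            findings.append(f"{name}: allowPrivilegeEscalation not disabled")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append(f"{name}: may run as root")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: writable root filesystem")
        if "ALL" not in [d.upper() for d in sc.get("capabilities", {}).get("drop", [])]:
            findings.append(f"{name}: does not drop all capabilities")
        if "limits" not in c.get("resources", {}):
            findings.append(f"{name}: no resource limits")
        for env in c.get("env", []):
            if SECRET_ENV.search(env["name"]) and "value" in env:
                findings.append(f"{name}: secret-looking env {env['name']} is a literal")
    return findings


def has_default_deny(policies: List[Dict[str, Any]], namespace: str) -> bool:
    """True if a NetworkPolicy in the namespace selects all Pods and names both
    policy types without any allow rule, i.e. denies all east-west traffic."""
    for p in policies:
        if p.get("kind") != "NetworkPolicy" or p["metadata"].get("namespace") != namespace:
            continue
        spec = p["spec"]
        if (spec.get("podSelector") == {} and {"Ingress", "Egress"} <= set(spec.get("policyTypes", []))
                and not spec.get("ingress") and not spec.get("egress")):
            return True
    return False


if __name__ == "__main__":
    for pod in (INSECURE_POD, HARDENED_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or "OK")
    print("shop has default deny:", has_default_deny([DEFAULT_DENY], "shop"))
```

Running the script lists nine findings for the default-heavy Pod and none for the hardened one, and reports that the "shop" namespace has a default-deny policy. Two caveats apply: these checks approximate the restricted profile of the Pod Security Standards and are no substitute for enforcing that profile with Pod Security Admission or a policy engine, and a default-deny NetworkPolicy only takes effect when the cluster's network plugin implements NetworkPolicy; on a plugin that does not, the API server accepts the object and it silently does nothing.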
