Kubernetes may be very popular as a development and deployment environment, but it is not exactly ‘perfect’. One of the components that developers need to pay particular attention to when using Kubernetes in a Continuous Integration/Continuous Delivery (CI/CD) workflow is security. The environment needs to be configured for security from the beginning with the use of outside tools like Twistlock.
Fortunately, there is no shortage of tools for managing cloud security, specifically for managing security in Kubernetes. A cloud-native security suite is ideal, and that is why we are going to take a look at Twistlock in this article.
Recognizing the Challenges
There are some essential elements to good container security, starting with meticulous access control. You always have to use least-privilege access control approach when configuring pods and services. By limiting pods to only the essential privileges they need to run correctly, you are minimizing your cloud environment’s attack surface substantially.
Of course, you also have to tackle pod-to-pod communications. This is the next challenge to tackle due to the nature of Kubernetes itself. Since pods are crucial building blocks in a bigger ecosystem, preventing an attack on one pod from spreading to (or affecting) the others is essential. At the very least, you have to enforce the use of authentication in pod-to-pod communications.
These challenges are only the beginning since they affect you mostly on the environment level. You also have to make sure that your entire Kubernetes environment runs on a secure set of hosts. Kubernetes is hardware agnostic so it will not detect if the servers assigned to it are insecure. It is up to you to provide Kubernetes with a safe infrastructure.
Lastly, we have the security of the apps themselves. Your container gets executed as part of a continuous process, so you have to make sure that the runtime is capable of running without harming the rest of the environment. Adding container runtime defense as additional layers of security for your apps – and the containers themselves – won’t hurt.
This includes checking (and double-checking) the codes you run in the containers. An error that doesn’t get handled properly or a malicious code that somehow got into your container image can trigger a catastrophic event that may cripple the entire environment.
Twistlock: A Solution for Every Challenge
This is where Twistlock becomes an incredibly worthy security suite to consider. It actually comes with an extensive array of tools designed to make securing any cloud environment, including single server instances, easy. It works with AWS or Kubernetes running in AWS just as seamlessly, so you know that it is a tool that you can use.
Twistlock is—in simple terms—a full stack security suite. It handles everything from A to Z, including automated forensics, securing your host, scanning for pods vulnerabilities, and providing additional layers of protection in the form of firewalls and compliance checks. The six tools that stand out among the many that Twistlock now provides are:
- Runtime Defense: Through automation, routine evaluations, and machine learning, Twistlock can identify potential issues with your container runtime. It can even recommend solutions and changes to make, all in an automated way.
- Cloud-Native Firewalls: Firewalls are still necessary no matter how secure your system is; you can never be too careful with services running in the cloud. Adding network security that is designed from the ground up for cloud applications is indeed a huge plus. Twistlock supports a cloud-native Application Firewall (a web application firewall designed for hosts and containers which secures web apps by inspecting and filtering layer 7 traffic to and from the app) and also a cloud-native Network Firewall (a Layer 3 container-aware virtual firewall that utilizes machine learning to identify valid traffic flows between app components, and alert or block anomalous flows).
- CI/CD Integration: Since Twistlock has its own evaluation and automation tools, it can be used as part of an agile CI/CD Workflow. While new services and updates are deployed, Twistlock will do its job of securing the entire cloud environment all over again. Twistlock also provides a Jenkins plugin to incorporate vulnerability and compliance scanning into the build phase. The build can pass or fail depending on the type of vulnerabilities and compliance issues found. For CI tools other than Jenkins, we can achieve the same results by using the Twistlock CLI or API.
- Advanced Access Control: Twistlock can even scan your pods and make sure that the minimum required privileges are the only ones assigned. This is a tedious process when done manually, but the security suite makes it look very easy.
- Vulnerability Testing: In addition, we have Twistlock’s ability to mount prevention tactics by reporting vulnerabilities for host, images and containers. The tool goes well beyond container scanning for vulnerabilities by also providing segmentation, IPS, and cloud-native capabilities. It provides nice dashboards, and list filtering capabilities. It’s also possible to export the findings to CSV which can then be imported to other platforms if needed. Rather than being on the defensive all the time, you can use Twistlock to do vulnerability testing and reinforce your cloud with security measures that will prevent attacks.
- Leverage Compliance: Companies have to continuously ensure that they are compliant with external requirements like HIPAA, PCI, and GDPR. Twistlock compliance management system helps to enforce standard configurations and security best practices so it’s possible to achieve container compliance for any of these standards.
Cloud security management isn’t easy, but Twistlock offers a set of tools that make the whole process more manageable. This is one of the reasons why users love this security suite so much.
Drawbacks to Consider
For those with simpler security requirements, Twistlock’s give-you-everything approach can potentially be a bit overwhelming. However, configuring the tool and integrating container repos is a breeze.
Also, the cloud-native App and Network firewalls don’t support much granularity in their configurations. However, Twistlock is improving the product based on customer feedback so we expect to see this feature implemented soon.
Despite these very minor drawbacks, however, it is interesting to see a security suite using the same cloud-native, scalable, and automated approach to cloud security as we do with cloud apps. At Caylent, we certainly won’t be surprised to see Twistlock usage continue to grow and scale rapidly. In addition, as a Twistlock partner, we can help you leverage the best of the cloud-native solution for your business-critical workloads. Contact us today to support Twistlock implementation and instrumentation.
For more on enhancing security in Kubernetes, check out our post on Intrusion Protection with Kubernetes.
Caylent provides a critical DevOps-as-a-Service function to high growth companies looking for expert support with Kubernetes, cloud security, cloud infrastructure, and CI/CD pipelines. Our managed and consulting services are a more cost-effective option than hiring in-house, and we scale as your team and company grow. Check out some of the use cases, learn how we work with clients, and read more about our DevOps-as-a-Service offering.