Is your financial data safe in the cloud?

  • Or Azarzar, Co-Founder and CTO at Lightspin

  • 20.04.2021 12:45 pm
  • #security

Digital disruption is forcing banks to become agile digital enterprises. Kubernetes is a key to enabling banks to deliver innovative products, services, and customer experiences at speed and scale. However, along with rapid growth, Kubernetes has already seen its fair share of security flaws, six major ones disclosed last year alone (CVE-2020-14386, CVE-2020-2121, CVE-2020-8558, CVE-2020-8559, CVE-2020-10749, CVE-2020-8557).

There are several reasons why hackers are targeting Kubernetes. Its containers often ship with loose security settings, sometimes by default, which hackers can leverage. Loose permissions are convenient during development, but they present an unacceptable level of risk once containers are put into production. Many IT teams are developing microservices that each require their own authentication and access control, opening a new attack surface. Microservices tend to be highly volatile, moving around and popping in and out of existence, which makes it hard to defend all of their respective entry points. DevOps teams that are measured by deployment speed often race ahead, introducing new functions or services that are unprotected.

From our experience, there are some general rules that can reduce the risk of having sensitive data exposed to hackers. As Kubernetes is entirely API-driven, controlling and limiting who can access the cluster and what actions they are allowed to perform is the first line of defense. Make sure you lock down access to the Kubernetes API server. The ideal scenario is to expose the server only inside a VPC (virtual private cloud) network instead of on the open Internet.

Be aware that the Kubernetes default is that every pod can speak to all other pods with no security restrictions.  One rule of thumb is to grant the lowest level of operating system privilege necessary while constructing containers.  Allow each microservice only access to the resources it needs. This way, a vulnerability in one microservice will not expose the rest of your system to an attacker. 
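The two rules above, default-deny pod networking and least operating-system privilege per container, as an added example that is not part of the original post. The namespace, labels and image name are assumed for illustration.

```yaml
# Added example: a default-deny NetworkPolicy for the namespace, one explicit
# allow rule for a single microservice, and a least-privilege pod spec.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments          # assumed namespace
spec:
  podSelector: {}              # empty selector matches every pod in the namespace
  policyTypes: ["Ingress", "Egress"]
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-api-to-ledger
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: ledger              # only the ledger pods receive this rule
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: payments-api   # the one caller that needs the ledger
      ports:
        - protocol: TCP
          port: 8443
---
apiVersion: v1
kind: Pod
metadata:
  name: ledger
  namespace: payments
  labels:
    app: ledger
spec:
  automountServiceAccountToken: false   # no API-server token unless the app needs one
  containers:
    - name: ledger
      image: registry.example.com/ledger:1.0   # placeholder image reference
      securityContext:
        runAsNonRoot: true                # refuse to start as UID 0
        allowPrivilegeEscalation: false   # blocks setuid binaries gaining privileges
        readOnlyRootFilesystem: true      # attacker cannot write tooling to disk
        capabilities:
          drop: ["ALL"]                   # no Linux capabilities at all
```

Because the first policy also denies egress, pods in the namespace lose DNS until you add an egress rule permitting UDP/TCP port 53 to the cluster DNS service; apply the default-deny policy per namespace and confirm the CNI plugin in use enforces NetworkPolicy, since some do not.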

Focus on finding a way to visualize all your assets.  Cloud environments are increasingly complex, and idle containers can become fertile ground for a hacker to move in and launch an attack.

The best strategy is to focus on the attack paths that threaten the most vulnerable and valuable assets.  Security systems that monitor traffic for anomalies can create an excessive number of alerts that take up valuable time.  But by focusing on the asset you want to protect and protecting the cloud from the inside out, you can focus only on the most urgent threats.

The race to innovate faster in our online digital economy is creating more attack surfaces that introduce a higher risk of data breaches.  Understanding each threat's context is the best way to assess priorities and take action to protect sensitive data and prevent data breaches.
