New holes emerge as enterprises embrace containers
Increasingly, corporations are in the data business: they collect more of it, they rely on it to make key decisions, and it essentially drives the business. However, they are not good at protecting it. Why? Most data-analytics applications are built on modern architectures like containers and Kubernetes, and few organizations yet have the expertise and storage solutions needed to safeguard them. Make no mistake, the criminals are coming after your information. Cybersecurity Ventures predicted that cybercrime would inflict damages totaling $6 trillion USD globally in 2021.
An Insecure Foundation
Kubernetes was not built from the ground up to secure information. It was designed to maximize the use of compute resources while minimizing the work needed to manage containers, which it does very well. But its infrastructure is often shared by multiple teams or divisions, which gives attackers many possible entry points. Securing Kubernetes is a multi-pronged task, and a key element is securing where the information is housed: the corporate storage system.
Every organization tries to build a strong perimeter to thwart intruders, but most fail. Security best practice starts by assuming that your systems are already compromised, both inside and outside the perimeter. Once in, attackers try to escalate their privileges until they have free rein to spread their malware across the environment.
As a result, companies must treat their network, storage systems, servers, media, and even their system administrators as untrusted. In essence, data needs to be protected 24/7: from the moment it is generated, as it moves from place to place, and while it sits at rest.
Or…maybe not. Maybe those companies are following the herd and practicing “common wisdom” from a decade ago out of habit.
Encryption is Needed End to End
The first, and most important, line of defense for your storage is end-to-end data encryption. Corporations require solutions that encrypt all data before it leaves the machine where it is generated, written, or read, so that neither the network nor the storage servers ever handle it in the clear. Enterprises cannot count pennies when choosing their encryption options. Criminals do not scrimp on time or money: they work around the clock, investing whatever is needed to break into your systems. So you need current, well-analyzed encryption such as XTS-AES with 256-bit keys (AES-XTS 256) rather than older, cheaper, weaker approaches. One caveat a practitioner should keep in mind: XTS is a sector-level mode for data at rest that protects confidentiality but does not detect tampering on its own, so an attacker with write access to the medium can still corrupt blocks without the storage layer noticing.
Organizations must also recognize that they need more than encryption at rest, because much of their information travels across the Internet. Transport Layer Security (TLS) encrypts data in motion. However, the information is decrypted once it reaches its endpoint, so TLS protects only the hop, not the data itself. You therefore require an additional layer of security on top of TLS for communication between your storage clients and servers, so that neither a compromised network nor an intermediate endpoint ever sees plaintext.
Next, you must limit access to your storage systems. Traditional storage solutions such as Network File System (NFS) often rely on IP filters, which seemed like a good idea when they were introduced years ago. Today this approach is a poor one: an IP filter authorizes a host, not a user, and a node is shared by many users and workloads, none of which you can trust just because they run on an allowed address.
Adding X.509 certificates and access keys puts another needed check in place, so you can be sure that only authorized users and hosts talk to your storage system. With X.509 certificates, each component (client and server) authenticates the other during the TLS handshake (mutual TLS), and anyone without a certificate issued by your CA is rejected. So even if an attacker compromises the network, they cannot even open a connection to your storage system, let alone read the data sitting in it. What they would need is a valid certificate together with its private key, which is why those keys must be protected on every host that holds one.
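The handshake described above, as an added example that is not part of the original article and not Quobyte's own code: a self-contained Go program that issues an in-memory CA, a server certificate and a client certificate, starts a TLS listener on loopback configured with `RequireAndVerifyClientCert`, and then connects twice, once without a client certificate (rejected) and once with one (accepted). The names `storage-ca`, `storage-server` and `storage-client-01`, the greeting string and the loopback address are assumptions for the demonstration; in a real deployment the CA key lives in a secured signing service and the client certificates are provisioned per host.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// issue generates an ECDSA key and an X.509 certificate for cn. With parent == nil the
// certificate is self-signed (our CA); otherwise it is signed by the parent's key.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // demo only; a real CA tracks serials
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)}, // the server is reached on loopback
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// connect dials the storage server, trusting roots for the server certificate. With
// cert == nil the client presents no certificate, which an mTLS server must reject.
func connect(addr string, roots *x509.CertPool, cert *tls.Certificate) (string, error) {
	cfg := &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12}
	if cert != nil {
		cfg.Certificates = []tls.Certificate{*cert}
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil { return "", err }
	defer conn.Close()
	// Under TLS 1.3 the server checks the client certificate after the client has sent its
	// Finished message, so a rejection may surface on the first read rather than in Dial.
	buf := make([]byte, 128)
	n, err := conn.Read(buf)
	if err != nil { return "", err }
	return string(buf[:n]), nil
}

// serve greets every client whose certificate passed the server's mTLS check.
func serve(ln net.Listener) {
	for {
		c, err := ln.Accept()
		if err != nil { return }
		go func(tc *tls.Conn) {
			defer tc.Close()
			if tc.Handshake() != nil { return } // missing, expired or untrusted client cert: dropped here
			peer := tc.ConnectionState().PeerCertificates[0].Subject.CommonName
			tc.Write([]byte("storage server: hello " + peer))
		}(c.(*tls.Conn))
	}
}

// Demo builds an in-memory CA plus server and client certificates, starts an mTLS server
// on loopback, and connects to it first without and then with a client certificate.
func Demo() (noCertErr error, greeting string, err error) {
	ca, caKey, err := issue("storage-ca", true, nil, nil)
	if err != nil { return }
	srvCert, srvKey, err := issue("storage-server", false, ca, caKey)
	if err != nil { return }
	cliCert, cliKey, err := issue("storage-client-01", false, ca, caKey)
	if err != nil { return }
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the check that replaces an IP filter
		ClientCAs:    roots,
		MinVersion:   tls.VersionTLS12,
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil { return }
	defer ln.Close()
	go serve(ln)
	_, noCertErr = connect(ln.Addr().String(), roots, nil)
	client := tls.Certificate{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}
	greeting, err = connect(ln.Addr().String(), roots, &client)
	return
}
```

`Demo()` returns a non-nil `noCertErr` for the certificate-less client and the greeting `storage server: hello storage-client-01` for the authenticated one. The two settings that do the work are `ClientAuth: tls.RequireAndVerifyClientCert` and `ClientCAs`: with `tls.RequestClientCert` or `tls.VerifyClientCertIfGiven` instead, a client that simply omits its certificate would still be let in, which is the silent misconfiguration to check for on the server side.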
Close a Shared Storage Security Hole
Another potential problem arises when your nodes are shared by many users from different parts of your organization. A layer of protection on the node itself is needed. Traditionally, the operating system and directory services established users and groups and granted them different levels of privilege. Containers do not offer equivalent functionality: the user IDs attached to a container's I/O operations can belong to anyone and do anything, which opens up another hole for attackers to climb through.
Implementing S3 access keys on your file system ensures that only authorized users can reach storage functions on a node, and it adds no overhead: users rely on the same credentials for S3 as for their persistent volumes. Each persistent volume claim served by Quobyte's Container Storage Interface (CSI) plugin carries the user's access key and secret key, and based on those credentials the system ensures that only authorized individuals access the volume.
Quobyte goes further and automatically maps all storage I/O from the container onto the user's user or group ID in the file system. This makes file system access control usable in container contexts: the end result is that your access control lists govern data sharing among the different users, groups, and units in your organization.