GlobalSign Blog

Automation: The Right Way to Use Digital Certificates with Your Containers

Automation: The Right Way to Use Digital Certificates with Your Containers

Many organizations are in the process of integrating or have already introduced containers into their IT infrastructure. Containers are beneficial in that they’re a type of technology that includes everything needed to run an application including its runtime dependencies. This characteristic renders a container repeatable across different cloud and OS environments; the inclusion of dependencies means that a container will run the same regardless of the host infrastructure.

That’s not the only benefit of containers. According to NetApp, containers require less overhead than virtual machines and other traditional IT assets because they don’t contain OS images. They also improve the agility of the organization to keep up with its evolving business needs due to the fact that they allow applications to be deployed, patched, and scaled more quickly.

Overtime, containers could become so numerous that DevOps team members can’t monitor them on their own. That’s where Kubernetes comes in. As explained on its website, Kubernetes functions as a platform through which organizations can manage their containers. This orchestration service helps to distribute network traffic so that a deployment remains stable, thereby ensuring service uptime. It also restarts containers that fail as well as kills containers that don’t respond to a health check defined by the organization.

Concerns Over Complexity

Notwithstanding the benefits elucidated above, containers and Kubernetes do add to the complexity or an organization’s network. Such complexity can give rise to security challenges.

Take containers, for example. As StackRox explains, an influx of containers increases the number of cloud-native infrastructure components over which security teams must maintain visibility. This complicates the process of consistently implementing fundamental security measures such as vulnerability scanning and secure configuration management. More containers mean more blind spots that an attacker could potentially exploit. 

Depending on how broadly containers can communicate with other containers and pods, a malicious actor could abuse those weaknesses to move laterally throughout the container environment and compromise certain containers with malicious code. That’s a problem. Without proper oversight, that malware could make its way into a container image along with other code, binaries, and libraries. Users who pull down that image from a repository could then inadvertently infect themselves with that code.

Kubernetes is designed to speed up application deployment and simplify operations. Since the platform facilitates this speed and ease with a set of network policies that allow all pods to communicate with one another by default, this can make it even easier for an attacker to compromise a pod and launch into the attack chain described above.

The Importance of Knowing What to Trust

The security challenges discussed in the previous section highlight the need for organizations to know what to trust. A key part of establishing this trust is using digital certificates.

Venafi specifically argues that organizations can best secure their containers and Kubernetes environments by using digital certificates as machine identities. Even so, organizations can’t take a manual approach to certificate lifecycle management with containers and Kubernetes. The constant need to create, configure, and deploy X.509 certificates in an effort to keep up with the organization’s evolving container needs could slow the organization’s software development process down. They could be waiting for days to get a certificate. This is problematic insofar as many containers don’t even remain up for that long.

In response, DevOps teams could elect to circumvent security processes to stay on task with their development goals. As noted by DZone:

“DevOps teams often end up trying to engineer their way around the problem, in some cases using untrusted or unauthorized certificates…. In other cases, DevOps teams don’t use certificates at all. Both approaches make it challenging to identify and mitigate threats in a timely manner. Without HTTPS encryption, data may be exposed to attackers.”

Addressing the Challenges of Certificates for Containers and Kubernetes

Organizations can address the challenges above by incorporating automation into their deployment of X.509 certificates. Per DZone, automation helps to modernize the DevOps process. It effectively transitions DevOps into DevSecOps by embedding security into the software development lifecycle. It does this by bringing security and PKI teams into the fold and having them responsible for digital certificates rather than forcing DevOps personnel to take the lead. As such, security and PKI personnel can make sure that all certificates are standardized in order to comply with regulations and the organization’s security policies.

When it comes to automation, organizations need to make sure that their Kubernetes environment integrates with an automated system for issuing certificates. They can do this by using the Jetstack certificate manager to automate certificate life cycles for Kubernetes clusters. 

For step-by-step instructions on how to implement this form of automation for your organization’s certificate management needs, click here.
 

Share this Post