Kubernetes Gets a Runtime Security Tool
As more enterprise users deploy Kubernetes as their preferred container orchestrator, momentum is building to lock down security on vulnerable hybrid cloud deployments.
The latest step comes in the form of a runtime security tool dubbed Falco accepted this week by the Cloud Native Computing Foundation (CNCF) as a hosted development project. The group said Monday (Jan. 6) the open-source runtime security framework originally created by cloud security specialist Sysdig has transitioned to incubator status as Kubernetes production deployments scale.
Sysdig noted Falco is the first and, so far, only runtime security technology sponsored by CNCF.
Falco detects and alerts Kubernetes users to unexpected runtime behavior, with the goal of reducing security risks. Those risks include exploits unleashed by unpatched or unknown vulnerabilities, faulty configurations, weak credentials or insider threats.
For example, a security vulnerability that surfaced last summer in the Kubernetes API server allowed intruders to modify computing and storage resources.
Falco also seeks to address the tradeoff between providing developers with easy access to cloud-native infrastructure and the need for controls to detect unexpected runtime incidents. “Access control and policy enforcement are important prevention techniques, but runtime security is needed to detect threats that evade preventions,” said Kris Nova, Sysdig’s chief open source advocate.
Since joining CNCF as a “sandbox” project in October 2018, the project has added a governance model that establishes standards for contributors. Early contributors to Falco include Frame.io, Shopify, Snap and Booz Allen Hamilton (NYSE: BAH).
Along with availability on the Google marketplace (NASDAQ: GOOGL), Falco also has been included in the launch of cloud projects such as AWS Firelens and Google Anthos. The latter combines Kubernetes, the Istio service mesh and related open-source components into a framework aimed at achieving interoperability between the Google cloud and on-premise infrastructure.
Falco and other open source tools respond to growing enterprise demand for secure DevOps platforms as Kubernetes deployments scale. For example, a container usage survey released by Sysdig in October 2019 found that the average number of containers hosted on a single node has jumped from 10 in 2017 to 30 in 2019.
Meanwhile, the maximum per-node density was 250 containers, a 38 percent increase over 2018.
As container images are pulled from public sources such as Docker Hub, image scans are used to identify known vulnerabilities. Over half of those images contain known vulnerabilities, Sysdig reported.
Hence, greater emphasis is being placed on runtime security threats.
“Runtime security for Kubernetes is something organizations are just starting to address,” the company said, noting a 252-percent increase in pulls of Falco from Docker Hub over the last year.
The top runtime security threats included attempts to access sensitive files, directories and volumes, along with attempts to escalate privileges in order to breach security.
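To make the two threat classes above concrete, the following is an added example, not code from the article or from the Falco project, written in the YAML rule format Falco loads. It assumes Falco's documented event fields (evt.type, fd.name, proc.name, user.uid, evt.arg.uid, container.*, k8s.*); the list names, the paths treated as sensitive, and the set of programs allowed to read them are illustrative assumptions to be tuned per cluster.

```yaml
# Added example rule file (not from the article or the Falco project).
# Lists and macros are expanded inline into the conditions that reference them.

# Assumption: these paths hold credentials or secrets worth alerting on.
- list: sensitive_paths
  items: [/etc/shadow, /etc/sudoers, /root/.ssh, /var/run/secrets/kubernetes.io]

# Assumption: programs that legitimately read those paths or change uid.
- list: allowed_secret_readers
  items: [sshd, sudo, su, login]

# A file opened for reading (regular file only, so sockets and pipes are ignored).
- macro: open_read
  condition: evt.type in (open, openat, openat2) and evt.is_open_read=true and fd.typechar='f'

# Threat class 1: access to sensitive files, directories and volumes.
- rule: Sensitive File Read In Container
  desc: A process inside a container opened a credential or secret path for reading.
  condition: >
    open_read and container
    and fd.name pmatch (sensitive_paths)
    and not proc.name in (allowed_secret_readers)
  output: >
    Sensitive file read in container (user=%user.name command=%proc.cmdline
    file=%fd.name container=%container.name image=%container.image.repository
    k8s_pod=%k8s.pod.name k8s_ns=%k8s.ns.name)
  priority: WARNING
  tags: [filesystem, k8s]

# Threat class 2: privilege escalation. A non-root process asking for uid 0
# is the step worth seeing; evt.dir=> fires on the syscall's entry event.
- rule: Privilege Escalation Via Setuid
  desc: A non-root process inside a container called setuid to become uid 0.
  condition: >
    evt.type=setuid and evt.dir=> and container
    and not user.uid=0 and evt.arg.uid=0
    and not proc.name in (allowed_secret_readers)
  output: >
    Non-root process requested uid 0 (user=%user.name uid=%user.uid
    command=%proc.cmdline container=%container.name k8s_pod=%k8s.pod.name)
  priority: WARNING
  tags: [process, k8s]
```

Both rules restrict themselves to containers (the `container` macro) so that host-level daemons do not generate noise, and both carry the Kubernetes pod and namespace fields so an alert can be tied back to a workload. The file stands on its own; if it is loaded alongside Falco's default ruleset, note that the default rules already define a macro named `open_read`, and a later definition with the same name replaces the earlier one rather than extending it.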