VSHN.timer #22: Cloud Security

Welcome to another VSHN.timer! Every Monday, 5 links related to Kubernetes, OpenShift, CI / CD, and DevOps; all stuff coming out of our own chat system, making us think, laugh, or simply work better.

This week we are going to talk about Cloud Security, its many facets and threats, and how smart teams can mitigate them.

1. Last October Google announced new features to control the security of applications deployed in the Google Kubernetes Engine (GKE). First, application-layer Secrets encryption, which protects Kubernetes Secrets with envelope encryption. Second, customer-managed encryption keys (CMEK) for the encryption of GKE persistent disks. Following the recent availability of a Zurich region of Google Cloud (just as Azure already offers one) and the recent concerns in Switzerland about the use of US-based cloud services, this will clearly be of interest to the local market.

https://cloud.google.com/blog/products/containers-kubernetes/exploring-container-security-use-your-own-keys-to-protect-your-data-on-gke

2. Encryption is only a small part of a security strategy. And keys, as useful as they are, require management, storage, distribution, and lots of attention. Cloudflare recently reminded us that public keys are not enough for SSH security, and that we should be using Cloudflare Access instead, replacing SSH keys with short-lived certificates.

https://blog.cloudflare.com/public-keys-are-not-enough-for-ssh-security/

3. Two recent security-related research papers have caught our attention. First, this presentation at the 27th USENIX Security Symposium (2018) about attacking certificate authorities with the Border Gateway Protocol (BGP). And second, this presentation about BPF (Berkeley Packet Filter), touted as a "new type of software" that might well become a "next frontier" in security. BPF is a radical change in the venerable, 40-year-old Unix operating system architecture, opening new possibilities, for example in the field of attack monitoring and prevention.

http://www.brendangregg.com/blog/2019-12-02/bpf-a-new-type-of-software.html

4. Security is hard. Atlassian (re-)discovered this as the SwiftOnSecurity Twitter account inadvertently disclosed a security vulnerability in Confluence last week. Atlassian provided a domain that resolved to a local server with a shared SSL certificate for its Confluence cloud service, but anyone could copy that certificate's key and use it for a man-in-the-middle attack, redirecting traffic to a malicious site.

https://www.theregister.co.uk/2019/12/05/atlassian_zero_day_bug/

5. Finally, the tool of the week is Octarine. Going beyond container scanning, Octarine offers threat detection and blocking, and app segmentation scaling, using a sidecar model that allows for compliance checks and automation of security tasks.

https://www.octarinesec.com/

How do you manage the security of your cloud infrastructure? Have you developed and open-sourced any security-related tools? Get in touch with us through the form at the bottom of this page, and see you next week for another edition of VSHN.timer.