In the first article of our four-part series on Kubernetes in the enterprise, we outlined the data services that underpin a properly constructed Kubernetes container environment. Data security, data governance, data resilience, and data discovery are the pillars that support the evolution of Kubernetes from raw storage, persistent or ephemeral, into data services fit for enterprise deployment.
In this and subsequent articles we drill down into those specific data services. Here we cover data security and data governance together, because they are in some ways two sides of the same coin: you can think of security as a layer within data governance, or of data governance as a higher-level kind of security.
With containers flitting about a cluster of machines, spawning chunks of microservice code and demanding access to data, it is vital to secure that data both at the storage layer underneath Kubernetes and from within the Kubernetes platform itself.
"Data security is a hot issue right now, particularly when you think about cyber resilience and the ability to withstand attacks on your infrastructure and, more importantly, on your data," says Pete Brey, Director of Big Data Marketing at Red Hat.
"The fact of the matter is that there are a lot of cybercriminals that are trying to get access to customer data and other confidential information, and the first line of defense is encryption. Thankfully, in the last ten years, encryption has come a long way. Some of that is because we have more advanced processors that can quickly encrypt data on the fly without a measurable performance penalty. Several years ago, performance was a big issue for the industry and a lot of data was not encrypted when it should have been. But it's no longer an issue."
As with other application and systems software, encryption in a Kubernetes environment covers data in flight, as it moves between pods and nodes, and data at rest on physical storage such as disk drives and flash devices, or on public cloud storage. Increasingly, main memory is encrypted as well, with support from Intel, AMD, and other CPU vendors, and some processors manage the memory-encryption keys in hardware so that the keys never leave the chip and are not readable by the host operating system or hypervisor.
The encryption and decryption operations that all of this software depends on are now handled by the processors themselves, which carry dedicated cryptographic instructions and accelerators (AES-NI on x86 CPUs, for example). Companies no longer have to spend thousands of dollars on auxiliary cryptographic co-processors hanging off the PCI-Express bus of a server, and they no longer pay the latency of shipping every buffer out to an accelerator card and back before it can be processed in memory or written to storage. What the accelerators do not replace is key custody: the root keys that protect everything else are still typically kept in a hardware security module or a cloud key management service, and only the bulk encryption runs on the CPU.
This native, wire-speed encryption and decryption has been transformative for security within the datacenter. As encryption has become commoditized, it has become pervasive, and "we cannot afford to encrypt that" is no longer a credible excuse.
Transport Layer Security (TLS), the successor to the now-deprecated Secure Sockets Layer (SSL), is central to securing data in flight. TLS uses public-key cryptography, in the form of X.509 certificates, to authenticate the parties to a connection, and then protects the traffic with symmetric keys that are derived afresh for each connection between applications on distinct machines. Because TLS 1.3 requires an ephemeral (EC)DHE key exchange, those session keys cannot be recovered later even if a server's long-term private key is stolen; that property is what "forward secrecy" means, and it matters more than the raw length of the key. Inside a cluster the relevant configuration points are: disable SSL 3.0, TLS 1.0 and TLS 1.1, which are deprecated; and use mutual TLS between services, so that each workload presents a certificate of its own rather than only checking the server's.
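The following Go program is an added example, not code from the article or from Red Hat: it runs one mutually authenticated TLS 1.3 exchange over loopback, first with a client that presents a certificate chained to the cluster CA and then with one that does not, and shows that the second is refused. The in-process CA, the service names "payments-api" and "checkout-worker", and the one-hour certificate lifetimes are all constructed for the example; in a real cluster the certificates would come from the platform's own CA or a service mesh.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"time"
)

func check(err error) { // setup failures (key generation, minting) are not protocol outcomes
	if err != nil {
		panic(err)
	}
}

// mintCert mints a short-lived ECDSA P-256 certificate for cn: a self-signed CA when parent is
// nil, otherwise a leaf signed by parent and limited to usage. Throwaway in-process PKI (assumption).
func mintCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey,
	usage x509.ExtKeyUsage) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	signer, signKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{usage}
		signer, signKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// mtlsExchange runs one mutually authenticated TLS 1.3 exchange over loopback: the server demands a
// client certificate chained to the CA and echoes the identity it verified, or the client sees an error.
func mtlsExchange(presentClientCert bool) (string, error) {
	caCert, caKey := mintCert("example-root-ca", nil, nil, 0)
	srvCert, srvKey := mintCert("payments-api", caCert, caKey, x509.ExtKeyUsageServerAuth)
	cliCert, cliKey := mintCert("checkout-worker", caCert, caKey, x509.ExtKeyUsageClientAuth)
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		MinVersion:   tls.VersionTLS13,
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // anonymous peers are refused
		ClientCAs:    pool,
	})
	check(err)
	defer ln.Close()
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		defer conn.Close()
		tc := conn.(*tls.Conn)
		if tc.Handshake() != nil {
			return // no certificate, or one the CA did not sign: the connection is dropped
		}
		fmt.Fprint(tc, tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
	}()
	cfg := &tls.Config{MinVersion: tls.VersionTLS13, RootCAs: pool, ServerName: "payments-api"}
	if presentClientCert {
		cfg.Certificates = []tls.Certificate{{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	// In TLS 1.3 the client finishes its handshake before the server has judged the client
	// certificate, so a rejection surfaces as an alert (or a closed socket) on the first read.
	reply, err := io.ReadAll(conn)
	if err != nil || len(reply) == 0 {
		return "", fmt.Errorf("server refused to authenticate us: %v", err)
	}
	return string(reply), nil
}

func main() {
	fmt.Println(mtlsExchange(true))  // checkout-worker <nil>
	fmt.Println(mtlsExchange(false)) // "" and an error
}
```

Two details are worth noticing. `MinVersion: tls.VersionTLS13` on both sides rules out the deprecated protocol versions, and `RequireAndVerifyClientCert` with an explicit `ClientCAs` pool is what turns one-way TLS into mutual TLS; with the default `NoClientCert` the anonymous client would be accepted. The comment at the final read is the practical gotcha: under TLS 1.3 a client whose certificate is rejected still sees `Dial` succeed and only learns of the refusal on its first read, so client code must treat that read error as an authentication failure rather than a flaky network.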
Many applications need to handle sensitive information, and Kubernetes is no different. The container management platform has a construct called a Secret, which lets sensitive data belonging to containers and their pods be stored and managed from within Kubernetes. Keeping this information out of the container image and the pod definition, and securing it independently, is both safer and more flexible than embedding it. Secrets hold not just encryption keys but also OAuth tokens, SSH keys, passwords, and other sensitive material. Two caveats matter in practice. First, by default a Secret is stored in etcd only base64-encoded, which is encoding, not encryption; encryption at rest has to be switched on by giving the API server an EncryptionConfiguration that names a provider (secretbox, aesgcm, or preferably an external KMS, since the local providers keep the key in a file on the control-plane node). Second, the data is readable in clear by anyone the API lets read the object, so role-based access control (RBAC) must restrict which principals can get, list, or watch Secrets in each namespace.
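The Go program below is an added example and not code from the article, Red Hat, or the Kubernetes project. It makes the two caveats concrete: the base64 value that `kubectl get secret -o yaml` shows decodes with no key at all, and it models what the API server's aesgcm provider writes to etcd once encryption at rest is on: a `k8s:enc:aesgcm:v1:<keyname>:` marker followed by a random nonce and the AES-GCM ciphertext, with the record's etcd key path bound in as associated data. The exact byte layout after the marker, the key name "key1", the 32-byte demo key, and the etcd path are modelling assumptions of this example; the marker itself is what you look for in `etcdctl get` output to confirm encryption is really active.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// sampleSecretData is a constructed value as `kubectl get secret -o yaml` would show it in the
// data map: base64 of "password123", readable by anyone with get on the Secret.
const sampleSecretData = "cGFzc3dvcmQxMjM="

// RevealBase64 makes the point that base64 is encoding, not encryption: no key is involved.
func RevealBase64(encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	return string(raw), err
}

// AtRestEncrypter models the API server's aesgcm provider (a modelling assumption of this
// example): a key from the EncryptionConfiguration, a fresh random 12-byte nonce per write,
// and the record's etcd key path bound in as associated data.
type AtRestEncrypter struct {
	keyName string
	aead    cipher.AEAD
}

// NewAtRestEncrypter takes the key name and raw key bytes (32 bytes for AES-256) that an
// EncryptionConfiguration lists under the aesgcm provider's keys.
func NewAtRestEncrypter(keyName string, key []byte) (*AtRestEncrypter, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &AtRestEncrypter{keyName: keyName, aead: aead}, nil
}

// prefix is the marker written ahead of encrypted records; seeing it in etcd is the usual
// check that encryption at rest is actually on, and its absence means plaintext in etcd.
func (e *AtRestEncrypter) prefix() []byte {
	return []byte("k8s:enc:aesgcm:v1:" + e.keyName + ":")
}

// Seal returns what lands in etcd: prefix || nonce || ciphertext || GCM tag.
func (e *AtRestEncrypter) Seal(etcdKey string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, e.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append(e.prefix(), nonce...)
	return e.aead.Seal(out, nonce, plaintext, []byte(etcdKey)), nil
}

// Open reverses Seal. It fails for records written under a different key name, records copied
// to another etcd path (the associated data no longer matches), and any record with a changed byte.
func (e *AtRestEncrypter) Open(etcdKey string, stored []byte) ([]byte, error) {
	p := e.prefix()
	if !bytes.HasPrefix(stored, p) {
		return nil, errors.New("record was not written by this provider and key")
	}
	body := stored[len(p):]
	n := e.aead.NonceSize()
	if len(body) < n {
		return nil, errors.New("record too short to hold a nonce")
	}
	return e.aead.Open(nil, body[:n], body[n:], []byte(etcdKey))
}

func main() {
	plain, _ := RevealBase64(sampleSecretData)
	fmt.Printf("base64 only: %q\n", plain)
	// Constructed demo key; a real one comes from the EncryptionConfiguration file or a KMS.
	enc, err := NewAtRestEncrypter("key1", bytes.Repeat([]byte{0x42}, 32))
	if err != nil {
		panic(err)
	}
	path := "/registry/secrets/payments/db-creds"
	stored, _ := enc.Seal(path, []byte(plain))
	fmt.Printf("in etcd: %q...\n", stored[:28])
	_, err = enc.Open("/registry/secrets/other/db-creds", stored)
	fmt.Println("same record opened under another path:", err)
}
```

The associated-data binding is the part practitioners tend to miss: because the etcd key is authenticated along with the ciphertext, an attacker with write access to etcd cannot copy a sealed Secret from one namespace's path to another and have the API server decrypt it there. Note also that the demo key lives in process memory, exactly as the local providers' keys live in a file on the API server host; that is the reason a KMS provider, which never hands the key-encryption key to the node, is the stronger choice.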
The good news for organizations is that there are ways to hook the Kubernetes platform into the existing security and governance framework. "Everything in the enterprise that applies to security and governance applies to Kubernetes," says Brey. "All of the concepts still apply, key management, to take one example, and you don't have to buy a lot of extra stuff. A lot of this is already put into our OpenShift Kubernetes platform, for instance." Red Hat Enterprise Linux has cryptographic modules, which are used by OpenShift, Ansible, Ceph, and other parts of the Red Hat stack.
Data governance cannot be an afterthought, and the fact that we discuss it second in this story does not mean it plays second fiddle to data security. Security without governance is not really security, and governance without security is not really governance at all. If you let someone unlock data, you have to know who they are, both at the moment the data is unlocked (authentication and authorization) and after the fact, when you may need to comb through an audit trail in the logs to trace an intruder.
Given this natural dependency, many people conflate security measures with sufficient governance. "Actually, security and governance are pretty different," explains Brey. "Security has more to do with the technical controls that are in place around physical data. Governance is a higher-level issue, which encompasses security, but also includes procedures and protocols for who can access data and how."
In many industries the immutability of data is a kind of security, too, distinct from encrypting it or watching access to it like a hawk. Write once, read many (WORM) storage is integral to fields such as financial services and healthcare: data is locked against modification or deletion for a defined retention period, typically on transactional or object storage. The auditing and logging functions, as well as the immutable-data functions, that are required there, and probably useful across many industries, are included with OpenShift Data Platform, Ceph object storage, and other systems software; they only have to be turned on. In practice, turning them on means setting a retention mode and period on each bucket or volume that needs it, and checking that the retention cannot be shortened by the same administrators it is meant to constrain.
Sponsored by Red Hat.
Originally published by The Register as "Container security without governance is neither secure nor governed".