Enabling enterprise-grade Kubernetes security for a Fortune 100 credit card company

No matter what business you are in, cloud migration can be a daContainers and microservices are driving enterprise IT innovation and digital transformation across industries. Companies are embracing container technologies like Kubernetes to realize greater flexibility, scalability, and speed across application development and deployment processes. Yet, for many enterprises, security remains one of the biggest concerns for kick-starting containerization initiatives.

This blog focuses on how we helped a Fortune 100 credit card company secure their Kubernetes clusters and effectively monitor security practices leveraging automation. The customer was looking to move their enterprise solution for risk and compliance to Kubernetes to meet expanding business needs. Here are some highlights of the security practices we implemented as part of this project:

Used an internal, private registry for container images

As hackers often prey on image vulnerabilities, using trustworthy registries (private, wherever possible) for container images is crucial. We helped the client set up an internal private registry for storing approved images. Any external images had to be downloaded using reverse proxies, validated, scanned, and pushed into the local repository. Their Kubernetes Admin team had permission to upload these to the internal repository after extensive security and compliance checks.

Integrated vulnerability scanning tools with the code build process

For continuous scanning of images and code, we integrated tools like Black Duck and WhiteHat with the code build process. This ensured that unsecured code was not included in any image. In addition, we performed image scanning leveraging Clair, an open-source tool that can be easily deployed in Kubernetes and integrated directly with the container registry.

Isolated environments using namespaces and role-based access control

To isolate environments for different teams and users, we leveraged Kubernetes namespaces. We also applied Kubernetes role-based access control (RBAC) on a per-namespace level, restricting the access to each Kubernetes service to specific users based on business needs. We also leveraged the Cluster Admin role to restrict cluster level access. Additionally, to streamline RBAC management and prohibit access by any unauthorized users, we periodically removed all unused/inactive roles.

Secured all Kubernetes components

The location of an enterprise’s database plays a critical role during application migration. If your database To secure all Kubernetes components, we enabled and configured Kubernetes RBAC and limited the number of users and service accounts accessing the API server. All traffic between the API server and other infrastructure components, like etcd and kubelet, were served over HTTPS (Transport Layer Security) and all communication was protected leveraging TLS encryption. The API server did not serve any requests on unsecure ports, and all server audit logs were collected and retained. To limit damage in the event of an attack, we locked down the ownership and permissions needed to access critical configuration and PKI files on the master node. In addition, we configured the kubelet config file to prevent the kubelet server from serving any anonymous/unauthenticated requests.

Leveraged egress policies and controllers for secure networking

To securely route network traffic to internal Kubernetes services, we used Nginx as a load balancer and network gateway for managing inbound and outbound connections. Nginx also served as a frontend proxy to limit the exposure of these services to end users.

Developed an automated solution for continuous monitoring

We developed an automated solution to continuously monitor Kubernetes’ security practices across multiple clusters with minimal effort. A high-level blueprint of the solution is given below:

High-level overview of the automated solution for continuous monitoring

This approach helped us create a robust migration plan backed by effective disaster management and sThis helped us periodically run the security benchmark in an automated manner and promptly identify any misconfigurations/incorrect practices. We also leveraged a security dashboard to perform security audits at the beginning of the project. A sample snapshot is given below:

Kubernetes security dashboard

Additionally, we stored Kubernetes events in the ELK Stack and generated insights on the dashboard. This helped proactively monitor any suspicious events and generate alerts.

Our integrated approach helped the credit card company improve their security posture by identifying security threats and misconfigurations across multiple clusters in real-time leveraging automation. This eliminated the need for manual monitoring, which would have involved massive time and effort. What’s more, the security dashboard provided a single, consolidated view of all critical security tests, enabling 360-degree visibility across clusters. The automated scanning utility provided daily updates on cluster stats, allowing the client’s Admin team to focus on other strategic tasks. Most importantly, the client was able to run their applications on secure, stable, resilient clusters.

Cookie	Duration	Description
__cf_bm	1 day	This cookie is used to distinguish between humans and bots. This is beneficial for the website, in order to make valid reports on the use of their website.
_grecaptcha	1 day	This cookie is used to distinguish between humans and bots. This is beneficial for the website, in order to make valid reports on the use of their website.
_GRECAPTCHA	179 days	This cookie is used to distinguish between humans and bots. This is beneficial for the website, in order to make valid reports on the use of their website.
CONSENT	2 years	Used to detect if the visitor has accepted the marketing category in the cookie banner. This cookie is necessary for GDPR-compliance of the website.
li_gc	179 days	Stores the user's cookie consent state for the current domain.
pa_enabled	1 day	Determines the device used to access the website. Th is allows the website to be formatted accordingly.
rc::a	1 day	This cookie is used to distinguish between humans and bots. This is beneficial for the website, in order to make valid reports on the use of their website.
rc::b	1 day	This cookie is used to distinguish between humans and bots.
rc::d-15#	1 day	This cookie is used to distinguish between humans and bots.
test_cookie	1 day	Used to check if the user's browser supports cookies.
visitorId	1 year	Preserves users states across page requests.

Cookie	Duration	Description
_cc_cc	1 day	Collects statistical data related to the user's website visits, such as the n umber of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location , in order to enable media and marketing agencies to structure and understand their target groups to enable customised on line advertising.
_gcl_au	3 months	Used by Google AdSense for experimenting with advertisement efficiency across websites using their services.
ads/ga-audiences	1 day	Used by Google AdWords to re-engage visitors that are likely to convert to customers based on the visitor's on line behaviour across websites.
bcookie	1 year	Used by the social networking service, LinkedIn , for tracking the use of embedded services.
bscookie	1 year	Used by the social networking service, LinkedIn, for tracking the use of embedded services.
demdex	179 days	Via a unique ID that is used for semantic content analysis, the user's n avigation on the website is registered and linked to offline data from surveys and similar registrations to display targeted ads.
dpm	179 days	Sets a unique ID for the visitor, that allows third party advertisers to target the visitor with relevant advertisement. This pairing service is provided by third party advertisement hubs, which facilitates real-time bidding for advertisers.
IDE	1 year	Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.
lang	1 day	Set by LinkedIn when a webpage contains an embedded "Follow us" panel.
lidc	1 day	Used by the social networking service, LinkedIn, for tracking the use of embedded services.
lpv#	1 day	Used in context with behavioral tracking by the website. The cookie registers the user’s behavior and navigation across multiple websites and ensures that no tracking errors occur when the user has multiple browser-tabs open.
pagead/1p-user-list/#	1 day	Tracks if the user has shown interest in specific products or events across multiple websites and detects how the user navigates between sites. This is used for measurement of advertisement efforts and facilitates payment of referral-fees between websites.
pixel.gif	1 day	Collects in formation on user preferences and/or interaction with web-campaign content - This is used on CRM-campaign -platform used by website owners for promoting events or products.
site/#	1 day	Unclassified.
ssi	1 year	Registers a unique ID that identifies a returning user's device. The ID is used for targeted ads.
u	1 year	Collects data on user visits to the website, such as what pages have been accessed. The registered data is used to categorise the user's interest and demographic profiles in terms of resales for targeted marketing.
UserMatchHistory	29 days	Ensures visitor browsing-security by preventing cross-site request forgery. This cookie is essential for the security of the website and visitor.
visitor_id#	10 years	Used in context with Account-Based-Marketing (ABM). The cookie registers data such as IP-addresses, time spent on the website and page requests for the visit. This is used for retargeting of multiple users rooting from the same IP addresses. ABM usually facilitates B2B marketing purposes.
visitor_id#-hash	10 years	Used to encrypt and contain visitor data. This is necessary for the security of the user data.
VISITOR_INFO1_LIVE	179 days	Tries to estimate the users' band width on pages with integrated YouTube videos.
w/1.0/cm	1 day	Presents the user with relevant content and advertisement. The service is provided by third-party advertisement hubs, which facilitate real-time bidding for advertisers.
YSC	1 day	Registers a unique ID to keep statistics of what videos from YouTube the user has seen.
yt-remote-cast-available	1 day	Stores the user's video player preferences using embedded YouTube video.
yt-remote-cast-installed	1 day	Stores the user's video player preferences using embedded YouTube video.
yt-remote-connected-devices	1 day	Stores the user's video player preferences using embedded YouTube video.
yt-remote-device-id	1 day	Stores the user's video player preferences using embedded YouTube video.
yt-remote-fast-check-period	1 day	Stores the user's video player preferences using embedded YouTube video.
yt-remote-session-name	1 day	Stores the user's video player preferences using embedded YouTube video.
yt.innertube::nextId	1 day	Registers a unique ID to keep statistics of what videos from YouTube the user has seen.
yt.innertube::requests	1 day	Registers a unique ID to keep statistics of what videos from YouTube the user has seen.
yt.innertube::requests	1 day	Registers a unique ID to keep statistics of what videos from YouTube the user has seen.
ytidb::LAST_RESULT_ENTRY_KEY	1 day	Stores the user's video player preferences using embedded YouTube video.

Cookie	Duration	Description
__utm.gif	1 day	Google Analytics Tracking Code that logs details about the visitor's browser and computer.
__utma	2 years	Collects data on the number of times a user has visited the website as well as dates for the first and most recent visit. Used by Google Analytics.
__utmb	1 day	Registers a timestamp with the exact time of when the user accessed the website. Used by Google Analytics to calculate the duration of a website visit.
__utmc	1 day	Registers a timestamp with the exact time of when the user leaves the website. Used by Google Analytics to calculate the du ration of a website visit.
__utmt	1 day	Used to throttle the speed of requests to the server.
__utmz	6 months	Collects data on where the user came from, what search engine was used, what link was clicked and what search term was used. Used by Google Analytics.
_omappvp	11 years	This cookie is used to determine if the visitor has visited the website before, or if it is a new visitor on the website.
_omappvs	1 day	This cookie is used to determine if the visitor has visited the website before, or if it is a new visitor on the website.
ab	1 year	This cookie is used by the website’s operator in context with multi-variate testing. This is a tool used to combine or change content on the website. This allows the website to find the best variation /edition of the site.
AnalyticsSyncHistory	29 days	Used in connection with data-synchronization with third-party analysis service.
omVisits	1 day	This cookie is used to identify the frequency of visits and how long the visitor is on the website. The cookie is also used to determine how many and which subpages the visitor visits on a website – this in formation can be used by the website to optimize the domain and its subpages.
omVisitsFirst	1 day	This cookie is used to count how many times a website has been visited by different visitors - this is done by assigning the visitor an ID, so the visitor does not get registered twice.
pa	1 day	Registers the website's speed and performance. This function can be used in context with statistics and load-balan cing.
ziwsSession	1 day	Collects statistics on the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been read.
ziwsSessionId	1 day	Collects statistics on the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been read.