
Akamai offers micro-segmentation for Kubernetes clusters


Akamai on Thursday announced that it’s now offering micro-segmentation for Kubernetes (K8) clusters, a capability that promises to make it much more difficult for attackers to move laterally across K8 clusters.

In a blog post, Akamai researchers said the industry has seen a sharp rise in recent years in attacks on containers, the “pods” that make up a K8 cluster. These clusters have become popular, powering micro-services architectures at the likes of Amazon, Google, and Netflix. To avoid detection, the researchers said, attackers have increased their use of evasion and obfuscation techniques on K8 clusters, including packing payloads, using rootkits, and running malware straight from memory.

Red Hat’s 2022 State of Kubernetes Security Report found that 93% of respondents experienced at least one security incident in their K8s environments in the last 12 months. Attackers can potentially exploit these incidents to install ransomware and other types of malicious software. 

“Kubernetes is inherently a flat network, meaning there’s no separation of assets, so if someone gets into the network, they can go wherever they want,” explained Dan Petrillo, director of product marketing at Akamai. “You have to assume a breach and assume that initial infection is possible. And microsegmentation is how you act on that notion of assuming a breach.”

Petrillo said that where before a threat actor could easily spread their malware or leverage it as a means of getting to a more lucrative asset, with Akamai Guardicore Segmentation — a product that Akamai acquired in October 2021 — they can’t move laterally as easily.

“Maybe they could hinder one Kubernetes cluster and it might be a bad day for one admin,” said Petrillo. “But it’s not going to be a disaster, not going to be a newsworthy event, and it’s not going to mean paying a hefty ransom.”

Frank Dickson, group vice president for security and trust at IDC, said segmenting applications has become absolutely critical, calling it the "foundation of zero trust."

“Without segmenting Kubernetes applications, you can guarantee that you’ll have a future trust problem,” said Dickson. “It matters because not all applications are of equal value and do not have the same hygiene. Your application that may provide cost estimates for potential customers is of lower value than your ecommerce applications. You don’t want to provide attackers a backdoor into your financial applications because of a breach of a cost calculator with lower levels of security. Segmenting applications prevents the breach of one application from instantly becoming a breach of all applications.”

John Grady, a principal analyst who covers network security at Tech Target’s Enterprise Strategy Group, added that the scale and ephemeral nature of resources in Kubernetes environments have been difficult for traditional network security practices and technologies to keep pace with. Grady said the first step in any segmentation project is understanding the traffic flows and relationships between resources, to ensure that only entities that should communicate with one another do, and that the policies put in place will not inadvertently “break” the application: the idea being that security teams can set policies that block lateral movement without disrupting the business.

“The next is deploying controls to enforce the policy,” Grady said. “In both cases, Kubernetes environments pose a challenge: it’s hard to aggregate the visibility necessary to write the policy, and difficult to deploy enforcement controls at the speed at which K8 environments operate. By using K8 labels to map the workflows, along with the native enforcement capabilities in the K8 Container Network Interface (CNI), Akamai is making it easier to deploy segmentation confidently in containerized environments.”
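The label-based, CNI-enforced segmentation Grady describes, and the separation of a low-value app from a higher-value one that Dickson calls for, can be expressed with Kubernetes' native NetworkPolicy resource. The following is an added example, not Akamai's or Guardicore's configuration; the namespace, labels and port are assumed for illustration, and enforcement requires a CNI that implements NetworkPolicy (Calico and Cilium, for instance).

```yaml
# Added example: a default-deny baseline plus one label-scoped allow rule.
# Namespace "shop", labels app=ecommerce-api / app=ecommerce-web and
# port 8443 are assumed for illustration, not taken from the article.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: shop
spec:
  podSelector: {}          # selects every pod in the namespace
  policyTypes:
  - Ingress
  - Egress                 # nothing in or out unless another policy allows it
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-web-to-api
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: ecommerce-api   # the higher-value workload being protected
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: ecommerce-web   # only the storefront may reach the API
    ports:
    - protocol: TCP
      port: 8443
# A pod labelled app=cost-calculator in the same namespace matches neither
# allow rule, so a compromise there has no network path to ecommerce-api.
```

Because the default-deny policy also blocks egress, pods lose DNS until an egress rule to kube-dns is added; verify with a test pod before rolling the policy out, which is the "don't break the application" step Grady describes.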
