Security highlights from KubeCon + CloudNativeCon 2023

KubeCon + CloudNativeCon provided valuable insights for security teams supporting cloud-native development, including securing GenAI, platform engineering and supply chains.

With its theme "Architect Your Future," this year's KubeCon + CloudNativeCon highlighted security updates and efforts to support the thriving global community and ecosystem.

The attendees -- 9,000 in person in Chicago, with an additional 5,000 attending virtually -- ranged from seasoned cloud-native technologists to first-time attendees who are newer users of Kubernetes. We heard updates from diverse groups of people from all over the world who are using cloud-native technologies, including those with full-time jobs working on Cloud Native Computing Foundation (CNCF) projects to contribute to the community.

The CNCF now has a separate event, CloudNative SecurityCon, dedicated to security, but it is still important that KubeCon + CloudNativeCon addressed cybersecurity because -- as our research on cloud security posture management shows -- security responsibility is typically split between cybersecurity, IT and Ops teams.

The conference highlighted how many of the world's best-known brands, including Boeing, Discover, American Airlines and Volvo, run on Kubernetes. They require security and reliability.

It was refreshing to see end users openly share information in keynotes and sessions about how they are addressing security. In the spirit of openness and community contribution, they shared their successes but also discussed challenges, breaches that they experienced, mistakes they made and lessons learned.

Here are the top highlights for security teams supporting cloud-native development.

Generative AI

As with every conference in 2023, generative AI was the big theme. CNCF Executive Director Priyanka Sharma said, "Cloud-native is the scaffolding of the AI movement," pointing out that all players are running on Kubernetes, including OpenAI, HuggingFace and Nvidia, because of the capability to scale.

The application of GenAI is poised to take off as it promises to simplify complex tasks. We can expect development teams to increasingly apply it as an assistive tool to move faster.

The challenges for cloud-native security are related to anything that scales rapidly, so security teams will need to ensure they can implement tools and processes to keep up. Security teams will also need to take advantage of GenAI when possible; automation and assistance -- faster answers to needed questions -- can be helpful for faster security operations.

The importance of security to the future of Kubernetes

Tim Hockin, the distinguished software engineer at Google known for fathering Kubernetes nearly a decade ago, delivered a keynote on how his baby has grown up and what the future holds.

Hockin mentioned that there is a "complexity budget" to consider when adding new use cases. Security should factor into this, and security teams need to work in lockstep with IT and operations to meet business goals while minimizing technical debt and complexity. There is, however, an upside for security: He cited Jago Macleod, director of engineering and Kubernetes for Google, as saying, "Security and reliability are the key, and future users won't have to worry about complexity."

Platform engineering for built-in security

Platform engineering was a major theme at the conference for streamlining the management of Kubernetes environments, and it is promising for cybersecurity. While DevOps integrates development and operations tasks to make it easier for developers to provision the infrastructure needed to build their applications, platform engineering establishes and manages the resources and services needed in platforms so developers can easily use them without having to deal with the complexity.

The message was that security teams should love cloud-native development because platform engineering can build security into the infrastructure. Platform teams can set up role-based access control, network policies and secure base images, and the Kubernetes clusters can be auto-updated and patched. Enabling distributed tracing and monitoring across all services was also discussed.

But not all organizations have platform engineering, and the roles and responsibilities differ across companies. If organizations do have platform engineering or DevOps teams who can incorporate security into the infrastructure, security needs to work with them to optimize efficiency and benefit from these capabilities.

Monitoring and observability for security operations

Our research examining cloud detection and response revealed how dynamic cloud environments present visibility challenges for security. The majority of organizations reported that the lack of access to physical networks, the dynamic nature of cloud-native applications and elastic cloud infrastructure create blind spots, making security monitoring challenging. SOC teams need to collect, process, monitor and act upon information from an assortment of cloud security telemetry sources to effectively protect applications.

Vendors including Dynatrace, Cisco, Datadog, Elastic, Cribl and Mezmo showcased features and updates that help with observability and monitoring and with security operations. While these tools may be used to optimize performance and cost, there are opportunities to apply them to security to increase efficiency and minimize usage of separate tools. Security teams should talk to platform engineering, IT and operations teams to find out what tools they are using and see how they may use them for security.

Isovalent also had a big week at the event with the release of extended Berkeley Packet Filter (eBPF), the Linux kernel technology that can be used for networking, security and observability. Cilium, the open source solution for network connectivity between workloads that uses eBPF, reached CNCF graduation status last month and released Tetragon 1.0 at the end of October for Kubernetes security observability and runtime enforcement.

The conference keynotes also highlighted updates to Falco, the widely used runtime security monitoring tool contributed by Sysdig, which uses eBPF to provide visibility for detection of threats across containers, Kubernetes, hosts and cloud services.

Software supply-chain security efforts

Although the topic wasn't as prevalent as last year, the conference addressed software supply chain security, given its large audience of open source contributors. Developers all over the world are using and contributing to open source software (OSS), but efforts are needed to set standards for security to minimize vulnerabilities. If attackers target the most commonly used OSS, it affects the community and stalls digital transformation.

The conference highlighted updates on the Open Source Security Foundation (OpenSSF), a Linux Foundation project to support development, maintenance and use of OSS. Although it experienced some leadership changes, it has been working on important training programs and projects, including its Supply Chain Levels for Software Artifacts Framework for supply chain integrity; Sigstore, a standard for signing, verifying and protecting software; and OpenSSF Scorecard, which helps project maintainers, contributors or stakeholders assess and secure open source projects.

This is an important group organizing initiatives with U.S. government officials, the National Security Council, the Office of the National Cyber Director, the Cybersecurity and Infrastructure Security Agency, the National Institute of Standards and the National Science Foundation.

The event also included a keynote from Frederick Kautz, director of R&D at TestifySec, who was also the conference co-chair. He explained that software supply chain security isn't just about OSS and software bills of materials; it is about all of the components in the applications, including dependencies. He described the importance of people and processes, as many issues can arise from human errors. I agree, and I'm looking forward to digging into these factors in my upcoming research on software supply chain security.

Enterprise Strategy Group Practice Director Melinda Marks covers technologies that help organizations scale safely while adopting faster cloud-native development cycles.

Enterprise Strategy Group is a division of TechTarget. Its analysts have business relationships with technology vendors.
