Cloud native architecture is a game changer for security at scale. Whether the architecture is used on-premises or in the cloud, capabilities to ease the management of IT assets are continuously improving. Yes, there’s a long way to go in terms of simplifying interfaces and reducing barriers in terms of skill set requirements for managing cloud native platforms and server-less infrastructure , built on cloud native platforms, and this too will come in time.
How security and assurance are managed changes in a cloud native architecture from traditional infrastructure. The standardized methods used on traditional infrastructure that require distributed configuration management by each organization do not work in a cloud environment. This is good news as this architecture presents an opportunity to ease security management and make it accessible to businesses of all sizes.
Security rooted in hardware is becoming more accessible now that trusted platform modules (TPMs) are near ubiquitous and trusted execution environments or secure enclaves are becoming a more common part of the CPU. This allows for increased use of these components to assure systems, applications, and data are as expected using attestation inherent to the system measuring current state values against a set of expected values for a level of compliance. Open source projects are gaining traction through efforts such as the Confidential Computing Consortium (CCC), the Cloud Native Computing Foundation (CNCF), and the Internet Engineering Task Force (IETF)to scale management, built-in resiliency, and assure the integrity of systems and software in cloud native platforms.
Understanding why a cloud native architecture presents a game change is important. As we transitioned from traditional infrastructure to virtualized, and now to cloud native, a tremendous amount of work has been put in by thousands of engineers to architect resiliency, flexibility, and isolation into this updated architectural design. Layers have been created to allow for quick updates that are focused on specific code segments (e.g. DevOps and microservices) as well as the ability to move workloads to aid in quick remediation from a vulnerability or to recover from an attack.
The cloud native architecture has three possible areas to provide integrity assessments, with the most efficient and elegant being through trusted assurance rooted in hardware using a technology called attestation. This method utilizes the TPM,vTPM, and TEE of the server host. The second and most commonly used method today stems from the capabilities used in virtualized and traditional environments, where an SSH connection or API is used to interrogate a system or application, comparing results to a set of expected configuration settings. This method works and is part of several cloud security posture management (CSPM) and cloud native application protection (CNAPP) products today. These capabilities are needed still today for assurance, but how integrity is assured in cloud native platforms should begin to shift over the coming year with some of these products integrating results from the first method rather than performing the interrogation themselves.
This transition will take several years to be realized more fully and is possible to achieve with the cloud orchestration platform and existing libraries today. CSPM and CNAPP products have the opportunity to adapt to continue to serve organizations that require a composite picture of assets as described in the transition steps below. The third method is already available in at least one commercial cloud provider, and it assures a workload by running it completely within a Trusted Execution Environment (TEE) to prevent tampering. The third option isa very good one if you have the resources to run fully in a TEE.
The first method introduced in this blog is meant to cut costs, while providing an elegant solution that is built-in to the container orchestration platform, obviating the need for additional software that interrogates the contents of a container and having to manage that external software.
Steps to realize automation through attestation, built-in at scale:
1. Libraries supporting the integrity assessment of code in a container using attestation are now available. Multiple proofs of concepts using this technique have been conducted, including one from RedHat and the one described below in an internship project by John Schmidt while at the Center for Internet Security (CIS) in 2023. Sean Turner assisted in the project, ensuring options for key management and cryptographic options were appropriately selected.
2. A range of engineers from several organizations are working to architect the expected patterns for automated configuration and integrity assurance up the stack in a cloud native environment. This step provides documentation to unify and standardize the approaches to assure policies and measurements are as expected using attestation consistently across platforms.
3. Reporting of compliance against a set of policies or measurementsto governance, risk, and compliance (GRC) management solution, CNAPP, or CSPM product if one is used. Alternatively, reliance could be maintained in the container management system to ensure compliance and include remediation and isolation capabilities within a cloud native environment.
We will likely see this capability emerge gradually since it is built on open source software and cloud management platforms will have to integrate and ease the configuration process for this capability. First, we’re likely to see a basic capability emerge across the commonly used container orchestration platforms (e.g. VMWare/Broadcom, RedHat OpenShift, and Xen). The initial capability might provide a method to create templates to ensure software to a set of expected policies and measurements (e.g. benchmarks). Over time, these templates should become standardized to levels and available for selection, such as those defined by the CIS Benchmarks. The first iterations will be much like today’s cloud platforms, where the administrator will need to be knowledgeable.
Within a year or two, we should begin to see steady improvements where generic templates are available to select compliance levels of popular software and operating systems from the container orchestration platform. The ability to establish policies and measurements of additional software packages will grow in time and the ability to manage this capability will become easier as well. We will also see the ability to report compliance evolve after the assurance of integrity and configuration settings is more widely available.
If you are interested in learning more or joining in to help progress this work, the linked IETF Remote Attestation working group, Confidential Computing Consortium, Cloud Native Computing Foundation, and open source projects are all possible options.
Proof of Concept Project summary
By: John Schmidt
A project was proposed to align policies to both CIS Ubuntu 20.04 LTS v2.0.1 server andKubernetes v1.7.1 benchmarks where drift could be measured with TPM assurance. The project sought to assist underserved State, Local, Tribal, and Territorial (SLTT) organizations in providing low-cost, built-in alternatives to paid software assurance platforms. After some research, it seemed fitting that Linux IMA, considering its demonstrated remote attestation capabilities, be tested for the capability. Linux IMA is a subsystem within the Linux kernel introduced in the Linux 2.6.30 kernel in 2009. It can measure, store, and appraise TPM-assured IMA file hashes against a stored value to confirm file integrity. IMA can also enforce default and custom-loaded policies, offering the ability for a greater number of benchmarks covered. Examples of such policies may include creating a runtime custom policy noting file changes as they occur or directing IMA not to measure event logs. A runtime policy could include a response to prevent access to an object if a file hash does not match a stored value.
Testing took place in a vSphere 8 environment, where a single Kubernetes cluster was created with vTPM support for IMA and with one deployed pod running Ubuntu 20.04 LTS server. Testing showed up to 54.5% of the worker node level 1 recommendations for CIS’s Kubernetes v1.7.1 benchmark were possible out-of-the-box with existing tunable IMA policies. Accordingly, the Ubuntu 20.04 LTS v2.0.1 server benchmark recommends some file integrity management. However, it recommends downloading AIDE, athird-party program. Because of security concerns, cost, and ease of management, built-in solutions are preferred for those with fewer resources. The proof of concept proved the capability to ensure a set of policies and measurements could be attested for container environments, including operating systems and applications running in containers.
Reviewers: Sean Turner, John Schmidt, and Tony Sager