CSPM's Blind Spot

The adoption of cloud-native architectures is on the rise in the development world, up 16.4% in 2022 to a total of 7.1 million organizations worldwide. In these cloud-native – or at least increasingly cloud-centric – environments, a new security market niche has emerged for tools that automate the detection and remediation of known cloud security risks and compliance lapses. IT research giant Gartner has dubbed this emerging security field Cloud Security Posture Management (CSPM). 

CSPM tools monitor cloud environments and compare configurations and performance against specified best practices and optimal states. When monitoring tools identify misconfigurations or potential security hazards, CSPM services can often automate solutions for many common issues such as security enforcement gaps or improper account permissions. When automation is unavailable, CSPM tech works like intrusion detection systems (IDS) and raises alerts for manual review. 

Cloud Security Posture Management and Kubernetes

Among organizations polled for Redhat’s State of Enterprise Open Source report in 2022, 70% confirmed using Kubernetes for container orchestration and cloud management. This number will likely rise substantially over the next few years as containerization increases and more organizations adopt cloud-first approaches to development. For IT teams that rely on CSPM services to secure cloud environments, the use of Kubernetes represents an easily overlooked, but potentially critical, gap in monitoring capabilities. 

Kubernetes manages applications the same way cloud service providers do, governing resources, tasks, and network connections. Kubernetes interfaces with storage providers to reserve necessary space for instances, allocates resources for distributing network traffic across a load balancer, and even scales pods according to observed demand. However, despite these similarities, security in Kubernetes differs radically from what users have come to expect from cloud service providers. 

By default, Kubernetes is minimally configured for the kinds of security parameters CSPM tools can monitor. To take a few examples of this minimalism:

• Kubernetes deploys container images without scanning and verification
• Configurable default values are declarative and any misconfigurations will scale throughout clusters
• Communication between pods is unrestricted unless otherwise specified
• Kubernetes does not persist data from wiped containers, limiting audit trails to live deployments

The net effect of these properties for CSPM is a fundamental lack of visibility into Kubernetes container environments. Interacting with Kubernetes clusters, CSPM tools will evaluate permissions on virtual machines, outward-facing network access, and service provider security policy conformity. But none of these activities will expose what’s really going on beneath Kubernetes’ external workload layer. 

By its nature, CSPM looks for potential risk areas or what Gartner calls the “intended state’. What actually happens is what Gartner calls the “observed state”. CPSM does not track what actually happens, only what theoretically can happen. While preparation is important, equally important is understanding what actually happens across containerized environments with the ability to capture unexpected behaviors (misconfigurations, supply chain compromises, or zero-days) or known concerning activities.

Illuminating the Kubernetes Runtime Blind Spot with Spyderbat

As Kubernetes and container security continues to challenge the capabilities of most organizations – 93% in the last year – the need for automated monitoring solutions in containers only becomes more pronounced. To fill this gap in security technology, Spyderbat has developed an eBPF-based runtime monitoring platform with granular visibility into both currently running and previously destroyed containers. With an exhaustive record of runtime behavior – down to individual system calls – for all containers, Spyderbat enables policy as code to immediately expose unexpected runtime deviations. 

To learn more and schedule a live demo, contact Spyderbat today.