As Kubernetes becomes the new standard for the development and deployment of cloud-hosted applications, InfoSec teams need to own everything around cloud native machine identity security. A recent cloud native security survey highlighted that 94% of companies operating Kubernetes clusters in production experienced a security incident in the last 12 months, with the most common vulnerabilities related to certificate misconfiguration.
Venafi has announced that its flagship product for cloud native machine identity management, TLS Protect for Kubernetes, now has tighter integration with Venafi Trust Protection Platform (TPP). This combined solution means Venafi customers can use TLS Protect for Kubernetes to apply the same policy-driven security controls across both modern Kubernetes and traditional infrastructure, and maintain FIPS compliance where needed. InfoSec teams can use their current TPP solution to extend security policy, manage access to public and private CAs, and monitor machine identities across platforms built on Kubernetes or OpenShift.
Using TLS Protect for Kubernetes, Venafi customers can now:
- Obtain vital visibility of X.509 certificates and their configuration status across Kubernetes/OpenShift clusters
- Build a security posture to identify and mitigate threats that specifically target vulnerabilities in cloud native environments
- Enforce security policies without slowing developer teams deploying workloads on ever faster release cycles
- Ensure full operational FIPS 140-2 compliance of cert-manager across cloud native environments
Cloud native visibility with TLS Protect for Kubernetes
TLS Protect for Kubernetes extends the Venafi Control Plane to provide in-depth visibility of certificate configurations in Kubernetes and OpenShift clusters. The combined solution will discover and report all X.509 certificates, whether they are public trusted certificates used for ingress endpoints or certificates used to secure microservices using private PKI. Using TLS Protect for Kubernetes, InfoSec can deliver consistent security approaches for developers and have full visibility and control of each machine identity across the whole platform.
To see how this works, this video demo explains how TLS Protect for Kubernetes integrates with the Venafi Control Plane to instantly discover certificates operating in cloud native environments.
Cloud native control with TLS Protect for Kubernetes
The inherent nature of modern developer-led automation is driving huge usage both for public and private certificates. Venafi TPP integration with TLS Protect for Kubernetes will align and enforce security policy controls for cloud native developer teams by proactively monitoring access to CAs and sub-CAs. It will prevent operational and security risks caused by manually signed certificates, as well as other certificate misconfigurations. In modern environments where the scale of certificates is growing fast, TLS Protect for Kubernetes gives developer teams a consistent basis to deploy workloads securely, where certificate requests are automated alongside effective PKI controls to ensure a validated and auditable chain of trust exists for every workload deployed to a Kubernetes cluster.
Built with cert-manager
Jetstack, now Venafi, is the company behind cert-manager, the highly successful cloud native open source project that has become the industry standard for fully automating machine identities in cloud native environments. Cert-manager became a CNCF project in November 2020.
It is now extremely common for large company platform teams to be actively deploying cert-manager to clusters to automate the issuance and renewal of X.509 certificates. TLS Protect for Kubernetes builds on cert-manager to provide a comprehensive cloud native machine identity solution for enterprises that are deploying cert-manager across multiple production clusters. Using TLS Protect for Kubernetes to deploy cert-manager to clusters hardens the organization's security posture by building in consistency and security. It provides a means to scale cloud native infrastructure with multi-cluster visibility of each machine identity, including alerts when misconfigurations are detected, with remediation advice for SRE teams.
Zero Trust cloud native security using a service mesh
As cloud native infrastructure grows, many large companies are deploying a service mesh solution to underpin Zero Trust architectures and enforce workload security for fast-growing multi-cluster environments. For example, Istio is a popular, fully-featured service mesh with a rich set of capabilities for traffic routing, policy control, and observability. Cert-manager is regularly deployed with Istio to ensure integration with enterprise PKI by supporting CAs that are already in production, including HashiCorp Vault. With TLS Protect for Kubernetes, security teams can enforce security policy using Vault to ensure a validated root of trust for all workload identities using the service mesh, and use the TPP integration for auditing and visibility of these signed certificates.
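The cert-manager and Vault pairing described above, shown as an added example of what the cluster-side configuration looks like. This is not configuration from the page or from Venafi; it uses the public cert-manager `cert-manager.io/v1` API, and the issuer name, Vault address, PKI mount path, role name, secret names, namespace and DNS name are all assumed placeholders.

```yaml
# Added example (not from the original page). A cert-manager ClusterIssuer that
# signs workload certificates through an existing HashiCorp Vault PKI engine, so the
# root of trust stays in the enterprise PKI rather than in a CA private key that
# lives inside the cluster. All names and addresses below are assumed placeholders.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: vault-issuer                      # assumed name
spec:
  vault:
    server: https://vault.example.internal:8200   # placeholder Vault address
    # Sign against an intermediate CA mount and a Vault role. The role, not the
    # Certificate resource, decides which domains and TTLs are permitted, so
    # restrict allowed_domains / max_ttl on the Vault side.
    path: pki_int/sign/workload-role      # assumed mount and role
    caBundle: <base64-encoded PEM of the Vault server's TLS CA>   # placeholder
    auth:
      kubernetes:
        mountPath: /v1/auth/kubernetes    # Vault Kubernetes auth method mount
        role: cert-manager                # assumed Vault auth role bound to the SA below
        secretRef:
          name: cert-manager-vault-token  # assumed service account token Secret
          key: token
---
# A workload certificate issued through that ClusterIssuer. Short lifetime plus
# early renewal keeps exposure from a leaked key small, and rotating the private
# key on every renewal means a renewal never reuses old key material.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: payments-api-tls                  # assumed name
  namespace: payments                     # assumed namespace
spec:
  secretName: payments-api-tls            # kubernetes.io/tls Secret cert-manager writes
  duration: 24h
  renewBefore: 8h
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always
  dnsNames:
    - payments-api.payments.svc.cluster.local   # assumed service name
  usages:
    - server auth
    - client auth
  issuerRef:
    name: vault-issuer
    kind: ClusterIssuer
    group: cert-manager.io
```

Applied with `kubectl apply -f`, cert-manager authenticates to Vault with the referenced service account token, submits a CSR to the `pki_int/sign/workload-role` endpoint, and stores the signed chain in the named Secret; the mesh sidecar or the application then mounts that Secret. The defensive value is that every certificate in the cluster chains to the Vault intermediate, Vault's audit log records each issuance, and a `Certificate` whose `dnsNames` fall outside the Vault role's allowed domains is rejected at signing time rather than silently issued.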
Cloud native FIPS compliance using TLS Protect for Kubernetes
As customers' platform operations adopt cloud native infrastructure, compliance obligations apply to the modern platform just as they do to traditional infrastructure. TLS Protect for Kubernetes supports FIPS 140-2 compliant builds of cert-manager to meet US Government requirements for information security and processing using cryptographic technology. This is important for companies that are progressively using cert-manager as part of their Kubernetes operation and are supplying services directly to US Government agencies.
As Kubernetes adoption increases and clusters spin up across an enterprise, misconfiguration and out-of-date software can present significant security risks. With TLS Protect for Kubernetes, companies can achieve operational consistency of these critical software components with hardened and secure builds of cert-manager that are not only FIPS 140-2 compliant but also signed directly by Venafi. When every cluster runs the same hardened version of cert-manager, the security posture is improved, since all private and public certificate configurations are proactively managed by TLS Protect for Kubernetes to prevent security vulnerabilities. This gives platform teams certainty and consistency by standardizing cert-manager from TLS Protect for Kubernetes across all clusters, whilst meeting InfoSec's security requirements, all of which are reported back to the TPP solution.
To learn more about TLS Protect for Kubernetes visit the product page. Platform teams using cert-manager can connect a cluster for free and gain instant access to the TLS Protect for Kubernetes solution interface to proactively monitor ingress and certificate configurations.