Protecting containers and Kubernetes to support the modern warfighter
By improving the agility and granularity of software development, containers and Kubernetes can be beneficial tools for advancing Department of Defense system and software needs. Containerized cloud-native applications prove valuable when considering the needs of the modern warfighter, as they allow software functionality to be updated in near real-time as new capabilities are required, allowing data to serve as a potentially lifesaving resource and mission enabler.
Containers are beginning to be used effectively within the defense community. For example, the U.S. Air Force demonstrated the benefit of containers in 2020 when it ran Kubernetes in flight for the first time, on a U-2 Dragon Lady reconnaissance training mission. The notable part of this achievement was the seamless combination of the venerable U-2's legacy computer systems with modern containerized applications. Using Kubernetes, the open-source container orchestration system, the aircraft could harness four onboard computers to run machine learning algorithms against real-time data. In an even more ambitious effort, the Air Force updated one of the U-2's target recognition algorithms while the aircraft was in flight less than one month later.
Kubernetes and containers enable exciting applications, but those applications also require constant, reliable data availability, and there is a growing data protection gap: globally, only 46% of companies running containers back up their container data. Within the DoD, data loss could mean mission failure.
To take advantage of containers, agencies need to implement security best practices with containerization in mind, backup down to the application level and develop a data protection plan specific for containerized environments.
How to keep Kubernetes environments protected
Protecting data, whether in transit or at rest, should be at the forefront when using containers. When data is on the move, it should be encrypted from point A to point B; when it crosses the internet, that means a standard protocol such as Transport Layer Security (TLS). Note that the TLS Kubernetes uses between its own components (API server, kubelet, etcd) does not extend to pod-to-pod traffic by default; encrypting that traffic requires TLS in the application itself or a service mesh.
Data at rest should also be encrypted, and this can prove challenging given the variety of structured and unstructured data sources available to Kubernetes clusters. This is one reason that DoD application development teams typically expend great effort ensuring that every component of their Kubernetes application stack uses validated FIPS 140-2 (or its successor, FIPS 140-3) cryptographic modules, not merely an approved algorithm.
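The most basic at-rest control in Kubernetes itself is API-server encryption of Secrets (and other resources) before they are written to etcd. The following is an added example, not code from the article or from any vendor: a kube-apiserver EncryptionConfiguration showing the weak default (the `identity` provider, which stores objects in plaintext) next to the corrected ordering. The file path, the resource list, the key name and the key value are all assumptions; the key shown is a constructed test value and must never be used for real.

```yaml
# Added example: kube-apiserver EncryptionConfiguration (assumed to be
# passed with --encryption-provider-config=/etc/kubernetes/enc.yaml).
# Kubernetes uses the FIRST listed provider for writes and tries the
# providers in order for reads, so ordering is the security decision.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
      - configmaps
    providers:
      # WEAK (the out-of-the-box behaviour): identity means no encryption.
      # With this first, every Secret lands in etcd as plaintext.
      #   - identity: {}
      #
      # CORRECTED: an AES-256-GCM key is first, so all new writes are encrypted.
      # The key is a CONSTRUCTED placeholder (base64 of 32 bytes of "A");
      # generate a real one with: head -c 32 /dev/urandom | base64
      - aesgcm:
          keys:
            - name: key1
              secret: QUFBQUFBQUFBQUFBQUFCQUFBQUFBQUFBQUFBQUFBQUE=
      # identity stays LAST, for reading only, so objects written before
      # encryption was enabled remain readable until they are rewritten:
      #   kubectl get secrets --all-namespaces -o json | kubectl replace -f -
      # Remove it once that rewrite has completed.
      - identity: {}
```

Two caveats a practitioner would check. First, a local key file only protects against an etcd backup or disk being read elsewhere; anyone with root on the control-plane node can read the key, so production deployments should use the `kms` provider (v2) with the key held in an external HSM or cloud KMS, which is also where a FIPS-validated module is easiest to demonstrate. Second, `aesgcm` keys must be rotated regularly (the Kubernetes documentation sets a limit of 200,000 writes per key), and the `secretbox` provider uses XSalsa20/Poly1305, which is not a FIPS-approved algorithm.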
The sheer range of data sources and formats commonly used by containerized applications also means that containers need to be protected at the application level, rather than by a hardware- or database-level solution alone. Such a solution must protect not only a central repository of data, such as a database, file system or storage system, but also the individual applications and their containerized data.
Systems that handle DoD controlled unclassified information (CUI), including contractor systems that never process classified data, must implement the NIST SP 800-171 controls (DoD's own systems are assessed against NIST SP 800-53 under the Risk Management Framework). These security controls cover the entire lifecycle of development, deployment and management of information systems, including the protection of the applications themselves. This is why it is vital to build NIST SP 800-171 compliant protection of the Kubernetes application environment itself into the DevSecOps software development process.
Given the complexity of containerized application environments, a recovery plan also needs to verify the clusters' dependencies, determine the cluster in which recovery will be initiated, and create new Kubernetes views of the data to be restored. Only once that plan exists can the backup sources for each application be identified.
Finally, the Kubernetes objects that reference storage need to be updated to point at the new storage resources created during recovery. Resiliency requirements for any mission-critical or forward-deployed application mean that all of these steps must be able to take place in a chaotic environment with a maximum of flexibility and ease of use.
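The steps above map onto the standard CSI snapshot API. The following is an added example, not from the article or any vendor's product, of recovering a stateful workload in a different cluster from a storage-level snapshot: the snapshot is imported into the recovery cluster, a new PersistentVolumeClaim is created as the Kubernetes view of that data, and the workload is repointed at it. The namespace, object names, CSI driver name (`csi.example.com`), snapshot handle, StorageClass and volume size are all assumptions.

```yaml
# Added example: cross-cluster restore from a pre-provisioned CSI snapshot.
# Apply in the RECOVERY cluster; the driver must be the same CSI driver that
# took the snapshot, and the storage backend must be reachable from here.
#
# Step 1: import the existing snapshot (the backup source) into this cluster.
# The snapshotHandle is a CONSTRUCTED identifier for illustration.
apiVersion: snapshot.storage.k8s.io/v1
kind: VolumeSnapshotContent
metadata:
  name: mission-db-snapcontent
spec:
  deletionPolicy: Retain          # never delete the backend snapshot on cleanup
  driver: csi.example.com         # assumed CSI driver name
  source:
    snapshotHandle: snap-0123456789abcdef   # constructed backend snapshot id
  volumeSnapshotRef:
    name: mission-db-data-snap
    namespace: mission
---
# Step 2: the namespaced VolumeSnapshot that binds to the imported content.
apiVersion: snapshot.storage.k8s.io/v1
kind: VolumeSnapshot
metadata:
  name: mission-db-data-snap
  namespace: mission
spec:
  source:
    volumeSnapshotContentName: mission-db-snapcontent
---
# Step 3: a new Kubernetes view of the data: a PVC populated from the snapshot.
# The requested size must be at least the snapshot's restoreSize, and the
# StorageClass must be served by the same CSI driver.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: mission-db-data-restored
  namespace: mission
spec:
  storageClassName: csi-fast      # assumed StorageClass
  accessModes: [ReadWriteOnce]
  dataSource:
    apiGroup: snapshot.storage.k8s.io
    kind: VolumeSnapshot
    name: mission-db-data-snap
  resources:
    requests:
      storage: 20Gi               # assumed; >= snapshot restoreSize
---
# Step 4: update the workload so it references the restored storage resource.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mission-db
  namespace: mission
spec:
  replicas: 1
  selector:
    matchLabels: {app: mission-db}
  template:
    metadata:
      labels: {app: mission-db}
    spec:
      containers:
        - name: db
          image: registry.example.com/mission-db:1.4.2   # assumed image
          volumeMounts:
            - name: data
              mountPath: /var/lib/mission-db
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: mission-db-data-restored        # was: mission-db-data
```

Before trusting the restore, check that the VolumeSnapshot reports `readyToUse: true` (`kubectl -n mission get volumesnapshot mission-db-data-snap -o yaml`) and that the PVC reaches the Bound phase; a Pending PVC usually means a driver or StorageClass mismatch between the source and recovery clusters, which is exactly the dependency the plan is meant to verify in advance.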
Like virtualization, open-source systems such as Kubernetes avoid dependence on one vendor's underlying hardware. The software and hardware used for Kubernetes data protection and backup should therefore be hardware-agnostic as well.
Modern application development using Kubernetes, containers, and DevSecOps principles offers the promise of rapid, secure application development and deployment and an end to monolithic, fragile application stacks. It’s not an exaggeration to say that container-based DevSecOps application development practices should revolutionize defense software development.
Any hardware-dependent backup solution for these dynamic environments is a step backward in capability, flexibility and resiliency. The ideal data protection solution for Kubernetes will itself be a Kubernetes-based application that shares the flexibility, resiliency and scalability of the applications it protects.
Warfighters depend on mission-critical data to keep them alive, so keeping that data secure and available is essential. From updating software on planes in flight to revolutionizing the Army’s software stack, containers offer great benefits if the data these applications depend on is protected.
Jeff Reichard is Senior Director of Enterprise Strategy at Veeam, where he focuses on risk, compliance and partnerships around cloud data management and digital transformation.