    Lacework Study Finds 300 Unsecured Container Orchestration Dashboards

    Written by Sean Michael Kerner
    Published June 18, 2018

      Container orchestration systems, including Kubernetes, are increasingly being deployed in the cloud, but not all of those deployments are being done in a secure manner, according to a new report from Lacework, set to be released on June 19.

      Lacework conducted an analysis of cloud-hosted container orchestration deployments and discovered 21,169 publicly facing container orchestration platforms. Of these, 300 deployments were found to have open administrative dashboards without any required access credentials.

      “We used Shodan and our own crawler and port scanning in order to discover and fingerprint servers and then discover ones that were truly open versus authenticated,” Dan Hubbard, Chief Security Architect, told eWEEK.

      Shodan.io is a popular search service for discovering internet-connected resources. Lacework, founded in 2015, is in the business of cyber-security visibility. The company’s Polygraph platform provides security visibility into potential misconfigurations, threats and breaches inside application infrastructure residing in data centers or in the cloud.

      The issue of open container orchestration dashboards is not a new one and was also highlighted by security firm RedLock in a February 2018 report. RedLock found that electric automobile vendor Tesla had left its Kubernetes cluster open without any credentials and that it was being used by fraudsters to mine crypto-currency. More recently, security firm Kromtech reported on June 8 that a Kubernetes cluster operated by Weight Watchers was left open without authentication.

      Kubernetes wasn’t the only container orchestration system discovered by Lacework, but it was the most broadly deployed. Kubernetes represented 76 percent of the container orchestrators discovered in the cloud by Lacework, while 19 percent of clusters were running Docker Swarm.

      AWS Hosts Most Discoverable Dashboards

      Lacework’s analysis found that 95 percent of the discoverable container orchestration system dashboards were hosted on Amazon Web Services (AWS). Lacework conducted its scanning during the first week of June, which coincidentally is also the week that Amazon made its managed Elastic Container Service for Kubernetes (EKS) generally available. Organizations can deploy Kubernetes on their own in AWS, or they can now choose to run EKS. For the Kubernetes clusters found with open dashboards on AWS, Hubbard said that they were installations outside of Amazon’s EKS managed service.

      “EKS deploys with a secure dashboard and management plane by default and I’m pretty sure you cannot edit that unless you run your own management,” Hubbard said.

      While discovering 300 entirely open container orchestration system dashboards is not a good thing, Hubbard agreed that it’s safe to say that a large percentage of deployed container orchestration platforms are not open.

      “This of course is only one aspect of security so hard to say if they are secure,” Hubbard said. “Also an important note, we did not perform any brute force password or dictionary attacks so we cannot comment on how secure the authentication process is.”

      The Lacework report observed that the cluster orchestration system dashboards that were open to discovery on the internet could potentially disclose information that might be useful to attackers.

      “Within most discovered systems, the company name could be derived from certificates and hostnames even without access,” the report states. “These organizations, and the others who will replicate their mistakes, are opening themselves up to brute force password and dictionary attacks.”

      Best Practices

      Looking specifically at Kubernetes, Hubbard recommended organizations take the following measures to improve security:

      • Configure Kubernetes pods to run read-only file systems
      • Restrict privilege escalation in Kubernetes
      • Build a pod security policy
      • Run Role Based Access Control (RBAC)
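      As an added illustration (not from the Lacework report or from eWEEK), the manifests below show what the read-only file system, privilege-escalation and RBAC measures look like in Kubernetes; the namespace, names, image and user principal are placeholders. The pod security policy item is not shown here: PodSecurityPolicy was the admission-time mechanism available in 2018 and has since been removed from Kubernetes, but the securityContext fields below are the settings such a policy would enforce.

```yaml
# Added example, not the report's own configuration; all names are placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: web
  namespace: demo
spec:
  serviceAccountName: web-sa           # dedicated account, not the namespace default
  automountServiceAccountToken: false  # the app does not need API credentials
  containers:
  - name: app
    image: example.com/app:1.0         # placeholder image
    securityContext:
      readOnlyRootFilesystem: true     # measure 1: read-only root file system
      allowPrivilegeEscalation: false  # measure 2: no setuid / capability gain
      runAsNonRoot: true
      capabilities:
        drop: ["ALL"]
    volumeMounts:
    - name: tmp
      mountPath: /tmp                  # explicit scratch space, since the root fs is read-only
  volumes:
  - name: tmp
    emptyDir: {}
---
# Measure 4: RBAC. A namespaced, read-only role for a dashboard user instead of
# an unauthenticated dashboard or a cluster-admin binding.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: demo
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: alice-pod-reader
  namespace: demo
subjects:
- kind: User
  name: alice                          # placeholder principal
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

      Applying the RBAC objects only has effect when the API server runs with the RBAC authorizer enabled, which is the default on current distributions and on EKS.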

      Overall, Hubbard suggests that organizations understand their inventory of applications in public clouds and perform continual audit and configuration scanning, with compliance checks, for workloads and security zone policies.

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
