Cloud Technologies and Business


Introduction

Modern business is very diverse and multi-vector. It includes companies that have a stable presence on the market and periodically offer new projects, young, rapidly developing companies, and startups. However, for all the diversity of business, there is a factor that is inherent in almost all its areas. There can be no doubt that the functioning of a business cannot be imagined without computing power. And we are not just talking about permanent activities using core IT processes; many types of seasonal activities, as well as discrete peak load hours, often require additional IT capacity.

Despite all its dependence on IT processes and awareness of their necessity, any company strives to minimize its costs associated with the purchase of special equipment, licenses and software. At the same time, cost savings should not have a negative impact on the processes that ensure the quality of the final product. In order to realize these conditions, many companies are thinking about infrastructure services, considering their participation in the cloud options of web3 infrastructure.

Clouds to the rescue

If you ask the question: “What are the most frequently used IT terms?”, you will find that the leader in this ranking is likely to be the word “cloud.” However, frequent use of this term does not mean a complete understanding of its essence. Many of us think that cloud technologies are something very complex, mystical and absolutely far from everyday real processes. However, in practice, not only businesses, but each of us, one way or another, communicates with different options for cloud technologies. Day by day we come across various services and all sorts of simple or complex web solutions that cloud providers offer us. If we leave aside the virtual side of cloud technologies, we can see that the functioning of all cloud processes is provided by the same servers as the functioning of non-cloud ones. The difference is that these servers are not located near the users, but in a remote location, which creates certain advantages for the users. One of the main advantages is that server maintenance is carried out by specialists from cloud providers, and not by the users themselves. In addition, it is the cloud infrastructure, and not the user, that uses a pool of products such as Kubernetes, ML, DB, etc.

There are two reasons to use the cloud. The first reason is that the company needs cloud resources, namely: racks, virtual resources, Kubernetes and containers. The second reason is that the company needs cloud products, namely: technologies for creating their own products and the finished products themselves. Speaking about the use of racks, we are talking about an already established practice, in which the user buys from the provider the right to use the entire rack, with the user's own access and control. The next option for using clouds is renting virtual resources. Unlike using an entire rack, where the user pays in full for the rented resources regardless of how much they are used, leasing virtual machines allows the user to pay only for the resources actually used. With this option, doubts often arise about whether virtual machines can be used securely enough, since they are located on a single processor and theoretically have an increased risk of vulnerabilities. In this case, responsibility for security lies with the cloud providers, and it is they who take additional measures to ensure it.

Security in the clouds

Speaking about security in clouds, and for a clearer understanding of the structure of cloud resources, it makes sense to briefly list the main elements that form their virtuality. The first element of the structure is an application (App), which is packaged in a Docker container, and the App together with its Docker container is placed in a Kubernetes Pod. It should be noted that a Kubernetes Pod always contains at least two, and often more, containers. At the same time, one of the containers is always responsible for the infrastructure and network. The next element in order is the Kubernetes node, followed by elements such as Virtual OS and Host OS. Security is ensured for two cases drawn from this structure. The first case includes the elements “App – Docker container – Pod”. To ensure security in this case, you must do the following:

– The `readOnlyRootFilesystem` parameter must be set to `true`.

– The `hostPID` and `hostIPC` parameters must be set to `false`.

– The `hostNetwork` parameter must be set to `false`.

– The use of unsafe system calls should be prohibited.

At the next stage, we consider a case that includes the elements “Docker container – Virtual OS”. To ensure safety within this case, the following must be in place:

– All mounted volumes must be read-only.

– Capabilities are issued on the basis of least privilege: drop `ALL`, then add back only the capabilities necessary for the work.

Once again, it should be emphasized that the implementation of all of the listed actions that guarantee the security of cloud resources is the exclusive responsibility of the cloud provider.
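The two checklists above can be checked mechanically against a Pod manifest. The following is an added example, not code from the original article: `audit_pod` and both sample manifests are constructed for illustration, the field names are those of the Kubernetes Pod spec, and reading "unsafe system calls prohibited" as "a seccomp profile is applied" is an assumption.

```python
# Added example: audit a parsed Pod manifest (a dict) against the checklist above.
def audit_pod(pod):
    """Return a sorted list of findings; an empty list means every check passed."""
    spec = pod.get("spec", {})
    findings = []
    # Host namespace sharing; an absent field defaults to false in Kubernetes.
    for field in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(field, False):
            findings.append(f"pod: {field} must be false")
    pod_seccomp = spec.get("securityContext", {}).get("seccompProfile", {}).get("type")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: readOnlyRootFilesystem must be true")
        # Assumption: syscall restriction is expressed through a seccomp profile;
        # the container-level setting overrides the pod-level one.
        seccomp = sc.get("seccompProfile", {}).get("type", pod_seccomp)
        if seccomp not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}: no seccomp profile filtering system calls")
        drops = [d.upper() for d in sc.get("capabilities", {}).get("drop", [])]
        if "ALL" not in drops:
            findings.append(f"{name}: capabilities must drop ALL before adding any")
        for m in c.get("volumeMounts", []):
            if m.get("readOnly") is not True:
                findings.append(f"{name}: volume mount {m.get('name')} is not read-only")
    return sorted(findings)

# Constructed sample manifests: one weak, one following the checklist.
WEAK_POD = {"spec": {
    "hostNetwork": True,
    "containers": [{
        "name": "app",
        "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}},
        "volumeMounts": [{"name": "data", "mountPath": "/data"}],
    }],
}}
HARDENED_POD = {"spec": {
    "hostPID": False, "hostIPC": False, "hostNetwork": False,
    "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{
        "name": "app",
        "securityContext": {
            "readOnlyRootFilesystem": True,
            "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}},
        "volumeMounts": [{"name": "config", "mountPath": "/etc/app", "readOnly": True}],
    }],
}}

for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
    print(label, audit_pod(pod) or "OK")
```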
