GDPR Turns Two! Has Anything Really Changed?

It has been two years since the arrival of the EU’s General Data Protection Regulation (GDPR), which was introduced to force data collectors to tighten security over the information they hold on users of their services and to bring transparency and standardization to exactly what data they collect and how. The GDPR is far from an exercise in toothless bureaucracy: the penalties faced by those found in breach of the regulation are regarded as among the most stringent ever proposed.

With data breaches still a regular occurrence and increasingly among the primary objectives of cyber threat actors, just how successful has the GDPR “stick” of punishing fines been after two years? Has the fear of a GDPR fine changed the landscape of data protection, or merely increased the burden on organizations already struggling to gather and secure the masses of data needed to drive their businesses forward?

GDPR: Fines in Action

There have been around 340 GDPR fines, totalling roughly $180 million, over the last two years, and two of the largest proposed fines, amounting to another $350 million between them, are still to be confirmed in the coming weeks. That could bring the total to around half a billion USD before 2020 is done.

The first fine under GDPR was imposed on a bank in Bulgaria for ignoring the right to be forgotten, almost immediately after the regulation became enforceable in May 2018. The first UK GDPR fine came more than a year later, in December 2019, against Doorstep Dispensaree Ltd, a London firm that supplies medicines to thousands of elderly care home residents. The company had stored 500,000 documents containing sensitive medical information outside its offices, in unlocked containers, and was fined £275,000 for breaching GDPR rules. The most interesting facet of this case is that no digital record was involved at all, only paper documents.

Since then, many other organizations and companies have joined the not-so-prestigious club. The most recent country to impose a GDPR fine was Ireland, which in May 2020 fined Tusla, the child and family agency, for disclosing the location of children to unauthorised parties.

While the smallest fine has been a meager €90 received by a hospital in Hungary in November 2019, some of the larger fines have been extremely severe:

  • British Airways – $229 million proposed fine for a data breach affecting half a million customers.

  • Marriott Hotels – $123 million proposed fine, or 3% of global annual revenue, for a breach leaking records of 339 million guests.

  • Google – fined $57 million for lack of transparency on how its Android operating system processed user data.

  • TIM (Italian telecommunications operator) – fined $27.8 million for unlawful data processing, non-compliant aggressive marketing strategies, invalid collection of consent and an excessive data retention period.

  • Österreichische Post AG (Austrian postal service) – fined $20 million for illegally using marketing data.

  • Deutsche Wohnen SE (German real-estate company) – fined $16.5 million for retaining historical data without a lawful basis.

  • Eni Gas e Luce (Italian gas and electric company) – fined $13 million for processing personal data and activating unsolicited contracts.

  • 1&1 Telecom GmbH (German telecom) – fined $11 million for failing to have sufficient protections to prevent unauthorized access to customer information.

  • Dixons Carphone, UK – fined $630,000 for a data breach that exposed customer data to hackers for over 9 months.

  • Equifax – fined $630,000 for failing to protect user data belonging to 15 million British customers in its 2017 data breach.

(Note: fines are levied in the organization’s local currency; the figures above are approximate USD equivalents at the time of writing.)

The Marriott and British Airways cases are still under review, with the final decisions expected to be announced in August 2020.

Additional decisions are being considered regarding fines for Google, Twitter and fashion retailer H&M. It seems that the larger the company and the heavier the fine, the longer it takes the regulators to charge the violators and then to actually fine them.

Has COVID-19 Impacted GDPR?

On May 4, 2020, the Hungarian Government issued a Decree that suspends, during the COVID-19 state of emergency, the one-month deadline that controllers have under the GDPR to reply to data subject rights requests. The Decree also allows public entities to refuse or suspend freedom of information (“FOIA”) requests in certain situations. The Decree has been heavily criticized by civil society groups and prompted scrutiny by the European Data Protection Board (“EDPB”). For organizations with data collection activities that fall under Hungarian jurisdiction, it is worth noting that the EU may well challenge the Hungarian government’s suspension and could even rule it illegal.

More generally, the shift to working from home is likely to affect data breaches too; they are likely to increase in the second half of 2020, triggering additional GDPR notifications and responses. The International Association of IT Asset Managers (IAITAM) has warned that at-home work due to the COVID-19 pandemic is leading to a spike in data breaches greater than anticipated.

Contemporary Trends, Threats And Challenges

GDPR was supposed to reduce the overall number and severity of data breaches by giving companies an incentive to avoid being fined. But the evidence since it came into force is neither conclusive nor uniform across member states.

In Britain, for example, breach reporting increased by around 324% between May 2018 and May 2019, with the Information Commissioner’s Office (ICO) recording 14,000 breaches over the period. However, the same body reported receiving 19% fewer data breach notifications in the first quarter of 2020 than in the same period the previous year. This might indicate less fear of the regulator, either because fines have been less punitive than anticipated or because of the UK’s impending exit from EU regulation (“Brexit”) and uncertainty about what, if any, regulation businesses will face from the ICO once GDPR is no longer part of British law.

The most recent Verizon Data Breach Investigations Report (DBIR) noted that attackers are specifically looking for credentials and personal data: 58% of breaches involved personal data, and 37% of breaches either used or stole user credentials. This spells bad news for organizations, since theft of such data will almost always trigger a GDPR notification. Another recent trend is that aggressive ransomware gangs extort enterprise victims not only by denying them access to their own corporate data but also by threatening to dump that data in the public domain, again triggering breach notifications and all the subsequent headaches.

Has the GDPR Achieved Its Aims?

GDPR redefined privacy as a fundamental right and made corporate entities stewards of our data. As a result, proper data identification and handling is mandated under GDPR, with fines as a severe stick for non-compliance. To measure its success, however, we need to look not so much at the total amount of fines collected as at the shift in mindset it has created.

This is not limited to European territories, of course. The regulation has become a model for many national laws outside the EU, including in Chile, Japan, Brazil, South Korea, Argentina, Indonesia and Kenya. The California Consumer Privacy Act (CCPA), adopted on 28 June 2018, has many similarities with GDPR.

GDPR and similar regulations such as those mentioned above have encouraged organizations to try and prevent or limit the risks of a potential data breach by upgrading and improving their cybersecurity measures, and that can only be a good thing for all.

However, it remains a challenge for many businesses to factor in the cost of non-compliance when fines can amount to as much as 4% of global annual turnover. For this reason, many businesses operating within the jurisdiction of GDPR or similar regulations have seen fit not only to upgrade their cybersecurity defences but also to appoint a Data Protection Officer to take responsibility for overseeing compliance.

Conclusion

There is no doubt that GDPR has changed the landscape of data collection and protection since May 2018, not just in Europe but across much of the world’s markets. However, despite the penalties, the data breaches keep on rolling, and customer data keeps on being leaked and traded.

To some extent, this can be seen as enterprises still playing catch-up on years of poor or neglected data protection practices and legacy security technology. The threat actors are still out there punishing those that have not upgraded the technology they need to secure their clients’ data, and the regulators are out there punishing those that have not upgraded their data collection procedures and policies. If that tells us anything, it should be that data protection is a fundamental priority for every data collector. If an organization gets punished by the bad guys, it can expect the regulators to be lining up right behind them.

To learn more about how SentinelOne can help your business achieve GDPR and similar regulatory compliance, click here.



Jamf ups its IPO range, now targets a valuation of up to $2.7B

Today Jamf, a software company that helps other firms manage their Apple devices, raised its IPO price range.

The company had previously targeted a $17 to $19 per-share range. A new SEC filing from the firm today details a far higher $21 to $23 per-share IPO price interval.

Jamf still intends to sell up to 18.4 million shares in its debut, including 13.5 million in primary stock, 2.5 million shares from existing shareholders and an underwriter option worth 2.4 million shares. The whole whack at $21 to $23 per share would tally between $386.4 million and $423.2 million, though not all those funds would flow to the company.

At the low and high-end of its new IPO range, Jamf is worth between $2.44 billion and $2.68 billion, steep upgrades from its prior valuation range of $1.98 billion to $2.21 billion.

Jamf follows in the footsteps of recent IPOs like nCino, Vroom and others in seeing demand for its public offering push its pricing higher the closer it gets to trading. Such appetite from public-market investors indicates ample demand for debut shares in mid-2020, a fact that could spur other companies toward the exit market.

Coinbase, Airbnb and DoorDash are three such companies expected to debut within the next year, give or take a quarter or two.

Results, multiples

In anticipation of the Jamf debut that should come this week, let’s chat about the company’s recent performance.

Observe the following table from the most-recent Jamf S-1/A:

From even a quick glance we can learn much from this data. We can see that Jamf is growing, has improving gross margins and has managed to swing from an operating loss to operating profit in Q2 2020, compared to Q2 2019. And, for you fans out there of adjusted metrics, that Jamf managed to generate more non-GAAP operating income in its most recent period than the year-ago quarter.

In more precise terms:

  • Jamf’s year-over-year growth rate rose from 26.5% to 29.0% in Q2 2020
  • Its gross margin improved by 6 percentage points in absolute terms, or 8.3% in relative terms
  • Its non-GAAP operating income grew 123.4%, to 150.9% in Q2 2020 compared to the year-ago quarter

Profits! Growth! Software! Improving margins! It’s not a huge surprise that Jamf managed to bolster its IPO price range.

Finally, for the SaaS-heads out there, the following:

This data lets us have a little fun. Recall that the possible valuations for Jamf at IPO started at $1.98 billion to $2.21 billion and now run from $2.44 billion to $2.68 billion. With our two ARR estimates for the end of Q2, we can compute eight ARR multiples for Jamf, from the low end of its initial IPO price estimate to the top end of its new range.

Here they are:

  • Multiple at $1.98 billion valuation and $238 million ARR: 8.3x
  • Multiple at $1.98 billion valuation and $241 million ARR: 8.2x
  • Multiple at $2.21 billion valuation and $238 million ARR: 9.3x
  • Multiple at $2.21 billion valuation and $241 million ARR: 9.2x
  • Multiple at $2.44 billion valuation and $238 million ARR: 10.3x
  • Multiple at $2.44 billion valuation and $241 million ARR: 10.1x
  • Multiple at $2.68 billion valuation and $238 million ARR: 11.3x
  • Multiple at $2.68 billion valuation and $241 million ARR: 11.2x

From that perspective, the pricing changes feel a bit more modest, even if they work out to a huge spread on a valuation basis.

Regardless, this is the current state of the Jamf IPO. Rackspace also filed a new S-1/A today, but we can’t find anything useful in it. A bit like the Jamf S-1/A from Friday. Perhaps we’ll get a new Rackspace document soon with pricing notes.

And, of course, like the rest of the world we await the Palantir S-1 with bated breath. Consider that our white whale.

The Good, the Bad and the Ugly in Cybersecurity – Week 29

The Good

Cybercriminals often enjoy the fruits of their labor, and few ever pay for their malicious deeds, so this week we celebrate two victories for the forces of good. 32-year-old Russian national Yevgeny Nikulin, who stole 117 million user details from LinkedIn and Dropbox in 2012, lived a luxurious lifestyle in Moscow, driving his Lamborghini Huracan around the city streets. Nikulin was arrested in the Czech Republic in 2016 and extradited to the US in 2018, where his lawyers tried to avoid a trial on the grounds of his mental condition. Nevertheless, after undergoing psychiatric evaluation, he was tried and has now been convicted. He is scheduled to be sentenced on September 29, although his lawyers have said they will file an appeal in the interim.

U.S. Attorney David L. Anderson told CBS that the conviction was a warning to would-be hackers, and that “Computer hacking is not just a crime, it is a direct threat to the security and privacy of Americans. American law enforcement will respond to that threat regardless of where it originates.”

The penalty for his crimes could be up to 30 years in prison plus a hefty fine.

On the same day as Nikulin’s conviction, a UK court found Lewis Howe, 27, guilty of hacking his former employer as a retaliation for being let go from the “Flying Trade Group”.

Howe was fired in October 2018 and on November 16 launched a cyber attack in which he gained unauthorised access to the domain controller, which he used to delete key user accounts and knock computers off the network. He then tried to cover his tracks by deleting the server history. The disruption lasted several days and cost an estimated £180,000 in damages. He was sentenced to 10 months in prison, suspended for 24 months, and must complete 240 hours of community service and 30 rehabilitation days. He is also subject to a six-month curfew from 7pm to 7am and will be electronically monitored.

On both sides of the Atlantic, it seems that cybercrime doesn’t pay!

The Bad

This week saw an unprecedented, coordinated attack against the verified Twitter accounts of multiple celebrities and big-name companies, which were then used in concert to perpetrate a large-scale Bitcoin scam.

Hackers were able to gain control of 130 Twitter accounts belonging to some of the platform’s most prominent users, including the likes of Democratic presidential candidate Joe Biden, former President Barack Obama, Elon Musk, Kim Kardashian West, Kanye West, Bill Gates and the verified Twitter accounts of corporate giants Apple and Uber. Once the accounts were under the control of the attackers, they were used to tweet one of several versions of the following scam:

The net gain for the attackers so far has been USD $117,000, or around 13 Bitcoins at the current price, collected over a period of 24 hours from 392 transactions.

After realizing it had been hacked, Twitter temporarily blocked all verified accounts across the service from tweeting, not just those that had sent out the scammers’ message. While it is known that Twitter’s internal tools were leveraged in the attack, it is still unclear how the hackers gained access to Twitter’s internal systems, other than that “a coordinated social engineering attack” targeted some Twitter employees. The investigation continues as Twitter seeks both to understand what happened and to improve security. Law enforcement agencies are also conducting their own investigations.

The Ugly

The world is racing to find a vaccine for COVID-19, and thousands of scientists are working day and night to help the world return to normality. But some prefer to take shortcuts and simply steal the research done by others. In an unusually public announcement, the UK National Cyber Security Centre (NCSC) accused Russian intelligence services of targeting vaccine research and development organizations in the US, Canada and the UK.

The UK Foreign Secretary, Dominic Raab, said: “It is completely unacceptable that the Russian Intelligence Services are targeting those working to combat the coronavirus pandemic. While others pursue their selfish interests with reckless behaviour, the UK and its allies are getting on with the hard work of finding a vaccine and protecting global health. The UK will continue to counter those conducting such cyber attacks, and work with our allies to hold perpetrators to account”.

The actors said to be responsible are the infamous cyber espionage group variously known as APT29, Cozy Bear and The Dukes. Canada’s Communications Security Establishment (CSE), responsible for Canada’s foreign signals intelligence, said that the Russian APT group “is likely to continue to target organizations involved in COVID-19 vaccine research and development”.

For its part, the Kremlin denied involvement: spokesperson Dmitry Peskov said on Thursday that Russia “has nothing to do” with the attacks targeting organizations involved in coronavirus vaccine development.



Who’s Behind Wednesday’s Epic Twitter Hack?

Twitter was thrown into chaos on Wednesday after accounts for some of the world’s most recognizable public figures, executives and celebrities started tweeting out links to bitcoin scams. Twitter says the attack happened because someone tricked or coerced an employee into providing access to internal Twitter administrative tools. This post is an attempt to lay out some of the timeline of the attack, and to point to clues about who may have been behind it.

The first public signs of the intrusion came around 3 PM EDT, when the Twitter account for the cryptocurrency exchange Binance tweeted a message saying it had partnered with “CryptoForHealth” to give back 5000 bitcoin to the community, with a link where people could donate or send money.

Minutes after that, similar tweets went out from the accounts of other cryptocurrency exchanges, and from the Twitter accounts of Democratic presidential candidate Joe Biden, Amazon CEO Jeff Bezos, former President Barack Obama, Tesla CEO Elon Musk, former New York Mayor Michael Bloomberg and investment mogul Warren Buffett.

While it may sound ridiculous that anyone would be fooled into sending bitcoin in response to these tweets, an analysis of the BTC wallet promoted by many of the hacked Twitter profiles shows that over the past 24 hours the account has processed 383 transactions and received almost 13 bitcoin — or approximately USD $117,000.

Twitter issued a statement saying it detected “a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools. We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf. We’re looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it.”

There are strong indications that this attack was perpetrated by individuals who’ve traditionally specialized in hijacking social media accounts via “SIM swapping,” an increasingly rampant form of crime that involves bribing, hacking or coercing employees at mobile phone and social media companies into providing access to a target’s account.

People within the SIM swapping community are obsessed with hijacking so-called “OG” social media accounts. Short for “original gangster,” OG accounts typically are those with short profile names (such as @B or @joe). Possession of these OG accounts confers a measure of status and perceived influence and wealth in SIM swapping circles, as such accounts can often fetch thousands of dollars when resold in the underground.

In the days leading up to Wednesday’s attack on Twitter, there were signs that some actors in the SIM swapping community were selling the ability to change the email address tied to any Twitter account. In a post on OGusers — a forum dedicated to account hijacking — a user named “Chaewon” advertised that they could change the email address tied to any Twitter account for $250, and provide direct access to accounts for between $2,000 and $3,000 apiece.

The OGUsers forum user “Chaewon” taking requests to modify the email address tied to any twitter account.

“This is NOT a method, you will be given a full refund if for any reason you aren’t given the email/@, however if it is revered/suspended I will not be held accountable,” Chaewon wrote in their sales thread, which was titled “Pulling email for any Twitter/Taking Requests.”

Hours before any of the Twitter accounts for cryptocurrency platforms or public figures began blasting out bitcoin scams on Wednesday, the attackers appear to have focused their attention on hijacking a handful of OG accounts, including “@6”.

That Twitter account was formerly owned by Adrian Lamo — the now-deceased “homeless hacker” perhaps best known for breaking into the New York Times’s network and for reporting Chelsea Manning’s theft of classified documents. @6 is now controlled by Lamo’s longtime friend, a security researcher and phone phreaker who asked to be identified in this story only by his Twitter nickname, “Lucky225.”

Lucky225 said that just before 2 p.m. EDT on Wednesday, he received a password reset confirmation code via Google Voice for the @6 Twitter account. Lucky said he’d previously disabled SMS notifications as a means of receiving multi-factor codes from Twitter, opting instead to have one-time codes generated by a mobile authentication app.

But because the attackers were able to change the email address tied to the @6 account and then disable multi-factor authentication, the password reset code was sent both to his Google Voice account and to the new email address the attackers had added.

“The way the attack worked was that within Twitter’s admin tools, apparently you can update the email address of any Twitter user, and it does this without sending any kind of notification to the user,” Lucky told KrebsOnSecurity. “So [the attackers] could avoid detection by updating the email address on the account first, and then turning off 2FA.”

Lucky said he hasn’t been able to review whether any tweets were sent from his account during the time it was hijacked because he still doesn’t have access to it (he has put together a breakdown of the entire episode at this Medium post).
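What this chain looks like from the defender’s side, as an added example that is not part of the KrebsOnSecurity post and assumes a log format Twitter has never published: the rule below reads a constructed audit log of internal-tool actions and raises an alert only when a staff account changes a user’s email address with the notification suppressed and, within a short window, the same account’s two-factor authentication is disabled and a password reset is sent. A user changing their own address, or an operator change that is notified, is deliberately left alone.

```python
"""Flag the silent email-change -> 2FA-off -> password-reset chain.

Added example, not code from KrebsOnSecurity or Twitter. The audit-log
format below is an assumption (Twitter's internal tool logs are not
public); the log lines are constructed to illustrate the sequence
Lucky225 describes. Each line: ISO timestamp, then key=value fields.
"""
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log. @6 shows the full chain driven by a staff
# account; @B is a user-initiated change with a notification; @carol is
# a staff change whose follow-up falls outside the detection window.
SAMPLE_LOG = """\
2020-07-15T17:51:02Z actor=user:lucky225 target=@6 action=login result=ok
2020-07-15T17:55:40Z actor=staff:tools-operator-17 target=@6 action=email_update notify_user=false
2020-07-15T17:56:05Z actor=staff:tools-operator-17 target=@6 action=mfa_disable
2020-07-15T17:57:31Z actor=system target=@6 action=password_reset_sent channel=email
2020-07-15T18:02:14Z actor=user:bowner target=@B action=email_update notify_user=true
2020-07-15T18:03:00Z actor=system target=@B action=password_reset_sent channel=email
2020-07-15T18:40:00Z actor=staff:tools-operator-03 target=@carol action=email_update notify_user=false
2020-07-15T20:15:00Z actor=staff:tools-operator-03 target=@carol action=mfa_disable
"""

CHAIN = ("email_update", "mfa_disable", "password_reset_sent")
WINDOW = timedelta(minutes=30)


class Event:
    def __init__(self, ts: datetime, fields: Dict[str, str]) -> None:
        self.ts = ts
        self.actor = fields.pop("actor")
        self.target = fields.pop("target")
        self.action = fields.pop("action")
        self.attrs = fields  # whatever else the line carried


def parse_log(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *kvs = line.split()
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, dict(kv.split("=", 1) for kv in kvs)))
    return sorted(events, key=lambda e: e.ts)


def find_takeover_chains(events: List[Event], window: timedelta = WINDOW) -> List[Dict[str, object]]:
    """One alert per target where a staff-initiated, unnotified email change is
    followed, in order and within `window`, by the remaining steps of CHAIN."""
    by_target: Dict[str, List[Event]] = {}
    for e in events:
        by_target.setdefault(e.target, []).append(e)

    alerts = []
    for target, evs in by_target.items():
        for i, start in enumerate(evs):
            # The trigger is specifically an operator changing the address with
            # the user notification suppressed; a user changing their own
            # address, or a notified change, is normal traffic.
            if (start.action != CHAIN[0]
                    or not start.actor.startswith("staff:")
                    or start.attrs.get("notify_user", "true") != "false"):
                continue
            stage, seen = 1, [start]
            for nxt in evs[i + 1:]:
                if nxt.ts - start.ts > window:
                    break
                if nxt.action == CHAIN[stage]:
                    seen.append(nxt)
                    stage += 1
                    if stage == len(CHAIN):
                        alerts.append({
                            "target": target,
                            "operator": start.actor,
                            "first_seen": start.ts,
                            "elapsed": nxt.ts - start.ts,
                            "steps": [x.action for x in seen],
                        })
                        break
    return alerts


if __name__ == "__main__":
    for alert in find_takeover_chains(parse_log(SAMPLE_LOG)):
        print(alert)
```

The point of the rule is the ordering: an email change alone is routine support work, and a 2FA reset alone is routine too, but a silent email change followed by both within minutes is the takeover pattern Lucky225 describes. The window is a tuning knob; the @carol sequence shows that stretching the same steps over hours does not fire it.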

But around the same time @6 was hijacked, another OG account – @B — was swiped. Someone then began tweeting out pictures of Twitter’s internal tools panel showing the @B account.

A screenshot of the hijacked OG Twitter account “@B,” shows the hijackers logged in to Twitter’s internal account tools interface.

Twitter responded by removing any tweets across its platform that included screenshots of its internal tools, and in some cases temporarily suspended the ability of those accounts to tweet further.

Another Twitter account — @shinji — also was tweeting out screenshots of Twitter’s internal tools. Minutes before Twitter terminated the @shinji account, it was seen publishing a tweet saying “follow @6,” referring to the account hijacked from Lucky225.

The account “@shinji” tweeting a screenshot of Twitter’s internal tools interface.

Cached copies of @Shinji’s tweets prior to Wednesday’s attack on Twitter are available here and here from the Internet Archive. Those caches show Shinji claims ownership of two OG accounts on Instagram — “j0e” and “dead.”

KrebsOnSecurity heard from a source who works in security at one of the largest U.S.-based mobile carriers, who said the “j0e” and “dead” Instagram accounts are tied to a notorious SIM swapper who goes by the nickname “PlugWalkJoe.” Investigators have been tracking PlugWalkJoe because he is thought to have been involved in multiple SIM swapping attacks over the years that preceded high-dollar bitcoin heists.

Archived copies of the @Shinji account on twitter shows one of Joe’s OG Instagram accounts, “Dead.”

Now look at the profile image in the other Archive.org index of the @shinji Twitter account (pictured below). It is the same image as the one included in the @Shinji screenshot above from Wednesday in which Joseph/@Shinji was tweeting out pictures of Twitter’s internal tools.

Image: Archive.org

This individual, the source said, was a key participant in a group of SIM swappers that adopted the nickname “ChucklingSquad,” and was thought to be behind the hijacking of Twitter CEO Jack Dorsey’s Twitter account last year. As Wired.com recounted, @jack was hijacked after the attackers conducted a SIM swap attack against AT&T, the mobile provider for the phone number tied to Dorsey’s Twitter account.

A tweet sent out from Twitter CEO Jack Dorsey’s account while it was hijacked shouted out to PlugWalkJoe and other Chuckling Squad members.

The mobile industry security source told KrebsOnSecurity that PlugWalkJoe in real life is a 21-year-old from Liverpool, U.K. named Joseph James Connor. The source said PlugWalkJoe is in Spain where he was attending a university until earlier this year. He added that PlugWalkJoe has been unable to return home on account of travel restrictions due to the COVID-19 pandemic.

The mobile industry source said PlugWalkJoe was the subject of an investigation in which a female investigator was hired to strike up a conversation with PlugWalkJoe and convince him to agree to a video chat. The source further explained that a video which they recorded of that chat showed a distinctive swimming pool in the background.

According to that same source, the pool pictured on PlugWalkJoe’s Instagram account (instagram.com/j0e) is the same one they saw in their video chat with him.

If PlugWalkJoe was in fact pivotal to this Twitter compromise, it’s perhaps fitting that he was identified in part via social engineering. Maybe we should all be grateful the perpetrators of this attack on Twitter did not set their sights on more ambitious aims, such as disrupting an election or the stock market, or attempting to start a war by issuing false, inflammatory tweets from world leaders.

Also, it seems clear that this Twitter hack could have let the attackers view the direct messages of anyone on Twitter, information that is difficult to put a price on but which nevertheless would be of great interest to a variety of parties, from nation states to corporate spies and blackmailers.

This is a fast-moving story. There were multiple people involved in the Twitter heist. Please stay tuned for further updates. KrebsOnSecurity would like to thank Unit 221B for their assistance in connecting some of the dots in this story.

Kubernetes Security Challenges, Risks, and Attack Vectors

The IT world is changing rapidly as containers and Kubernetes (K8s) become increasingly popular. In just seven years, we have moved from virtual machines to containers and then to a container orchestration platform (the first Docker release appeared in 2013). While some startups are still learning how these new resources can serve them, some more established companies are looking into migrating their legacy systems to more efficient infrastructure.

While the rapid adoption of containers and Kubernetes shows just how disruptive these technologies have been, they have also brought new security problems. Their widespread popularity, and the number of organizations running them without proper security measures in place, have made containers and Kubernetes an attractive target for attackers.

A K8s cluster is a set of machines managed by a control plane (historically called the master node, and usually replicated). It can span thousands of machines and services, and so presents a large attack surface. Adopting strict security practices is therefore crucial.

Securing Your Cluster

There are many moving parts within a Kubernetes cluster that must be properly secured. Securing the cluster cannot be achieved in a single step; rather, it involves a number of best practices and requires a competent security team.

Below, we’ll cover a number of different Kubernetes attack vectors along with best practices for keeping your K8s cluster secure.

Ensuring Kubernetes and Its Nodes Are Up to Date

K8s is an open-source system that is continuously updated, and its GitHub repository is one of the most active on the platform. As such, new features, refinements and security updates are constantly being introduced.

Every four months or so, a new minor Kubernetes version (1.x) is released. Each new version brings features that improve the service, but may also introduce new security issues or bugs, something every actively developed piece of software is susceptible to.

Vulnerabilities are found in older versions too, so it is critical to understand how the Kubernetes project handles security updates for them. Unlike Linux distributions and some other platforms, Kubernetes has no long-term support (LTS) release; instead, the project backports security fixes to the three most recent minor versions.

It is therefore vital to keep your cluster on one of the three most recent minor versions, to stay on top of security patches, and to plan an upgrade to the latest minor version at least every twelve months.

Beyond its control-plane components, Kubernetes also manages the nodes that run the workloads scheduled onto the cluster. These nodes are physical or virtual machines with their own operating system, and each one is a potential attack vector whose OS, container runtime and kubelet must be kept patched. Keep nodes as minimal as possible to reduce the attack surface.
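A check that covers both the support window and the node paragraph above, as an added example that is not from the article or the Kubernetes project: given the newest upstream release, the API server version and each node’s kubelet version (all constructed below, shaped like kubectl output), it reports whether the control plane is still inside the three-version support window and which nodes break the kubelet skew policy. The skew rule it encodes (a kubelet may trail the API server by at most two minor versions and must never be newer) is the upstream policy at the time of writing, not something the article states.

```python
"""Audit a cluster against the support window and the kubelet skew policy.

Added example, not from the article or the Kubernetes project. Two
assumptions are encoded: security backports go to the three most recent
minor releases (as the article states), and a kubelet may lag
kube-apiserver by at most two minor versions and must never be newer
than it (the upstream version-skew policy at the time of writing). The
version strings are constructed, shaped like `kubectl version` and
`kubectl get nodes` output.
"""
import re
from typing import Dict, List, Tuple

VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")
SUPPORTED_MINORS = 3      # releases that still receive security patches
MAX_KUBELET_LAG = 2       # minor versions a kubelet may trail the API server


def parse_version(text: str) -> Tuple[int, int, int]:
    """Pull (major, minor, patch) out of a version string or a line of output."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no Kubernetes version in %r" % text)
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def supported_window(latest: str) -> List[Tuple[int, int]]:
    """Minor versions that still receive backports, newest first."""
    major, minor, _ = parse_version(latest)
    return [(major, minor - i) for i in range(SUPPORTED_MINORS)]


def control_plane_supported(apiserver: str, latest: str) -> bool:
    major, minor, _ = parse_version(apiserver)
    return (major, minor) in supported_window(latest)


def kubelet_skew_violations(apiserver: str, nodes: Dict[str, str]) -> List[str]:
    """Nodes whose kubelet is newer than the API server or trails it too far."""
    api_major, api_minor, _ = parse_version(apiserver)
    bad = []
    for name, ver in nodes.items():
        major, minor, _ = parse_version(ver)
        if major != api_major or minor > api_minor or api_minor - minor > MAX_KUBELET_LAG:
            bad.append(name)
    return bad


def audit(latest: str, apiserver: str, nodes: Dict[str, str]) -> Dict[str, object]:
    return {
        "control_plane_supported": control_plane_supported(apiserver, latest),
        "supported_window": ["%d.%d" % mm for mm in supported_window(latest)],
        "kubelet_violations": kubelet_skew_violations(apiserver, nodes),
    }


# Constructed sample: upstream is at 1.18, this cluster runs a 1.15 control
# plane with nodes of assorted ages plus one that was upgraded ahead of it.
LATEST_UPSTREAM = "v1.18.6"
APISERVER = 'Server Version: version.Info{GitVersion:"v1.15.12"}'
NODES = {
    "worker-a": "v1.15.12",   # matches the control plane
    "worker-b": "v1.13.5",    # two minors behind: the maximum allowed lag
    "worker-c": "v1.16.0",    # newer than the API server: not allowed
    "worker-d": "v1.12.9",    # three minors behind: too old
}

if __name__ == "__main__":
    print(audit(LATEST_UPSTREAM, APISERVER, NODES))
```

Run against the constructed data it reports an unsupported 1.15 control plane (the window is 1.18 to 1.16) and flags worker-c and worker-d; worker-b is old but still inside the allowed lag. Feeding it real `kubectl version` and per-node `kubeletVersion` values is a matter of replacing the constants.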

Limit User Access

Role-based access control (RBAC) is one of the best ways to control who has access to the cluster and what they can do. It allows a fine-grained set of permissions to be defined for each user. Rules are purely additive, with no deny rule, so every permission must be granted explicitly and anything not granted is refused. With RBAC, permissions (verbs such as get, list, watch, create, update and delete) can be restricted per Kubernetes object type, from pods (the smallest K8s compute unit) to namespaces.

Kubernetes can also delegate authentication to an external identity provider using OpenID Connect (OIDC) tokens, so that the users and groups referenced in RBAC bindings are managed centrally and reused across the organization.
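To make the additive rule concrete, here is a miniature RBAC authorizer as an added example (not from the article or from Kubernetes; the roles, bindings and subjects are constructed). It shows that a subject can do only what some bound rule grants: a namespaced Role does not reach other namespaces, a verb or subresource that is not listed is refused, and there is no deny rule to write.

```python
"""A miniature Kubernetes RBAC authorizer, to show why "additive" matters.

Added example, not from the article or from Kubernetes itself. The roles,
bindings and subjects below are constructed. Matching follows the
documented RBAC semantics: a rule grants (apiGroups x resources x verbs),
"*" is a wildcard, a Role is namespace-scoped, a ClusterRole bound by a
ClusterRoleBinding applies everywhere, and a RoleBinding may reference a
ClusterRole to grant its rules in one namespace only. There is no deny
rule: a request is allowed only if some bound rule grants it.
"""
from typing import Dict, List, Set, Tuple

Rule = Dict[str, List[str]]

# Constructed policy. "" is the core API group (pods, nodes, secrets).
ROLES: Dict[Tuple[str, str], List[Rule]] = {
    ("payments", "pod-reader"): [
        {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]},
    ],
}
CLUSTER_ROLES: Dict[str, List[Rule]] = {
    "node-viewer": [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list"]}],
    "cluster-admin": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}
ROLE_BINDINGS = [
    {"namespace": "payments", "roleRef": ("Role", "pod-reader"),
     "subjects": {"user:alice", "group:devs"}},
]
CLUSTER_ROLE_BINDINGS = [
    {"roleRef": "node-viewer", "subjects": {"group:devs"}},
    {"roleRef": "cluster-admin", "subjects": {"group:system:masters"}},
]


def rule_matches(rule: Rule, api_group: str, resource: str, verb: str) -> bool:
    def permits(allowed: List[str], wanted: str) -> bool:
        return "*" in allowed or wanted in allowed
    # Subresources such as pods/log must be named explicitly; "pods" alone
    # does not cover them, which is why the Role above lists both.
    return (permits(rule["apiGroups"], api_group)
            and permits(rule["resources"], resource)
            and permits(rule["verbs"], verb))


def rules_for(subjects: Set[str], namespace: str) -> List[Rule]:
    """Union of every rule reachable through a binding naming one of `subjects`."""
    rules: List[Rule] = []
    for b in CLUSTER_ROLE_BINDINGS:
        if b["subjects"] & subjects:
            rules += CLUSTER_ROLES[b["roleRef"]]
    for b in ROLE_BINDINGS:
        if b["namespace"] != namespace or not (b["subjects"] & subjects):
            continue
        kind, name = b["roleRef"]
        rules += ROLES[(namespace, name)] if kind == "Role" else CLUSTER_ROLES[name]
    return rules


def allowed(user: str, groups: List[str], verb: str, resource: str,
            namespace: str = "", api_group: str = "") -> bool:
    """True only if at least one bound rule grants the request; nothing can deny."""
    subjects = {"user:" + user} | {"group:" + g for g in groups}
    return any(rule_matches(r, api_group, resource, verb)
               for r in rules_for(subjects, namespace))


if __name__ == "__main__":
    print(allowed("alice", ["devs"], "get", "pods", "payments"))      # True
    print(allowed("alice", ["devs"], "delete", "pods", "payments"))   # False
    print(allowed("alice", ["devs"], "get", "pods", "default"))       # False
```

The practical lesson is in the denials: alice can read pods in payments but cannot delete them, cannot read them in any other namespace, and cannot touch secrets anywhere, because nothing grants those. Tightening access therefore means removing or narrowing bindings, never adding a rule; and the cluster-admin wildcard shows how one over-broad ClusterRoleBinding undoes all of that narrowing at once.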

Access control does not stop at the Kubernetes API. Sometimes users need to log in to a cluster node, for example to diagnose a problem. In such cases, it is better to create a temporary account for the task and delete it afterwards.

Best Practices for Containers

Docker, the most prominent container technology, builds images from layers: the innermost layer is the most primitive, while the outermost is the most specific. Every Docker image therefore starts from some base distribution or language runtime, with each new layer adding to or modifying the previous one until the final layer. The resulting container should then have everything it needs to start the application.

These layers (themselves images) may be published in Docker Hub or kept privately in another image registry. An image can be referenced in two ways: by name plus tag (e.g., node:latest) or by its immutable SHA256 digest (e.g., sha256:d64072a554283e64e1bfeb1bb457b7b293b6cd5bb61504afaa3bdd5da2a7bc4b for the same image at the time of writing).

The image a tag points to can be changed at any time by the repository owner; the latest tag simply points to whatever version is newest. This also means that when you build on or run an image referenced by tag, the underlying layer can change suddenly and without notice.

This of course poses problems: (1) you lose control of what is running in your Kubernetes cluster, since a base layer can be updated underneath you and introduce a conflict, or (2) the image can be deliberately modified to introduce a security flaw.

To prevent the first issue, avoid the latest tag and use a version-specific tag instead (e.g., node:14.5.0). To avoid the second, use official images, copy the image into your private registry, or reference it by its SHA256 digest.

Another approach is using a vulnerability detection tool to continuously scan the images used. These tools can run together with continuous integration pipelines and can monitor the image repository to identify previously undetected issues.

When building a new image, it’s important to remember that each image should contain only one service. The entire image should be built so that it has only the dependencies needed for that application and nothing else. This reduces the attack surface to only the components essential to the service. Having only one application per image also makes it easier to update to a new version and to allocate resources in the orchestrator.
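An added example (not from the original article) of a Deployment that applies the points above: one service per container, a version-specific tag, and the image pinned by digest from a private registry. The registry host and the digest are placeholders; obtain the real digest with `docker inspect --format='{{index .RepoDigests 0}}' node:14.5.0` after pulling.

```yaml
# Added example, not from the original article. Registry and digest are
# placeholders; the namespace and labels are assumptions.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api
  namespace: payments
spec:
  replicas: 2
  selector:
    matchLabels:
      app: api
  template:
    metadata:
      labels:
        app: api
    spec:
      containers:
        # Exactly one service in this image: nothing else to patch or attack.
        - name: api
          # Avoid:  image: node:latest
          #   The base layer can change without notice (problem 1 above).
          # Better: image: node:14.5.0
          #   A version-specific tag, but a tag can still be moved or replaced.
          # Best:   tag plus digest from a registry you control.
          #   The digest is what is actually pulled, so a retagged or tampered
          #   image no longer matches and the pull fails (problem 2 above).
          image: "registry.example.internal/base/node:14.5.0@sha256:<PLACEHOLDER_DIGEST>"
          imagePullPolicy: IfNotPresent   # safe only because the reference is immutable
          ports:
            - containerPort: 8080
```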

Network Security

The previous section was about reducing the attack surface, and the same applies to networking. Kubernetes provides virtual networks inside the cluster that can restrict traffic between pods and expose only permitted services to external access. It is a basic solution that works well in small clusters.

Larger clusters running many services built by different teams are far more complex, and a centralized approach may become impossible to manage. In such cases, service meshes are currently the best available method. A service mesh adds an encryption layer to the network so that services communicate with each other securely. It usually runs as a sidecar agent attached to each pod that handles the communication between services. Service meshes are not only about security; they also provide service discovery, monitoring, tracing, and logging, and help avoid service interruptions by applying patterns such as circuit breaking.

Establishing Resource Quotas

Because applications are updated all the time, the measures above are not sufficient on their own; there is always a residual risk of a security breach.

Resource quotas, which let Kubernetes confine the impact of a misbehaving workload to established limits, are therefore another important step. Well-designed constraints prevent all of a cluster’s services from becoming unavailable because one of them exhausted the shared resources.

They can also prevent you from racking up a massive cloud bill at the end of the month.
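As an added example (not from the original article), a namespace-level ResourceQuota paired with a LimitRange; the figures and the `payments` namespace are illustrative assumptions.

```yaml
# Added example, not from the original article. Limits are illustrative.
# Hard ceiling for the whole namespace: no matter how many pods are created,
# their combined requests/limits cannot exceed these values, so one runaway
# or compromised service cannot starve the rest of the cluster.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: payments-quota
  namespace: payments
spec:
  hard:
    requests.cpu: "4"
    requests.memory: 8Gi
    limits.cpu: "8"
    limits.memory: 16Gi
    pods: "20"
    persistentvolumeclaims: "5"
---
# Once a CPU/memory quota exists, pods that declare no requests or limits are
# rejected. A LimitRange supplies defaults and caps each container, so
# existing manifests keep deploying and no single container can claim
# the whole quota.
apiVersion: v1
kind: LimitRange
metadata:
  name: payments-limits
  namespace: payments
spec:
  limits:
    - type: Container
      defaultRequest:       # applied when a container sets no requests
        cpu: 100m
        memory: 128Mi
      default:              # applied when a container sets no limits
        cpu: 500m
        memory: 512Mi
      max:                  # upper bound any single container may request
        cpu: "2"
        memory: 4Gi
```

`kubectl describe quota -n payments` shows used versus hard values, which is also a cheap early indicator of unexpected growth in the namespace.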

Monitoring and Logging

Monitoring the cluster, from the control plane down to individual pods, is essential for discovering outages and pinpointing their cause. It is all about detecting anomalous behavior: if network traffic has increased or a node’s CPU usage looks different from normal, it needs further investigation to rule out a problem. Monitoring is mostly about metrics such as CPU, memory, and networking, whereas logging provides additional (historical) information that can help detect unusual patterns or quickly identify the source of a problem.

Prometheus and Grafana together are effective tools for Kubernetes monitoring. Prometheus is a high-performance time-series database, while Grafana is a dashboarding tool that reads Prometheus data and presents it in easy-to-read dashboards.

Elasticsearch is another useful and very popular tool, providing near-real-time centralized logging for the applications, the nodes, and Kubernetes itself.
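The CPU and network anomalies mentioned above, turned into Prometheus alerting rules as an added example that is not from the original article. It assumes Prometheus scrapes node_exporter and kube-state-metrics and that this file is listed under `rule_files` in the Prometheus configuration; the thresholds are illustrative.

```yaml
# Added example, not from the original article. Assumes node_exporter and
# kube-state-metrics metrics are available; thresholds are illustrative.
groups:
  - name: cluster-anomalies
    rules:
      # A node busy above 85% CPU for 15 minutes: investigate before it
      # turns into an outage (or confirms a crypto-mining or runaway pod).
      - alert: NodeCpuSaturated
        expr: |
          1 - avg by (instance) (rate(node_cpu_seconds_total{mode="idle"}[5m])) > 0.85
        for: 15m
        labels:
          severity: warning
        annotations:
          summary: "CPU above 85% on {{ $labels.instance }}"

      # Inbound traffic on a node more than three times its level one hour
      # earlier; loopback and per-pod veth interfaces are excluded.
      - alert: NodeNetworkTrafficSpike
        expr: |
          sum by (instance) (rate(node_network_receive_bytes_total{device!~"lo|veth.*"}[5m]))
            > 3 * sum by (instance) (rate(node_network_receive_bytes_total{device!~"lo|veth.*"}[5m] offset 1h))
        for: 10m
        labels:
          severity: warning
        annotations:
          summary: "Inbound traffic tripled on {{ $labels.instance }}"

      # A container restarting repeatedly points at a crash loop or a
      # process being killed; correlate with the logs from that pod.
      - alert: PodRestartLoop
        expr: |
          increase(kube_pod_container_status_restarts_total[30m]) > 3
        for: 5m
        labels:
          severity: warning
        annotations:
          summary: "{{ $labels.namespace }}/{{ $labels.pod }} restarted more than 3 times in 30m"
```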

Cloud vs. On-Premises: The Security Perspective

A Kubernetes installation can be either on-premises or based on a cloud management service. In the on-premises scenario, every configuration—spinning up new machines, setting up networking, and securing the application—must be deployed manually. Cloud managed services such as Google GKE, AWS EKS, or Azure AKS let K8s be installed with minimal configuration and integrate with other services from the cloud provider.

From a security perspective, on-premises deployments demand much more attention. As noted previously, every new update must be downloaded and applied by the team running the system, and the nodes must be updated as well. It is therefore recommended that only an experienced team deploy Kubernetes on-premises.

With a cloud managed service, on the other hand, the process is far simpler: Kubernetes is already installed and the cloud vendor keeps all nodes updated with the latest security patches. At the cluster level, most cloud providers let the user choose the K8s version from a supported set and provide ways to upgrade to a newer version. So while it is more straightforward, there is also less flexibility.

Final Notes

With continuous updates and a flood of new tools on the market, staying up to date and keeping on top of vulnerabilities can be challenging. Breaches are inevitable. With Kubernetes, the challenge is even greater, because it is more than just a tool: Kubernetes is a set of tools that manages other tools, machines, and networks, so its security is essential.

But with so many moving parts, keeping your Kubernetes secure is no trivial task, so be sure to follow these guidelines:

  • Scan applications running on K8s for security issues.
  • Limit and control access.
  • Ensure everything is patched with the latest security updates, and continuously monitor the cluster so that outages are addressed immediately and damage is limited.

The challenge is even greater with on-premises deployments, where there is real hardware to manage, automations to create, and more software to keep updated. But following the best practices discussed herein can give you a major security advantage and help keep your Kubernetes environment safe and running.

The SentinelOne Platform supports physical and virtual machines, Docker, self-managed Kubernetes, and cloud service provider managed Kubernetes like AWS EKS. To find out more, request a free demo today.


Read more about Cyber Security

Verizon partners with Airtel to launch BlueJeans in India

Bharti Airtel announced on Tuesday it has partnered with Verizon* to launch BlueJeans video-conferencing service in India to serve business customers in the world’s second largest internet market.

The video conferencing service, branded as Airtel BlueJeans in India, offers “enterprise-grade security” (which includes encrypted calls, ability to lock and password protect a meeting and generate randomized meeting IDs), a cloud point presence in India to enable low latency, HD video and Dolby Voice, and can accommodate up to 50,000 participants on a call.

Gopal Vittal, chief executive of Airtel, said in a call with reporters Tuesday that the Indian telecom operator is exploring ways to bring Airtel BlueJeans to home customers as well, though he cautioned that any such offering would take at least a few weeks to hammer out.

Airtel BlueJeans is being offered to businesses at no charge for the first three months, after which the video conferencing service will be offered at a “very competitive” price, said Vittal. Airtel will offer customized pricing plans for large businesses and small businesses, he added.

Airtel, the third largest telecom operator in India with 300 million subscribers, already maintains a partnership with G Suite and Cisco Webex, and Zoom. However, Vittal said that its collaboration with Verizon was “special” and enabled it to host data in India itself.

Verizon acquired BlueJeans in April this year. At the time, BlueJeans had over 15,000 business customers. Hans Vestberg, chief executive of Verizon, said on Tuesday that the American telecom giant was hopeful that Airtel BlueJeans would make major inroads in the Indian market, though he declined to share any figures.

Vestberg said Verizon is open to extending this partnership with Airtel to serve the Indian telecom operator’s business in African market, though both are currently focused on serving clients in India.

Tuesday’s announcement comes as video conferencing services have gained impressive momentum in India in recent months. Zoom app, which is also available to consumers, has already amassed over 35 million monthly active users in the country, according to mobile insights firm App Annie — data of which an industry executive shared with TechCrunch.

Reliance Jio Platforms, the top telecom operator in India with nearly 400 million subscribers, launched its video conferencing service JioMeet earlier this month. JioMeet is currently available to both consumers and business customers at no charge and a session on the service can last for up to 24 hours.

“We know we are not the first to launch a video conferencing in India, but we are confident that our differentiated offerings and brand value would stand out,” said Vittal.

Airtel BlueJeans, which includes BlueJeans’ Meetings, Events, Rooms, and Gateway for Microsoft Teams functionalities, will go live in India Tuesday evening.

*Verizon is TechCrunch’s parent company.

Google Cloud’s new BigQuery Omni will let developers query data in GCP, AWS and Azure

At its virtual Cloud Next ’20 event, Google today announced a number of updates to its cloud portfolio, but the private alpha launch of BigQuery Omni is probably the highlight of this year’s event. Powered by Google Cloud’s Anthos hybrid-cloud platform, BigQuery Omni allows developers to use the BigQuery engine to analyze data that sits in multiple clouds, including those of Google Cloud competitors like AWS and Microsoft Azure — though for now, the service only supports AWS, with Azure support coming later.

Using a unified interface, developers can analyze this data locally without having to move data sets between platforms.

“Our customers store petabytes of information in BigQuery, with the knowledge that it is safe and that it’s protected,” said Debanjan Saha, the GM and VP of Engineering for Data Analytics at Google Cloud, in a press conference ahead of today’s announcement. “A lot of our customers do many different types of analytics in BigQuery. For example, they use the built-in machine learning capabilities to run real-time analytics and predictive analytics. […] A lot of our customers who are very excited about using BigQuery in GCP are also asking, ‘how can they extend the use of BigQuery to other clouds?’ ”


Google has long said that it believes that multi-cloud is the future — something that most of its competitors would probably agree with, though they all would obviously like you to use their tools, even if the data sits in other clouds or is generated off-platform. It’s the tools and services that help businesses to make use of all of this data, after all, where the different vendors can differentiate themselves from each other. Maybe it’s no surprise then, given Google Cloud’s expertise in data analytics, that BigQuery is now joining the multi-cloud fray.

“With BigQuery Omni customers get what they wanted,” Saha said. “They wanted to analyze their data no matter where the data sits and they get it today with BigQuery Omni.”


He noted that Google Cloud believes that this will help enterprises break down their data silos and gain new insights into their data, all while allowing developers and analysts to use a standard SQL interface.

Today’s announcement is also a good example of how Google’s bet on Anthos is paying off by making it easier for the company to not just allow its customers to manage their multi-cloud deployments but also to extend the reach of its own products across clouds. This also explains why BigQuery Omni isn’t available for Azure yet, given that Anthos for Azure is still in preview, while AWS support became generally available in April.

NS1 nets $40M ‘true coronavirus fundraise’ amidst surging customer demand

Apparently, the internet is still popular.

With the novel coronavirus marooning people at home for work and play, those “tubes” carrying our data back and forth have become ever more important to our livelihoods. Yet while we often as consumers think of the internet as what we buy from a service provider like Spectrum or TechCrunch’s parent company Verizon, the reality is that businesses need key network services like DNS and IP Address Management in order to optimize their performance and costs.

That’s where New York City-based NS1 has done particularly well. My colleague Ron Miller first covered the company and its founding story for us two years ago, as part of our in-depth look at the New York City enterprise software ecosystem. Fast forward two years, and NS1 couldn’t be doing better: in just the first quarter of this year, new customer bookings were up 159% year over year according to the company, and it currently serves 600 customers.

That traction in a critical infrastructure segment of the market attracted the attention of even more growth capital. Today, the company announced that Energy Impact Partners, which has traditionally invested in sustainable energy startups but has recently expanded into software and internet services, is leading a $40 million Series D round into the startup, bringing its total fundraising to date to $125 million. The round was led by Shawn Cherian, a partner at EIP who just joined the firm at the beginning of June (nothing like getting a deal done your first day on the job).

Kris Beevers, cofounder and CEO of NS1, said that COVID-19 has had a huge impact on the startup’s growth the past few months. “For example, [a] large software customer of ours [said] that our number two KPI for our coronavirus task force is network performance and saturation as managed by NS1.” Customers have made network management significantly higher priority since degradations in latency and reliability can dramatically limit a service’s viability for stay-at-home workers and consumers.

NS1’s Founding Team

“The quip that I have used a few times recently is digital transformation initiatives have compressed from five or ten years down to months or a year at this point. Everybody’s just having to accelerate all of these things,” Beevers said.

The company has doubled down on its key tools like DNS and IP management, but it has also launched new features using feedback from customers. “For example, we launched a VPN steering capability to help our customers optimize their VPN footprints because obviously those suddenly are more important than they’ve ever been,” he said. Virtual Private Networks (VPNs) allow employees to login to their company’s network as if they were physically present in the office.

While NS1 had money in the bank and increasing appetite from customers, the company was also starting a fundraise in the middle of a global pandemic. Beevers said that it was hard at first to get momentum. “April was a dead zone,” he said. “All the VCs were sort of turtle up.”

The tide began to turn by early May as VCs got a handle on their portfolios and started to survey where the opportunities were in the market given the lessons of the early days of COVID-19. “We actually started to get a huge amount of inbound interest in early May timeframe,” he said.

“Call it like a true coronavirus fundraise,” Beevers explained. It was “end to end like less than a month getting to know [Cherian] to term sheet, and all virtual. Partner meeting was all virtual, diligence all virtual. Not a single in-person interaction in the whole fundraising process, and that was the case with everybody else who was involved in the round too, so all the folks that didn’t in the end write the winning term sheet.”

What made Cherian stand out was Energy Impact Partners’ portfolio, which touches on energy, industry and IoT — sectors that are increasingly being digitized and need the kind of internet infrastructure services that NS1 provides. Also, Cherian led a round into Packet, which is a fellow NYC enterprise company that sold to Equinix for more than $300 million. Packet’s founder Zac Smith and Beevers worked together at Voxel and are part of the so-called “Voxel mafia” of infrastructure engineers in Manhattan.

With the new funding, NS1 intends to continue to expand its traction in the network layer while also doubling down on new markets like IoT.

Zoom introduces all-in-one home communications appliance for $599

Zoom has become the de facto standard for online communications during the pandemic, but the company has found that it’s still a struggle for many employees to set up the equipment and the software to run a meeting effectively. The company’s answer is an all-in-one communications appliance with Zoom software ready to roll in a simple touch interface.

The device, dubbed the Zoom for Home – DTEN ME, is being produced by partner DTEN. It consists of a standalone 27-inch screen, essentially a large tablet equipped with three wide-angle cameras designed for high-resolution video and 8 microphones. Zoom software is pre-loaded on the device and the interface is designed to provide easy access to popular Zoom features.

Zoom for Home – DTEN ME with screen sharing on. Image Credits: Zoom

Jeff Smith, head of Zoom Rooms, says that the idea is to offer an appliance that you can pull out of the box and it’s ready to use with minimal fuss. “Zoom for Home is an initiative from Zoom that allows any Zoom user to deploy a personal collaboration device for their video meetings, phone calls, interactive whiteboard annotation — all the good stuff that you want to do on Zoom, you can do with a dedicated purpose-built device,” Smith told TechCrunch.

He says this is designed with simplicity in mind, so that you pull it out of the box and launch the interface by entering a pairing code on a website on your laptop or mobile phone. Once the interface appears, you simply touch the function you want, such as making a phone call or starting a meeting, and it connects automatically.


You can link it to your calendar so that all your meetings appear in a sidebar, and you just touch the next meeting to connect. If you need to share your screen it includes ultrasonic pairing between the appliance and your laptop or mobile phone. This works like Bluetooth, but instead of sending out a radio signal, it sends out a sound between 18 and 22 kHz, which most people can’t hear, to connect the two devices, Smith said.

Smith says Zoom will launch with two additional partners, including the Neat Bar and the Poly Studio X Series, and could add other partners in the future.

The DTEN appliance will cost $599 and works with an existing Zoom license. The company is taking pre-orders and the devices are expected to ship next month.

Sumeru Equity Partners buys majority stake in SocialChorus with $100M investment

SocialChorus, a startup that helps distribute communications internally in a similar way marketers reach customers externally, announced a $100 million investment today led by Sumeru Equity Partners. With this investment, the firm has bought a majority stake in the company. As part of today’s deal, Sumeru will be adding three members to the SocialChorus board.

“Sumeru Equity Partners is making a majority investment in the company but also well capitalizing the business for future growth,” Mark Haller, principal at Sumeru told TechCrunch.

The company previously raised $47 million, according to Crunchbase data. Haller says this is not a buyout, so much as a partnership with those previous investors. “We’re seeing continued partnership with existing investors and we’re coming in and making that majority investment, and we’ll also be making another investment in the balance sheet,” he said.

What Sumeru is getting is a company that helps with internal communications using marketing techniques, says company CEO Gary Nakamura. “You can run campaigns with targeting segmentation and all the telemetry back that you need as a leader, as a manager, as an organization to understand how your communications are landing with your workforce,” Nakamura told TechCrunch.

The target is large companies and customers, including big names like Ford, Archer Daniels Midland and Boeing. The company reports it has 120 large customers around the world, and the business has been growing at 50% year over year.

While the company is getting this infusion of cash from Sumeru, Nakamura says he will continue to try to manage the company in a thoughtful way, and that means being careful about how they hire beyond the 120 employees the company already has.

“What we have built is a business that doesn’t require a lot of heads to run it. We can maintain a 50% growth rate with financial discipline that we’ve implemented. Historically that is what we’ve been able to do,” he said.

Sumeru Equity Partners is a private equity firm based in San Francisco. It targets mid-market companies, according to the company website, and then tries to apply operational efficiency by working with them on areas like product strategy, go-to-market acceleration and organizational development, with the goal of building up the company and taking it to exit.