Advanced Policy Control and Compliance for Cloud Native Machine Identities

January 25, 2022 | Richard Collins, Jetstack

As Kubernetes becomes the new standard for the development and deployment of cloud hosted applications, InfoSec teams need to own everything around cloud native machine identity security. A recent cloud native security survey highlighted that 94% of companies operating Kubernetes clusters in production experienced a security incident in the last 12 months, with the most common vulnerabilities related to certificate misconfiguration.

Jetstack, a Venafi company, has announced that its flagship product for cloud native machine identity management, Jetstack Secure, now has tighter integration with Venafi Trust Protection Platform (TPP). This combined solution means Venafi customers can use Jetstack Secure to apply the same policy-driven security controls across both modern Kubernetes and traditional infrastructure and maintain FIPS compliance if needed. InfoSec teams can use their current TPP solution and extend security policy to manage access to public and private CAs, and monitor machine identities across platforms built using Kubernetes or OpenShift. 

Using Jetstack Secure, Venafi TPP customers can now:

  • Obtain vital visibility of X.509 certificates and their configuration status across Kubernetes/OpenShift clusters
  • Build a security posture to identify and mitigate threats that specifically target vulnerabilities in cloud native environments
  • Enforce security policies without slowing developer teams deploying workloads on ever faster release cycles
  • Ensure full operational FIPS 140-2 compliance of cert-manager across cloud native environments

Cloud native visibility with Jetstack Secure

Jetstack Secure extends TPP to provide in-depth visibility of certificate configurations in Kubernetes and OpenShift clusters. The combined solution will discover and report all X.509 certificates, whether they are public trusted certificates used for ingress endpoints or certificates used to secure microservices using private PKI. Using Jetstack Secure, InfoSec can deliver consistent security approaches for developers and have full visibility and control of each machine identity across the whole platform.

To see how this works, watch the video demo from Jetstack, which explains how TPP integrates with Jetstack Secure to instantly discover certificates operating in cloud native environments.

Cloud native control with Jetstack Secure

The inherent nature of modern developer-led automation is driving huge growth in the use of both public and private certificates. Venafi TPP integration with Jetstack Secure will align and enforce security policy controls for cloud native developer teams by proactively monitoring access to CAs and sub-CAs. It will prevent operational and security risks caused by manually signed certificates, as well as other certificate misconfigurations. In modern environments where the number of certificates is growing fast, Jetstack Secure gives developer teams a consistent basis to deploy workloads securely: certificate requests are automated alongside effective PKI controls, so a validated and auditable chain of trust exists for every workload deployed to a Kubernetes cluster.

Jetstack Secure is especially relevant for Venafi Trust Protection Platform customers whose core operation is extending from traditional on-premise infrastructure and embracing modern Kubernetes and OpenShift cloud native technology. 

Built with cert-manager

Jetstack is the company behind cert-manager, the highly successful cloud native open source project that has become the industry standard for fully automating machine identities in cloud native environments. Cert-manager became a CNCF project in November 2020.

It is now extremely common for large company platform teams to be actively deploying cert-manager to clusters to automate the issuance and renewal of X.509 certificates. Jetstack Secure builds on cert-manager to provide a comprehensive cloud native machine identity solution for enterprises that are deploying cert-manager across multiple production clusters. Using Jetstack Secure to deploy cert-manager to clusters hardens the organization's security posture by building in consistency and security. It provides a means to scale cloud native infrastructure with multi-cluster visibility of each machine identity, including alerts when misconfigurations are detected, with remediation advice for SRE teams.

Zero Trust cloud native security using a service mesh

As cloud-native infrastructure grows, many large companies are deploying a service mesh solution to underpin Zero Trust architectures and enforce workload security for fast-growing multi-cluster environments. For example, Istio is a popular, fully featured service mesh with a rich set of capabilities for traffic routing, policy control, and observability. Cert-manager is regularly deployed with Istio to ensure integration with enterprise PKI by supporting CAs that are already in production, including HashiCorp Vault. With Jetstack Secure, security teams can enforce security policy using Vault to ensure a validated root of trust for all workload identities using the service mesh, and use the TPP integration for auditing and visibility of these signed certificates.
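As an added illustration of the arrangement described above, and not configuration taken from Jetstack Secure, cert-manager or the Venafi integration, the following two cert-manager resources use an existing HashiCorp Vault PKI path as the issuer for a mesh workload identity. The Vault address, PKI sign path, Kubernetes auth role and mount path, secret name, namespace, service account and SPIFFE trust domain are all assumed placeholders; the field names themselves are those of the cert-manager.io/v1 API.

```yaml
# Added example: a cluster-wide issuer backed by an existing Vault
# intermediate CA, so every workload certificate chains to the PKI that
# security already controls. All values below are assumed placeholders.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: vault-workload-issuer
spec:
  vault:
    server: https://vault.example.internal:8200   # assumed Vault address
    path: pki_int/sign/istio-workloads            # assumed PKI role that signs CSRs
    # Pin the CA that cert-manager must see when talking to Vault; a missing
    # caBundle would make the issuer trust whatever the pod's system roots trust.
    caBundle: "<base64 PEM of the Vault server CA, placeholder>"
    auth:
      kubernetes:
        role: cert-manager                        # assumed Vault auth role
        mountPath: /v1/auth/kubernetes
        secretRef:
          name: cert-manager-vault-token          # assumed secret holding the SA token
          key: token
---
# A short-lived workload certificate for a mesh service. The URI SAN carries
# the SPIFFE identity Istio expects; the key is regenerated on every renewal
# so a leaked private key has a bounded lifetime.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: payments-api                              # assumed workload name
  namespace: payments                             # assumed namespace
spec:
  secretName: payments-api-tls
  duration: 24h        # short lifetime limits the blast radius of a compromised key
  renewBefore: 8h      # renew well before expiry so a Vault outage does not cause an outage
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always   # never reuse the old key on renewal
  usages:
    - digital signature
    - key encipherment
    - server auth
    - client auth
  uris:
    - spiffe://cluster.local/ns/payments/sa/payments-api   # assumed trust domain / SA
  issuerRef:
    name: vault-workload-issuer
    kind: ClusterIssuer
```

A platform operator can confirm the issuer is reachable and the certificate has been signed with `kubectl get clusterissuer vault-workload-issuer` and `kubectl -n payments get certificate payments-api`, checking that the `READY` column reads `True`; a `False` there, with the reason in `kubectl describe`, is exactly the class of misconfiguration that the visibility described in this post is meant to surface.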

Cloud native FIPS compliance using Jetstack Secure

As customers' platform operations adopt cloud native infrastructure, compliance obligations apply to the modern platform in the same way they apply to traditional infrastructure. Jetstack Secure supports FIPS 140-2 compliant builds of cert-manager to meet US Government requirements for information security and processing using cryptographic technology. This is important for companies that are progressively using cert-manager as part of their Kubernetes operation and are supplying services directly to US Government agencies.

As Kubernetes adoption increases and clusters spin up across an enterprise, misconfiguration and out-of-date software can present significant security risks. With Jetstack Secure, companies can easily achieve operational consistency of these critical software components with hardened and secure builds of cert-manager that are not only FIPS 140-2 compliant but also signed directly by Jetstack. When each individual cluster is running the exact same hardened version of cert-manager, the security posture is improved, since all private and public certificate configurations are proactively managed by Jetstack Secure to prevent security vulnerabilities. This gives platform teams certainty and consistency by standardizing cert-manager from Jetstack Secure across all clusters, whilst meeting important security requirements from InfoSec which are all reported back to the TPP solution.

To learn more about Jetstack Secure, visit the product page. Platform teams using cert-manager can connect a cluster for free and gain instant access to the Jetstack Secure solution interface to proactively monitor ingress and certificate configurations.