As Kubernetes becomes the new standard for the development and deployment of cloud hosted applications, InfoSec teams need to own everything around cloud native machine identity security. A recent cloud native security survey highlighted that 94% of companies operating Kubernetes clusters in production experienced a security incident in the last 12 months, with certificate misconfiguration the most commonly reported cause.
Jetstack, a Venafi company, has announced that its flagship product for cloud native machine identity management, Jetstack Secure, now has tighter integration with Venafi Trust Protection Platform (TPP). This combined solution means Venafi customers can use Jetstack Secure to apply the same policy-driven security controls across both modern Kubernetes and traditional infrastructure and maintain FIPS compliance if needed. InfoSec teams can use their current TPP solution and extend security policy to manage access to public and private CAs, and monitor machine identities across platforms built using Kubernetes or OpenShift.
Using Jetstack Secure, Venafi TPP customers can now:
Jetstack Secure extends TPP to provide in-depth visibility of certificate configurations in Kubernetes and OpenShift clusters. The combined solution will discover and report all X.509 certificates, whether they are public trusted certificates used for ingress endpoints or certificates used to secure microservices using private PKI. Using Jetstack Secure, InfoSec can deliver consistent security approaches for developers and have full visibility and control of each machine identity across the whole platform.
To see how this works, watch this video demo from Jetstack, which explains how TPP integrates with Jetstack Secure to instantly discover certificates operating in cloud native environments.
The inherent nature of modern developer-led automation is driving huge growth in the use of both public and private certificates. Venafi TPP integration with Jetstack Secure will align and enforce security policy controls for cloud native developer teams by proactively monitoring access to CAs and sub-CAs. It will prevent operational and security risks caused by manually signed certificates, as well as other certificate misconfigurations. In modern environments where the number of certificates is growing fast, Jetstack Secure gives developer teams a consistent basis to deploy workloads securely, where certificate requests are automated alongside effective PKI controls to ensure a validated and auditable chain of trust exists for every workload deployed to a Kubernetes cluster.
Jetstack Secure is especially relevant for Venafi Trust Protection Platform customers whose core operation is extending from traditional on-premises infrastructure to modern Kubernetes and OpenShift cloud native technology.
Jetstack is the company behind cert-manager, the highly successful cloud native open source project that has become the industry standard for fully automating machine identities in cloud native environments. Cert-manager became a CNCF project in November 2020.
It is now extremely common for large company platform teams to be actively deploying cert-manager to clusters to automate the issuance and renewal of X.509 certificates. Jetstack Secure builds on cert-manager to provide a comprehensive cloud native machine identity solution for enterprises that are deploying cert-manager across multiple production clusters. Using Jetstack Secure to deploy cert-manager to clusters hardens the organization’s security posture by building in consistency and security. It provides a means to scale cloud native infrastructure with multi-cluster visibility of each machine identity, including alerts when misconfigurations are detected, with remediation advice for SRE teams.
As cloud native infrastructure grows, many large companies are deploying a service mesh solution to underpin Zero Trust architectures and enforce workload security for fast-growing multi-cluster environments. For example, Istio is a popular, fully-featured service mesh with a rich set of capabilities for traffic routing, policy control, and observability. Cert-manager is regularly deployed with Istio to ensure integration with enterprise PKI by supporting CAs that are already in production, including HashiCorp Vault. With Jetstack Secure, security teams can enforce security policy using Vault to ensure a validated root of trust for all workload identities using the service mesh, and use the TPP integration for auditing and visibility of these signed certificates.
As customers' platform operations adopt cloud native infrastructure, compliance applies to the modern platform infrastructure in the same way it holds for traditional infrastructure. Jetstack Secure supports FIPS 140-2 compliant builds of cert-manager to meet US Government requirements for information security and processing using cryptographic technology. This is important for companies that are progressively using cert-manager as part of their Kubernetes operation and are supplying services directly to US Government agencies.
As Kubernetes adoption increases and clusters spin up across an enterprise, misconfiguration and out-of-date software can present significant security risks. With Jetstack Secure, companies can easily achieve operational consistency of these critical software components with hardened and secure builds of cert-manager that are not only FIPS 140-2 compliant but also signed directly by Jetstack. When each individual cluster is running the exact same hardened version of cert-manager, the security posture is improved, since all private and public certificate configurations are proactively managed by Jetstack Secure to prevent security vulnerabilities. This gives platform teams certainty and consistency by standardizing cert-manager from Jetstack Secure across all clusters, whilst meeting important security requirements from InfoSec, all of which are reported back to the TPP solution.
To learn more about Jetstack Secure, visit the product page. Platform teams using cert-manager can connect a cluster for free and gain instant access to the Jetstack Secure solution interface to proactively monitor ingress and certificate configurations.