Creation of custom policies, full system configuration portability, in-depth audit of the control plane cluster and supply chain attack prevention – the new release of Kaspersky’s security solution for containerised environments accelerates development and compliance workflows while safeguarding infrastructure against sophisticated cyberthreats.
Containerisation is the new standard for modern software development. Its ability to boost developer productivity, decrease infrastructure costs and accelerate time-to-market has driven corporate adoption rates to 98% today. However, the operational speed and efficiency gained with this technology can be severely hindered by the rising volume and complexity of cyberattacks, alongside strict regulatory compliance demands. The latest update to Kaspersky Container Security (KCS) has been designed to help businesses address emerging challenges while maintaining the core advantages of container development.
KCS is a specialised, all-in-one solution that protects every stage of a containerised application’s lifecycle and is available for both on-premise installations and isolated networks. The new release makes it even more convenient and tailored to developers’ needs.
Custom security benchmarks, Dynamic Admission Controller (DAC) and assurance policies
Companies often rely on internal benchmarks and custom security regulations, frequently trusting their proprietary rules over built-in product defaults. Addressing this need, KCS now allows the creation of custom policies for image assurance, dynamic admission control (DAC) and security benchmarking.
Enabling users to implement unique, organisation-specific policies alongside out-of-the-box defaults reduces the workload on security teams, accelerates infrastructure integration and strengthens their overall security posture. Additionally, the ability to build custom security benchmark checks allows organisations to adapt faster to local compliance shifts or newly introduced regulatory requirements.
An import/export of system configuration
Users can now export the complete system configuration (including policies, agent groups, profiles and other settings) for backups or replication across other product instances. The exported file can be generated either as an encrypted package or in an open format for manual editing prior to import. The new import/export capability is especially valuable for large enterprises with complex, multi-site environments. If a subsidiary operates its own dedicated IT infrastructure independent of the parent company, a configuration file can be exported from the central office and imported locally by the subsidiary. This feature streamlines backup routines while simplifying the transfer of settings and policies across large-scale deployments for security specialists.
Expanded monitoring and advanced protection
Security agents are now supported on master nodes, enabling advanced control plane audits. This capability detects vulnerable configurations and potential compromises at the cluster’s critical orchestration layer, ensuring centralised security control of the entire infrastructure via the unified management console.
To mitigate supply chain risks, the new release introduces dedicated rules for detecting GitHub Actions misconfigurations. Such misconfigurations, including unsafe workflow triggers, improper handling of untrusted input data and insecure versioning policies, can allow attackers to hijack automated workflows, inject malicious code into production builds or compromise infrastructure keys. Security teams can detect and mitigate these risks during GitHub repository scanning, whether by embedding the KCS scanner into CI/CD workflows or operating it in standalone mode.
Additional enhancements introduced in the new KCS version include:
- 5x node-agent performance optimisation. The new implementation enables the processing of hundreds of rules with zero impact on the pod’s CPU and memory consumption.
- 10x DAC speed optimisation. An optional scan result caching feature has been added to the kube-agent side. This eliminates additional queries to the product core and accelerates DAC request.
- Access control for CI scan results. Users can now configure access to CI scan results in alignment with their organisation’s project visibility and isolation logic.
- Viewing SBOM in image analysis details. Scanned container images can now be exported as SBOM (Software Bill of Materials). It simplifies integration with vulnerability management tools and registries, ensuring full software supply chain traceability.
- Dynamic agent updates without redeployment. Instant group configuration changes eliminate node-agent pod redeploys and downtime, simplifying large-scale management. This enables real-time resource optimisation during peak loads, mitigating production disruption risks.
“We believe that container security must be as flexible and fast as containerization itself. The new capabilities in Kaspersky Container Security are built to match the needs of modern DevOps. For instance, the new GitHub Actions scanning feature catches vulnerabilities directly within the configuration code, allowing teams to identify and fix errors as early as possible, when it is most cost-effective and prevents missed deadlines”, comments Anton Rusakov-Rudenko, Senior Product Marketing Manager, Cloud & Network Security at Kaspersky. “This release helps to effectively bridge the gap between rapid deployment and strict compliance, protecting infrastructure against the latest cyberthreats, without operational overhead”.
For further information on Kaspersky Container Security, please follow the link.
Image Credit: Kaspersky
Source: Tahawul Tech