Sold. Out. For the first time ever, KubeCon Europe 2023 was sold out (in a venue that can hold about 10,000 people!), and the excitement there was contagious. As a repeat attendee, I couldn’t believe how much the conference has grown since I first started attending. I really noticed it last year at Valencia, the first return to a live conference since the pandemic, when there were more attendees than ever before. And this year blew those numbers out of the water. It struck me particularly because Amsterdam, where the conference was hosted, was supposed to be the host city for KubeCon 2020, which went fully virtual instead due to the pandemic. Now that we’ve officially returned to live conferences, I see it as a bit of a comeback story, where we finally got to have the huge, exciting KubeCon we’d planned on for that year.
More than that, I think the growth of KubeCon has shown the increased prevalence of cloud-native technology like Kubernetes across the globe. The Cloud Native Computing Foundation (CNCF), which helps host KubeCon, found in their 2022 Annual Survey that 44% of respondents were using containers for most or all production applications and business segments throughout their organization. Containerization and cloud-native technology have become the new normal, and that shows with the number of attendees at this year’s conference.
Identity Security Arrives in a Big Way
But what really struck me, as someone working in the DevSecOps space, was the growth of security, and identity as a critical factor, within the conference. When I first attended KubeCon, there were maybe one or two sessions on security, with the majority of the sessions instead focused on development-related topics. This year, security had its own track – “Security + Identity” – with a number of well-attended sessions. In fact, the co-located security-focused event that typically takes place before KubeCon actually had to split off from the conference and become a separate event as it had grown so large (over 1,000 people attended CloudNativeSecurityCon in Seattle earlier this year).
It’s really cool for me to see that security – particularly Identity Security – mature as a key topic of discussion for cloud-native developers. In years past, developers typically didn’t take much of an interest in security, and security teams often had a hard time getting involved in development workflows. But with the rise of DevSecOps (78% of respondents in the Red Hat 2022 State of Kubernetes Security report said they had a DevSecOps initiative in either beginning or advanced stages), all that has changed. Security has shifted left to become more embedded earlier on in the development lifecycle, and developers are taking an interest in how to build security into their code. And more and more, that security starts with identity, particularly as non-human identities become more prevalent in organizations.
We were honored to be invited to give a lightning talk at the Red Hat booth during KubeCon. Arron Thundercliffe and I spoke about identity security for Kubernetes and secrets management, and it was great to see the interest from the people who stopped by the booth.
Speaking of Identity Security, let’s take a look at some of my favorite sessions from that track and some key lessons I learned.
It was again unusual to see not one (or zero) but two sessions specifically dedicated to secrets management. These sessions covered important secrets management best practices such as creating a secure lifecycle for storing, sharing and consuming secrets within Kubernetes, as well as integrating secrets securely and seamlessly into code. The lines between security and developers have often blurred when it comes to secrets management – who owns the management of the secret? – and it was great to see that topic get some extra attention at KubeCon.
Zero Trust, Least Privilege and Role-based Access Controls
There are three topics I wouldn’t have expected to see at KubeCon five years ago. They’re all terms that are well known in the security community, and the fact that there are multiple sessions dedicated to them just shows the growing collaboration between developers, security and operations in our digital-first world. Security teams want to understand developers and ensure they have a good experience, and developers want to learn more about security when previously they may have shied away from the topic. By ensuring they’re following principles such as Zero Trust, least privilege and role-based access controls, developers can play a key role building applications securely.
Software Supply Chain Security
Speaking of building applications securely, there were also several sessions dedicated to software supply chain security. It’s obviously been a hot topic given the large breaches that have occurred in recent years – think CircleCI, Uber and, of course, SolarWinds. It goes to show how identities (and the need to secure them) have started to become integrated into the very fabric of code. We’ve come a long way from preaching the benefits of shifting security left – now developers are building in Identity Security into their code from the very beginning.
Developers have become an important link in the chain when it comes to protecting the software supply chain, as they have a role in selecting the components used to build software. You see this new shift in thinking with the focus on SBOMs in several of the sessions. A SBOM, or software bill of materials, is, according to CISA, “a nested inventory, a list of ingredients that make up software components.” This tool helps DevSecOps teams gain visibility into all the components of their applications and also verify them. Code libraries used will be signed off on as “trusted,” which can help prevent problems down the road such as malicious code injections that can compromise the entire CI/CD pipeline.
Identity Security Is Here to Stay for Developers
The shift in focus and greater attention paid to Identity Security at KubeCon Europe 2023 has been coming for a long time, but it was great to experience the excitement of developers for cybersecurity topics in person. As we see non-human identities start to take on more roles that humans used to own (think about AI-powered tools helping write code), Identity Security will only become more critical for developers to familiarize themselves with so they can ensure their building blocks of code are secure across their pipelines. Many of the tried-and-true principles that security teams have operated under – Zero Trust, least privilege, RBAC – still apply, just to a new audience with new needs and skill sets. I’m looking forward to seeing the evolution of Identity Security from a developer’s point of view at KubeCon 2024.
If you’re interested in learning more about how CyberArk can help you secure your Kubernetes environments, check out our interactive tutorial on securing secrets in Kubernetes.
John Walsh has served the realm as a lord security developer, product manager and open source community manager for more than 15 years, working on cybersecurity products such as Conjur, LDAP, Firewall, JAVA Cyptography, SSH, and PrivX. He has a wife, two kids, and a small patch of land in the greater Boston area, which makes him ineligible to take the black and join the Knight’s Watch, but he’s still an experienced cybersecurity professional and developer.