Red Hat Blog

To help government agencies and regulated industries embrace cloud-native innovation at scale while enhancing their security posture, we are pleased to announce the publication of the Security Technical Implementation Guide (STIG) from the Defense Information Systems Agency (DISA) for Red Hat OpenShift 4. The guide is available for download at the Department of Defense (DoD) Cyber Exchange. As containers continue to grow in adoption, the number of vulnerabilities and regulatory concerns has increased exponentially. According to Red Hat’s 2023 State of Kubernetes Security Report, 67% of re

This post series presents various forms of attestation for various Confidential Computing use cases. Confidential Computing is a set of technologies designed to protect data in use, for example using memory encryption. Data at rest (on disk) and data in transit (over the network) can already be protected using existing technologies. Attestation, generally speaking, is the process of proving some properties of a system. Attestation plays a central role in asserting that confidential systems are indeed confidential. This series focuses on four primary use cases: Confidential virtual mach

This is the second in a series of three blog posts focusing on Critical National Infrastructure (CNI) cybersecurity. This blog looks at the problem space through the lens of "People and Processes." As mentioned in the previous blog post, CNI cybersecurity is not just a technical problem—technology and tools can be enablers to help reduce risk, but you should also identify the "people and processes" required to put good security practices in place. "If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology."

In today's rapidly evolving technology landscape, organizations increasingly embrace containerization to achieve greater scalability, portability, and efficiency in their application deployments. While containerization has its benefits, it also can present IT security challenges that must be addressed to improve the safety, confidentiality, and accessibility of containerized applications. As the use of cloud-native apps grows, improving the security posture of containers and Kubernetes becomes vital. In secure software supply chain practices, a comprehensive understanding of the open sourc

This is the first in a series of three blog posts focusing on United Kingdom Critical National Infrastructure (CNI) cybersecurity. Part 1 will focus on giving readers an overview of the problem space that CNI organizations face, Part 2 will explore the critical areas of People and Processes, and finally, Part 3 will concentrate on technology and identify where CNI organizations can reduce their risk through Red Hat technology, training, and services. All organizations across the globe are feeling the effects of increased cybersecurity attacks. Along with the growing number of attacks, the c

Our previous blog discussed the persistent volume challenges with peer-pods and how to resolve them. It also introduced using the CSI wrapper as a potential solution to the persistent volume usage challenges with peer-pods. This post dives deeper into the various components that make up the persistent volume solution in peer-pods. Interpreting the CSI plugins in peer-pods To use persistent volumes in peer-pods, intercept the CSI Plugins in the control plane (CSI Controller Plugin) and worker node (CSI Node Plugin) through the CSI Wrapper approach. With the CSI Wrapper injected into C

A lot of system administrators within the Department of Defense already use the Advanced Intrusion Detection Environment (AIDE). This is mainly because of a Security Technical Implementation Guide (STIG) that states that a file integrity checker must be configured to verify extended file attributes. There are a lot of features to AIDE, and the combination of using AIDE with Red Hat Ansible Automation Platform gives you the ability to automate important corrections to your system configuration. Telling AIDE what to check AIDE can be configured to check multiple file and folder attributes.

Peer-pods, also known as the Kata remote hypervisor, enable the creation of Kata Virtual Machines (VM) on any environment, be it on-prem or in the cloud, without requiring bare metal servers or nested virtualization support. This is accomplished by extending Kata containers runtime to manage the VM lifecycle using cloud provider APIs (e.g., AWS, Azure) or third-party hypervisor APIs (such as VMware vSphere). Since peer-pods are separate VMs alongside the Kubernetes node, traditional Container Storage Interface (CSI) cannot function properly within them, and different solutions are required.

Red Hat Ansible Automation Platform is a platform for implementing enterprise-wide automation, which makes it an ideal tool for your security audits. Security has many layers, but this article focuses on mitigating SSH attacks on managed hosts. While you can't eliminate all security risks, you can harden managed hosts to minimize some of them (especially brute force attacks), and mitigate others (by allowing SSH connections only from authorized hosts, enforcing sudo, and so on). This article uses Ansible Automation Platform, but most of the hardening configuration is applied to the managed hos

Edge computing has grown from being a niche use case in a handful of industries to offering a major opportunity for enterprises across industries to spread compute power around the world (or universe, as in the case of workloads in space). Edge computing slashes latency times by processing data where the data is being collected, or when it might otherwise be impossible to process because a workload or piece of hardware is disconnected from the network. But when you consider any advanced technology, the question of security and data protection is always top of mind. This is especially true f