News Feed

Amazon Nova Reel 1.1: Featuring up to 2-minutes multi-shot videos

~ Reporter ~ Leave a comment

At re:Invent 2024, we announced Amazon Nova models, a new generation of foundation models (FMs), including Amazon Nova Reel, a video generation model that creates short videos from text descriptions and optional reference images (together, the “prompt”).

Today, we introduce Amazon Nova Reel 1.1, which provides quality and latency improvements in 6-second single-shot video generation, compared to Amazon Nova Reel 1.0. This update lets you generate multi-shot videos up to 2-minutes in length with consistent style across shots. You can either provide a single prompt for up to a 2-minute video composed of 6-second shots, or design each shot individually with custom prompts. This gives you new ways to create video content through Amazon Bedrock.

Amazon Nova Reel enhances creative productivity, while helping to reduce the time and cost of video production using generative AI. You can use Amazon Nova Reel to create compelling videos for your marketing campaigns, product designs, and social media content with increased efficiency and creative control. For example, in advertising campaigns, you can produce high-quality video commercials with consistent visuals and timing using natural language.

To get started with Amazon Nova Reel 1.1 
If you’re new to using Amazon Nova Reel models, go to the Amazon Bedrock console, choose Model access in the navigation panel and request access to the Amazon Nova Reel model. When you get access to Amazon Nova Reel, it applies both to 1.0 and 1.1.

After gaining access, you can try Amazon Nova Reel 1.1 directly from the Amazon Bedrock console, AWS SDK, or AWS Command Line Interface (AWS CLI).

To test the Amazon Nova Reel 1.1 model in the console, choose Image/Video under Playgrounds in the left menu pane. Then choose Nova Reel 1.1 as the model and input your prompt to generate video.

Amazon Nova Reel 1.1 offers two modes:

  • Multishot Automated – In this mode, Amazon Nova Reel 1.1 accepts a single prompt of up to 4,000 characters and produces a multi-shot video that reflects that prompt. This mode doesn’t accept an input image.
  • Multishot Manual – For those who desire more direct control over a video’s shot composition, with manual mode (also referred to as storyboard mode), you can specify a unique prompt for each individual shot. This mode does accept an optional starting image for each shot. Images must have a resolution of 1280×720. You can provide images in base64 format or from an Amazon Simple Storage Service (Amazon S3) location.

For this demo, I use the AWS SDK for Python (Boto3) to invoke the model using the Amazon Bedrock API and StartAsyncInvoke operation to start an asynchronous invocation and generate the video. I used GetAsyncInvoke to check on the progress of a video generation job.

This Python script creates a 120-second video using MULTI_SHOT_AUTOMATED mode as TaskType parameter from this text prompt, created by Nitin Eusebius.

import random
import time

import boto3

AWS_REGION = "us-east-1"
MODEL_ID = "amazon.nova-reel-v1:1"
SLEEP_SECONDS = 15  # Interval at which to check video gen progress
S3_DESTINATION_BUCKET = "s3://<your bucket here>"

video_prompt_automated = "Norwegian fjord with still water reflecting mountains in perfect symmetry. Uninhabited wilderness of Giant sequoia forest with sunlight filtering between massive trunks. Sahara desert sand dunes with perfect ripple patterns. Alpine lake with crystal clear water and mountain reflection. Ancient redwood tree with detailed bark texture. Arctic ice cave with blue ice walls and ceiling. Bioluminescent plankton on beach shore at night. Bolivian salt flats with perfect sky reflection. Bamboo forest with tall stalks in filtered light. Cherry blossom grove against blue sky. Lavender field with purple rows to horizon. Autumn forest with red and gold leaves. Tropical coral reef with fish and colorful coral. Antelope Canyon with light beams through narrow passages. Banff lake with turquoise water and mountain backdrop. Joshua Tree desert at sunset with silhouetted trees. Iceland moss- covered lava field. Amazon lily pads with perfect symmetry. Hawaiian volcanic landscape with lava rock. New Zealand glowworm cave with blue ceiling lights. 8K nature photography, professional landscape lighting, no movement transitions, perfect exposure for each environment, natural color grading"

bedrock_runtime = boto3.client("bedrock-runtime", region_name=AWS_REGION)
model_input = {
    "taskType": "MULTI_SHOT_AUTOMATED",
    "multiShotAutomatedParams": {"text": video_prompt_automated},
    "videoGenerationConfig": {
        "durationSeconds": 120,  # Must be a multiple of 6 in range [12, 120]
        "fps": 24,
        "dimension": "1280x720",
        "seed": random.randint(0, 2147483648),
    },
}

invocation = bedrock_runtime.start_async_invoke(
    modelId=MODEL_ID,
    modelInput=model_input,
    outputDataConfig={"s3OutputDataConfig": {"s3Uri": S3_DESTINATION_BUCKET}},
)

invocation_arn = invocation["invocationArn"]
job_id = invocation_arn.split("/")[-1]
s3_location = f"{S3_DESTINATION_BUCKET}/{job_id}"
print(f"\nMonitoring job folder: {s3_location}")

while True:
    response = bedrock_runtime.get_async_invoke(invocationArn=invocation_arn)
    status = response["status"]
    print(f"Status: {status}")
    if status != "InProgress":
        break
    time.sleep(SLEEP_SECONDS)

if status == "Completed":
    print(f"\nVideo is ready at {s3_location}/output.mp4")
else:
    print(f"\nVideo generation status: {status}")

After the first invocation, the script periodically checks the status until the creation of the video has been completed. I pass a random seed to get a different result each time the code runs.

I run the script:

Status: InProgress
. . .
Status: Completed
Video is ready at s3://<your bucket here>/<job_id>/output.mp4

After a few minutes, the script is completed and prints the output Amazon S3 location. I download the output video using the AWS CLI:

aws s3 cp s3://<your bucket here>/<job_id>/output.mp4 output_automated.mp4

This is the video that this prompt generated:

In the case of MULTI_SHOT_MANUAL mode as TaskType parameter, with a prompt for multiples shots and a description for each shot, it is not necessary to add the variable durationSeconds.

Using the prompt for multiples shots, created by Sanju Sunny.

I run Python script:

import random
import time

import boto3


def image_to_base64(image_path: str):
    """
    Helper function which converts an image file to a base64 encoded string.
    """
    import base64

    with open(image_path, "rb") as image_file:
        encoded_string = base64.b64encode(image_file.read())
        return encoded_string.decode("utf-8")


AWS_REGION = "us-east-1"
MODEL_ID = "amazon.nova-reel-v1:1"
SLEEP_SECONDS = 15  # Interval at which to check video gen progress
S3_DESTINATION_BUCKET = "s3://<your bucket here>"

video_shot_prompts = [
    # Example of using an S3 image in a shot.
    {
        "text": "Epic aerial rise revealing the landscape, dramatic documentary style with dark atmospheric mood",
        "image": {
            "format": "png",
            "source": {
                "s3Location": {"uri": "s3://<your bucket here>/images/arctic_1.png"}
            },
        },
    },
    # Example of using a locally saved image in a shot
    {
        "text": "Sweeping drone shot across surface, cracks forming in ice, morning sunlight casting long shadows, documentary style",
        "image": {
            "format": "png",
            "source": {"bytes": image_to_base64("arctic_2.png")},
        },
    },
    {
        "text": "Epic aerial shot slowly soaring forward over the glacier's surface, revealing vast ice formations, cinematic drone perspective",
        "image": {
            "format": "png",
            "source": {"bytes": image_to_base64("arctic_3.png")},
        },
    },
    {
        "text": "Aerial shot slowly descending from high above, revealing the lone penguin's journey through the stark ice landscape, artic smoke washes over the land, nature documentary styled",
        "image": {
            "format": "png",
            "source": {"bytes": image_to_base64("arctic_4.png")},
        },
    },
    {
        "text": "Colossal wide shot of half the glacier face catastrophically collapsing, enormous wall of ice breaking away and crashing into the ocean. Slow motion, camera dramatically pulling back to reveal the massive scale. Monumental waves erupting from impact.",
        "image": {
            "format": "png",
            "source": {"bytes": image_to_base64("arctic_5.png")},
        },
    },
    {
        "text": "Slow motion tracking shot moving parallel to the penguin, with snow and mist swirling dramatically in the foreground and background",
        "image": {
            "format": "png",
            "source": {"bytes": image_to_base64("arctic_6.png")},
        },
    },
    {
        "text": "High-altitude drone descent over pristine glacier, capturing violent fracture chasing the camera, crystalline patterns shattering in slow motion across mirror-like ice, camera smoothly aligning with surface.",
        "image": {
            "format": "png",
            "source": {"bytes": image_to_base64("arctic_7.png")},
        },
    },
    {
        "text": "Epic aerial drone shot slowly pulling back and rising higher, revealing the vast endless ocean surrounding the solitary penguin on the ice float, cinematic reveal",
        "image": {
            "format": "png",
            "source": {"bytes": image_to_base64("arctic_8.png")},
        },
    },
]

bedrock_runtime = boto3.client("bedrock-runtime", region_name=AWS_REGION)
model_input = {
    "taskType": "MULTI_SHOT_MANUAL",
    "multiShotManualParams": {"shots": video_shot_prompts},
    "videoGenerationConfig": {
        "fps": 24,
        "dimension": "1280x720",
        "seed": random.randint(0, 2147483648),
    },
}

invocation = bedrock_runtime.start_async_invoke(
    modelId=MODEL_ID,
    modelInput=model_input,
    outputDataConfig={"s3OutputDataConfig": {"s3Uri": S3_DESTINATION_BUCKET}},
)

invocation_arn = invocation["invocationArn"]
job_id = invocation_arn.split("/")[-1]
s3_location = f"{S3_DESTINATION_BUCKET}/{job_id}"
print(f"\nMonitoring job folder: {s3_location}")

while True:
    response = bedrock_runtime.get_async_invoke(invocationArn=invocation_arn)
    status = response["status"]
    print(f"Status: {status}")
    if status != "InProgress":
        break
    time.sleep(SLEEP_SECONDS)

if status == "Completed":
    print(f"\nVideo is ready at {s3_location}/output.mp4")
else:
    print(f"\nVideo generation status: {status}")

As in the previous demo, after a few minutes, I download the output using the AWS CLI:
aws s3 cp s3://<your bucket here>/<job_id>/output.mp4 output_manual.mp4

This is the video that this prompt generated:

More creative examples
When you use Amazon Nova Reel 1.1, you’ll discover a world of creative possibilities. Here are some sample prompts to help you begin:

Color Burst, created by Nitin Eusebius

prompt = "Explosion of colored powder against black background. Start with slow-motion closeup of single purple powder burst. Dolly out revealing multiple powder clouds in vibrant hues colliding mid-air. Track across spectrum of colors mixing: magenta, yellow, cyan, orange. Zoom in on particles illuminated by sunbeams. Arc shot capturing complete color field. 4K, festival celebration, high-contrast lighting"

Shape Shifting, created by Sanju Sunny

prompt = "A simple red triangle transforms through geometric shapes in a journey of self-discovery. Clean vector graphics against white background. The triangle slides across negative space, morphing smoothly into a circle. Pan left as it encounters a blue square, they perform a geometric dance of shapes. Tracking shot as shapes combine and separate in mathematical precision. Zoom out to reveal a pattern formed by their movements. Limited color palette of primary colors. Precise, mechanical movements with perfect geometric alignments. Transitions use simple wipes and geometric shape reveals. Flat design aesthetic with sharp edges and solid colors. Final scene shows all shapes combining into a complex mandala pattern."

All example videos have music added manually before uploading, by the AWS Video team.

Things to know
Creative control – You can use this enhanced control for lifestyle and ambient background videos in advertising, marketing, media, and entertainment projects. Customize specific elements such as camera motion and shot content, or animate existing images.

Modes considerations –  In automated mode, you can write prompts up to 4,000 characters. For manual mode, each shot accepts prompts up to 512 characters, and you can include up to 20 shots in a single video. Consider planning your shots in advance, similar to creating a traditional storyboard. Input images must match the 1280×720 resolution requirement. The service automatically delivers your completed videos to your specified S3 bucket.

Pricing and availability – Amazon Nova Reel 1.1 is available in Amazon Bedrock in the US East (N. Virginia) AWS Region. You can access the model through the Amazon Bedrock console, AWS SDK, or AWS CLI. As with all Amazon Bedrock services, pricing follows a pay-as-you-go model based on your usage. For more information, refer to Amazon Bedrock pricing.

Ready to start creating with Amazon Nova Reel? Visit the Amazon Nova Reel AWS AI Service Cards to learn more and dive into the Generating videos with Amazon Nova. Explore Python code examples in the Amazon Nova model cookbook repository, enhance your results using the Amazon Nova Reel prompting best practices, and discover video examples in the Amazon Nova Reel gallery—complete with the prompts and reference images that brought them to life.

The possibilities are endless, and we look forward to seeing what you create! Join our growing community of builders at community.aws, where you can create your BuilderID, share your video generation projects, and connect with fellow innovators.

Eli

How is the News Blog doing? Take this 1 minute survey!

(This survey is hosted by an external company. AWS handles your information as described in the AWS Privacy Notice. AWS will own the data gathered via this survey and will not share the information collected with survey respondents.)

from AWS News Blog https://ift.tt/XnqTzfH
via IFTTT

AWS Weekly Review: Amazon EKS, Amazon OpenSearch, Amazon API Gateway, and more (April 7, 2025)

~ Reporter ~ Leave a comment

AWS Summit season starts this week! These free events are now rolling out worldwide, bringing our cloud computing community together to connect, collaborate, and learn. Whether you prefer joining us online or in-person, these gatherings offer valuable opportunities to expand your AWS knowledge. I will be attending the Summit in Paris this week, the biggest cloud conference in France, and the London Summit at the end of the month. We will have a small podcast recording studio where I will interview French and British customers to produce new episodes for the AWS Developers Podcast and le podcast 🎙 AWS ☁ en 🇫🇷.

Register today!

But for now, let’s look at last week’s new announcements.

Last week’s launches
At KubeCon London, we introduced the EKS Community Add-Ons Catalog, making it simpler for Kubernetes users to enhance their Amazon EKS clusters with powerful open-source tools. This catalog streamlines the installation of essential add-ons like metrics-serverkube-state-metricsprometheus-node-exportercert-manager, and external-dns. By integrating these community-driven add-ons directly into the Amazon EKS console and AWS command line interface (AWS CLI), customers can reduce operational complexity and accelerate deployment while maintaining flexibility and security. This launch reflects AWS’s commitment to the Kubernetes community, providing seamless access to trusted open-source solutions without the overhead of manual installation and maintenance.

Amazon Q Developer now integrates with Amazon OpenSearch Service to enhance operational analytics by enabling natural language exploration and AI-assisted data visualization. This integration simplifies the process of querying and visualizing operational data, reducing the learning curve associated with traditional query languages and tools. During incident responses, Amazon Q Developer offers contextual summaries and insights directly within the alerts interface, facilitating quicker analysis and resolution. This advancement allows engineers to focus more on innovation by streamlining troubleshooting processes and improving monitoring infrastructure.

Amazon API Gateway now supports dual-stack (IPv4 and IPv6) endpoints across all endpoint types, custom domains, and management APIs in both commercial and AWS GovCloud (US) Regions. This enhancement allows REST, HTTP, and WebSocket APIs, as well as custom domains, to handle requests from both IPv4 and IPv6 clients, facilitating a smoother transition to IPv6 and addressing IPv4 address scarcity. Additionally, AWS continues its commitment to IPv6 adoption with recent updates, including AWS Identity and Access Management (IAM) introducing dual-stack public endpoints for seamless connections over IPv4 and IPv6 and AWS Resource Access Manager (RAM) enabling customers to manage resource shares using IPv6 addresses. Amazon Security Lake customers can also now use Internet Protocol version 6 (IPv6) addresses via new dual-stack endpoints to configure and manage the service. These advancements collectively ensure broader compatibility and future-proofing of network infrastructure.

Amazon SES has introduced support for email attachments in its v2 APIs, enabling users to include files like PDFs and images directly in their emails without manually constructing MIME messages. This enhancement simplifies the process of sending rich email content and reduces implementation complexity. Amazon Simple Email Service (Amazon SES) supports attachments in all AWS Regions where the service is available.

Amazon Neptune has updated its Service Level Agreement (SLA) to offer a 99.99% Monthly Uptime Percentage for Multi-AZ DB Instance, Multi-AZ DB Cluster, and Multi-AZ Graph configurations, up from the previous 99.9%. This enhancement demonstrates the commitment AWS has to providing highly available and reliable graph database services for mission-critical applications. The improved SLA is now available in all AWS Regions where Amazon Neptune is offered.

For a full list of AWS announcements, be sure to keep an eye on the What’s New at AWS page.

Other AWS events
Check your calendar and sign up for upcoming AWS events.

AWS GenAI Lofts are collaborative spaces and immersive experiences that showcase AWS expertise in cloud computing and AI. They provide startups and developers with hands-on access to AI products and services, exclusive sessions with industry leaders, and valuable networking opportunities with investors and peers. Find a GenAI Loft location near you and don’t forget to register.

Browse all upcoming AWS led in-person and virtual events here.

That’s all for this week. Check back next Monday for another Weekly Roundup!

— seb

This post is part of our Weekly Roundup series. Check back each week for a quick roundup of interesting news and announcements from AWS!

How is the News Blog doing? Take this 1 minute survey!

(This survey is hosted by an external company. AWS handles your information as described in the AWS Privacy Notice. AWS will own the data gathered via this survey and will not share the information collected with survey respondents.)

from AWS News Blog https://ift.tt/YcHwRTP
via IFTTT

⚡ Weekly Recap: VPN Exploits, Oracle’s Silent Breach, ClickFix Comeback and More

~ Reporter ~ Leave a comment

Today, every unpatched system, leaked password, and overlooked plugin is a doorway for attackers. Supply chains stretch deep into the code we trust, and malware hides not just in shady apps — but in job offers, hardware, and cloud services we rely on every day.
Hackers don’t need sophisticated exploits anymore. Sometimes, your credentials and a little social engineering are enough.
This week,

from The Hacker News https://ift.tt/uiReNYF
via IFTTT

Cybersecurity Concerns Arising in Generating Ghibli-Style Content

~ Reporter ~ Leave a comment

In recent years, the rise of AI-generated art and animation has sparked a revolution in how creative content is produced. Among the most notable examples is the trend of creating artworks inspired by Studio Ghibli’s iconic animation style. With its distinct aesthetic, emotional storytelling, and enchanting visuals, Ghibli’s art has inspired a global audience and is now being replicated by AI tools that can generate similar animations. However, this new wave of technology has raised important cybersecurity concerns that need to be addressed as the line between human creativity and artificial intelligence blurs.

The Rise of AI-Generated Art

AI-driven art tools, such as DALL·E, MidJourney, and other image generation platforms, have made it possible for anyone with a computer to create artwork in the style of famous artists or animation studios. One particular trend that has emerged is the fascination with Studio Ghibli’s signature art style — with its lush landscapes, imaginative creatures, and whimsical characters. Fans of Ghibli, as well as digital artists, have eagerly embraced the opportunity to use AI to generate their own Ghibli-inspired creations, often using keywords or prompts like “Ghibli-style landscapes” or “Studio Ghibli character design” to guide the AI’s output.

While these AI tools have opened up new avenues for artistic expression, they also raise significant cybersecurity concerns that cannot be overlooked.

Intellectual Property Issues

One of the primary concerns surrounding AI-generated Ghibli-style content is intellectual property (IP) infringement. Studio Ghibli has built its reputation over decades by creating original works, such as My Neighbor Totoro, Spirited Away, and Princess Mononoke. These films have become deeply embedded in global culture, and their unique art style is instantly recognizable.

When AI systems are used to generate artwork that mimics the Ghibli aesthetic, it raises the question of whether this constitutes a violation of copyright laws. AI can be trained on large datasets that include Ghibli-style imagery, but it’s still debated whether replicating this style is an infringement on the studio’s intellectual property. For instance, is a Ghibli-inspired work a derivative of an existing copyrighted creation, or does it stand as a new, independent piece of art?

As more content creators use AI to produce Ghibliesque works, the lines between homage, imitation, and infringement become increasingly blurry. Additionally, without proper regulation, these AI-generated artworks could be monetized without fair compensation to the creators who originally pioneered the style.

Data Privacy and Security Concerns

The use of AI tools for generating artwork also brings with it potential privacy and security risks. Many AI-driven platforms require users to input data — including personal information, preferences, and even prompts for the artwork they wish to create. This data is often processed through cloud-based systems, which could be vulnerable to cyberattacks.

If hackers gain access to these platforms, they could potentially exploit user data for malicious purposes. For instance, personal information could be used for identity theft or sold on the black market. Furthermore, as AI tools become more widely used, the data they generate could be misused, especially when it comes to content creation that mimics established works. Hackers could use AI-generated art to create counterfeit products or pirated content, which could flood the digital market with fake items, impacting legitimate artists and studios.

Moreover, there’s also the risk of AI systems themselves being compromised or manipulated. Cybercriminals could tamper with AI-generated content, creating fake artwork that might deceive audiences into believing it’s an official release from Ghibli. This could lead to the spread of misinformation and pose challenges to content authenticity and security in the creative industry.

Deepfake and Synthetic Media Threats

One of the more alarming cybersecurity concerns surrounding AI-generated Ghibli-style content is the potential for deepfakes and synthetic media. Deepfake technology has already been used to create hyper-realistic but fake videos, images, and audio, often for malicious purposes. As AI tools advance, it’s conceivable that similar techniques could be used to produce synthetic Ghibli-style animations that mislead audiences into thinking they are authentic Ghibli works.

For example, an AI could create a new, convincing Ghibli-style video that seems like a new release from the studio. If such videos were shared widely on social media, it could cause confusion among fans and even lead to the spread of fake news about future projects from the studio. In extreme cases, these AI-generated works could also be used to defraud viewers or advertisers by promoting fake content as legitimate.

As the technology continues to evolve, it will become increasingly difficult to differentiate between authentic Ghibli content and AI-generated imitations, leading to potential reputational damage for the studio and loss of trust in the creative industry as a whole.

The Need for Regulation and Ethical AI

To address these growing cybersecurity concerns, the implementation of regulations governing AI-generated art is crucial. Artists, creators, and companies like Studio Ghibli need to advocate for stronger copyright protections for digital works generated by AI, as well as better security practices to safeguard users’ data. AI companies themselves must also take responsibility by adopting ethical guidelines to ensure that their tools are not used for malicious or deceptive purposes.

On the ethical front, it’s important that AI-generated art does not replace the human element of creativity. While AI can be a powerful tool for assisting artists, it should not overshadow the originality and human touch that define true artistry. For creators looking to explore AI as a means of generating Ghibli-style content, it’s essential to acknowledge the balance between inspiration and imitation, ensuring that new works do not exploit or infringe upon the intellectual property of the original creators.

Conclusion

As AI technology continues to make strides in the world of art and animation, the generation of Ghibli-inspired content is an exciting frontier. However, it also brings to light critical cybersecurity concerns surrounding intellectual property, data privacy, and the authenticity of digital media. To preserve both the creative integrity of the industry and the security of users, it’s vital that clear ethical guidelines and robust regulations be put in place. In the end, AI should serve as a tool that complements human creativity, rather than replacing it, while ensuring that the digital landscape remains safe and secure for

 

The post Cybersecurity Concerns Arising in Generating Ghibli-Style Content first appeared on Cybersecurity Insiders.

The post Cybersecurity Concerns Arising in Generating Ghibli-Style Content appeared first on Cybersecurity Insiders.

from Cybersecurity Insiders https://ift.tt/wSJcsaq
via IFTTT

Securely Deploying and Running Multiple Tenants on Kubernetes

~ Reporter ~ Leave a comment

Kubernetes has become the backbone of modern cloud native applications, and as adoption grows, organizations increasingly seek to consolidate workloads and resources by running multiple tenants within the same Kubernetes infrastructure. These tenants could be internal teams, or departments within a company that share a Kubernetes cluster for development and production. Alternatively, they could be external clients, which are SaaS providers hosting customer workloads on shared infrastructure.

While multitenancy offers cost efficiency and centralized management, it also introduces security and operational challenges. The three considerations users must take into account include:

  • How do you ensure strong isolation between tenants?
  • How do you manage resources and prevent one tenant from affecting another?
  • How do you meet regulatory and compliance requirements?

To address these concerns, practitioners have three primary options for deploying multiple tenants securely on Kubernetes. Here, we will dive into the three options and outline the main considerations for each.

How to Deploy Multiple Tenants on Kubernetes

Namespace-Based Isolation with Network Policies, RBAC and Security Controls

Namespaces are Kubernetes’ built-in mechanism for logical isolation. This approach uses:

  • Namespaces: Logical boundaries for separating tenant workloads.
  • RBAC (Role-Based Access Control): Restricts tenant access to their namespace and resources.
  • Network policies: Controls ingress and egress traffic between pods and namespaces.
  • Resource quotas: Limits CPU, memory and other resources to prevent noisy neighbors.

Advantages include cost-effectiveness, as tenants share the cluster infrastructure. What’s more, this approach is simple to manage with centralized operations within a single cluster. Limitations include security risks if misconfigurations occur in RBAC or network policies.

Below is a deeper dive with additional considerations when it comes to the Namespace-Based Isolation approach.

  • Isolation Level: Logical isolation using namespaces, RBAC and network policies. Relies on proper configuration.
  • Security: Vulnerabilities in shared components (such as API server) or misconfigured policies can lead to breaches.
  • Resource Contention: All tenants share cluster resources like nodes and control planes, leading to potential resource contention.
  • Scalability: Adding new tenants requires creating a new namespace and applying policies within the existing cluster.
  • Cost: Shared cluster resources reduce infrastructure and operational costs.
  • Operational Complexity: Single cluster to manage, but requires careful configuration of namespaces, RBAC and network policies.
  • Performance Isolation: Tenants share control plane and node resources, potentially affecting performance during resource spikes.
  • Management Overhead: Centralized control over tenants within one cluster.

Cluster-Level Isolation

The cluster-level isolation approach assigns each tenant a dedicated Kubernetes cluster, ensuring complete physical or virtual isolation. Tools like Rancher, Google Anthos and AWS EKS simplify managing multiple clusters.

Advantages of this approach include strong isolation, as tenants do not share any cluster components. The levels of security are also high, with no risk of cross-tenant data leakage or resource contention. 

Limitations exist, however, such as high cost: each cluster incurs control plane and node costs. Additional limitations include operational complexity and scalability challenges. Managing, upgrading and monitoring multiple clusters is resource-intensive, and provisioning new clusters can delay tenant onboarding.

Here are more details and considerations with regard to the Cluster-Level Isolation approach.

  • Isolation Level: Physical or virtual isolation; no shared cluster components.
  • Security: High security, as one tenant’s vulnerabilities do not affect others.
  • Resource Contention: Dedicated resources for each tenant ensure no resource interference or contention.
  • Scalability: Adding new tenants requires provisioning and managing new clusters, making scalability limited.
  • Cost: Separate clusters increase infrastructure, operational and monitoring costs.
  • Operational Complexity: Managing multiple clusters adds significant operational overhead and requires specialized tools.
  • Performance Isolation: Performance is isolated due to dedicated clusters.
  • Management Overhead: Separate control planes and clusters increase management overhead.

Virtual Clusters

Virtual clusters provide tenant-specific control planes within a shared physical cluster. Each tenant gets their virtual Kubernetes environment while sharing the worker nodes and physical infrastructure.

Advantages include strong logical isolation, meaning that tenant workloads operate independently. This approach is also cost efficient, as shared worker nodes reduce infrastructure costs. Another advantage is scalability, as virtual clusters can be provisioned quickly–often in seconds.

Limitations include higher complexity due to infrastructure-level isolation compared to namespace-based isolation, and performance impact if worker nodes are over-committed.

The list below includes additional considerations with the Virtual Clusters approach.

Virtual Clusters

  • Isolation Level: Each tenant gets a virtual Kubernetes cluster running inside a shared physical cluster.
  • Security: Virtual clusters provide tenant-specific control planes, reducing risk of cross-tenant issues.
  • Resource Contention: Shared worker nodes but isolated control planes reduce contention for control-plane-related operations.
  • Scalability: New virtual clusters can be provisioned quickly within the existing physical cluster.
  • Cost: Shared infrastructure reduces costs compared to physical clusters but higher than namespace isolation.
  • Operational Complexity: Centralized management simplifies operations compared to physical clusters, but still involves managing virtual clusters.
  • Performance Isolation: Control planes are isolated; however, shared worker nodes affect performance.
  • Management Overhead: Simplified management compared to physical clusters but more overhead than namespaces.

What Are the Implications of Leaving Multitenancy Unaddressed?

Implementing a robust multitenancy strategy is critical. Failing to do so can lead to devastating consequences in terms of security, compliance, and operational inefficiencies. Specific issues include:

  • Security breaches: Misconfigurations in shared clusters can allow one tenant to access another’s workloads or data.
  • Resource contention: A single tenant can monopolize shared resources, degrading performance for others.
  • Non-compliance: Inadequate isolation can result in failure to meet regulatory requirements like HIPAA or PCI-DSS.
  • Operational inefficiency: Poorly designed multitenancy increases management overhead and risks cluster downtime.

Secure multitenancy in Kubernetes is essential for maintaining the security posture of Kubernetes clusters for compliance and security requirements. Multitenancy consolidates workloads and resources efficiently and saves money with centralized management, but introduces significant security and operational challenges that must be addressed through best practices such as namespace-based isolation or secure deployment of virtual clusters. 

Failing to properly secure multitenancy can lead to compliance violations and security gaps, making implementing robust security measures and isolation techniques paramount for maintaining a secure and efficient multitenant environment in Kubernetes.

# # # 

Author Bio

Ratan Tipirneni is President & CEO at Tigera, where he is responsible for defining strategy, leading execution, and scaling revenues. Ratan is an entrepreneurial executive with extensive experience incubating, building, and scaling software businesses from early stage to hundreds of millions of dollars in revenue. He is a proven leader with a track record of building world-class teams.

 

The post Securely Deploying and Running Multiple Tenants on Kubernetes first appeared on Cybersecurity Insiders.

The post Securely Deploying and Running Multiple Tenants on Kubernetes appeared first on Cybersecurity Insiders.

from Cybersecurity Insiders https://ift.tt/XCW13MQ
via IFTTT

Unlocking the Power of Hybrid and Multi-Cloud Environments

~ Reporter ~ Leave a comment

Cloud services have revolutionized the way businesses operate, delivering instant access to data, applications and resources at the touch of a mouse. Accessibility through a mix of public cloud services, SaaS applications, private clouds, and on-premises infrastructure has become the norm, helping companies to operate with greater agility, scale faster and reduce IT costs. It should come as no surprise, then, that 90% of organizations are predicted to adopt a hybrid cloud approach by 2027. 

As beneficial as hybrid and multi-cloud environments are, however, they present their own fair share of challenges—particularly when it comes to security, management, and cost control. 

Remote and hybrid workforces—made largely commonplace in the wake of the COVID-19 pandemic —have cast a light on the complexity of multi-cloud adoption, raising important questions about how best to navigate latent connectivity concerns, security and data privacy risks and cloud management strategy, among others. As businesses continue to make this shift, it’s critical to consider the unique nuances of a hybrid deployment and leverage infrastructure and resources that proactively address these challenges while simultaneously delivering the efficiencies and advantages that we’ve come to expect from multi-cloud environments. 

The Hidden Cybersecurity Threats in Hybrid Environments

Cyber threats thrive in complex, multi-cloud environments. With workloads spread across different platforms—each with its own security protocols—gaps are inevitable. In fact, 61% of organizations reported experiencing cloud security incidents in 2024. 

For organizations operating in flexible multi-cloud environments, one security flaw or oversight can quickly overshadow any agility benefits. Misconfigured cloud settings, insufficient encryption, and weak identity and access controls, for example, can introduce significant risks into a hybrid cloud ecosystem. Poorly managed permissions can expose sensitive data to unauthorized users, while unprotected data moving between clouds can become vulnerable if not safeguarded properly. Not to mention gaps in identity management systems, which can lead to account takeovers and data breaches.

Unfortunately, we see these scenarios too often. The dangers of an ill-secured cloud environment, as recently evidenced by a newsworthy ransomware attack, call attention to the need for standardized multi-cloud security protocols to ensure careful and consistent protection of corporate data, whether it sits in a public cloud, private data center, or cloud-based web application or is traversing the gateways of all three. 

Cloud security risks like these are particularly concerning for companies operating in highly regulated environments, where stringent compliance requirements, such as HIPAA (healthcare) and GLBA (banking), demand that organizations implement, review and maintain security controls and procedures to protect sensitive information. With over 80% of data breaches involving data stored in the cloud, the stakes are high. Organizations in these industries must be vigilant in managing their cloud environments to avoid significant compliance penalties as well as legal, financial and reputational consequences.

Balancing Cost Efficiency with Performance in Hybrid Cloud Environments

Although the emergence of the cloud initially led to a flurry of cost-savings as businesses transitioned from hefty on-premise infrastructure investments to predictable OpEx-driven budgets, the growing complexity of hybrid and multi-cloud environments has begun to re-introduce cost challenges. Managing multiple cloud providers and integrating various platforms can lead to unexpected expenses across cloud services, such as underutilized resources, data transfer fees, and disparate pricing models. In 2024 alone, 69% of IT professionals reported budget overruns within their organization’s cloud spending.

To effectively manage these costs, businesses need a solution that simplifies the complexity of connecting and managing diverse cloud environments. This singular approach, by way of a managed connectivity solution, can not only ensure better resource allocation but also reduce the overhead associated with managing multiple cloud and ISP providers. Implementing a centralized, flexible cloud connectivity solution can significantly streamline operations, optimize spending, and pave the way for more secure and scalable cloud architectures.

Optimizing Multi-Cloud Connectivity for Security and Scalability

Think of managed connectivity as the backbone of any secure and effective hybrid or multi-cloud environment. Operating as a private, scalable, and redundant multi-cloud connectivity solution, it acts as a “glue”, providing businesses with a centralized hub through which they can build secure, direct connections to public clouds, SaaS applications, data centers, and office sites. 

Consider these benefits: 

  • No need to rely on the slow, costly process of purchasing individual ISP lines to each cloud provider or site. Managed connectivity streamlines the process, enabling faster deployment and cutting down on latency.
  • No need to predict the specific capacity requirements for each cloud provider or location. Multi-cloud connectivity means one flexible connection dynamically scales as new cloud services are added, simplifying access and cutting down on unnecessary costs. 
  • No internal training or management needed. Managed connectivity solutions are operated by experienced IT service providers who not only handle initial deployment and connect you to the cloud services you need, but take on the responsibility of ISP vendor management, further easing your administrative burden of IT.

Enhancing Business Growth through Effective Cloud Connectivity

Hybrid and multi-cloud environments offer incredible benefits and will continue to do so as the future of digital transformation unfolds. But managing a complex cloud architecture effectively requires not only considering your business as it stands today, but future-proofing your environment in a meaningful way that that simplifies security, reduces complexity, and helps control costs without sacrificing performance. 

To ensure lasting success, businesses operating within hybrid or multi-cloud ecosystems should consider the value managed connectivity solutions can offer to enable more secure, scalable and manageable cloud operations. Relying on a trusted IT partner with the knowledge and expertise to design, implement, and manage a multi-cloud strategy will ultimately reduce headaches and allow businesses to concentrate on core operations and growth. 

About Mike Fuhrman

Mike Fuhrman is CEO of Omega Systems and has more than 30 years of operations, product development and leadership experience in the IT industry. He leverages his deep knowledge of business operations and his passion for technology to foster an environment that helps customers, employees and organizations thrive. Mike is a veteran of the U.S. Air Force and a graduate of The Citadel, where he is a current member of the executive advisory board for the School of Engineering.

 

 

The post Unlocking the Power of Hybrid and Multi-Cloud Environments first appeared on Cybersecurity Insiders.

The post Unlocking the Power of Hybrid and Multi-Cloud Environments appeared first on Cybersecurity Insiders.

from Cybersecurity Insiders https://ift.tt/0v2VwBb
via IFTTT

Edge computing: Unlocking opportunities while navigating cyber security risk

~ Reporter ~ Leave a comment

Global investment in edge computing is expected to rise to close to US$400bn by 2028, meaning this market will have almost doubled in just five years. For sectors where secure, reliable data processing is vital to critical decision-making harnessing the benefits while also managing the inherent risks will be essential, according to a report from Allianz Commercial.

Cloud computing has long been the foundation of modern IT infrastructures, offering businesses flexible, scalable solutions for data storage and processing. Over the past decade, the cloud has enabled organizations to outsource the maintenance and management of IT resources. But as businesses generate ever increasing volumes of data, largely driven by the growth of the Internet of Things (IoT), cloud infrastructures are struggling to keep pace.

Edge computing was developed as a solution to these challenges. By processing data at or near the source, it reduces latency, alleviates bandwidth constraints, and enhances data security. Edge computing is not a replacement for cloud computing; rather, it is a complementary solution that decentralizes some computing tasks. In this hybrid model, edge devices are responsible for preliminary data processing and analysis, while the cloud remains the primary location for long-term storage, advanced analytics, and larger-scale data aggregation.

Edge computing is set to be a game-changer in the world of data processing, offering significant benefits in terms of performance, efficiency, and real-time capabilities. The adoption of edge computing presents new opportunities for industries to enhance customer experiences, improve risk management, and offer more personalized products. However, the transition towards decentralized data processing also presents a range of new challenges, particularly in the context of cyber security.

Competitive advantages

For businesses in sectors such as manufacturing, healthcare, retail, and finance, the ability to process data locally provides a competitive advantage, according to the report.

In the manufacturing sector, edge computing facilitates real-time monitoring of production lines, enabling operators to respond rapidly to potential issues. This results in reduced downtime, increased efficiency and, ultimately, cost savings. The capacity to act on real-time data is of particular importance in industries where even a few seconds of delay can result in significant losses.

In the healthcare sector, edge computing is transforming the way patients are monitored in real-time and how diagnostics are conducted. The generation of data from wearable devices and smart medical equipment can be processed ‘at the edge’, providing healthcare providers with instant feedback and improving patient outcomes. With telemedicine, real-time processing of health metrics enables doctors to make prompt decisions, which is crucial in emergency situations.

Edge computing is also proving beneficial for retailers and financial institutions. In the retail sector, edge computing is facilitating the delivery of personalized customer experiences through the processing of data at the point of sale, enabling the provision of real-time product recommendations and dynamic pricing adjustments. In financial services, edge computing can improve fraud detection and speed up transaction processing, enhancing both security and customer satisfaction. Among the specific benefits for the insurance industry and its customers are faster claims processing, more accurate pricing, and enhanced customer engagement.

Navigating cyber security risks and liability challenges

Despite its advantages, edge computing introduces significant cyber security risks, the report also notes. Its decentralized nature increases the attack surface, potentially making devices more vulnerable to breaches, data theft, and disruptions. Meanwhile, liability determination in edge environments is particularly complex. Responsibility for breaches often spans device manufacturers, software providers, and users. 

Edge computing frequently involves processing data across multiple geographic regions, each with its own set of regulatory requirements. Meeting these diverse regulations, such as GDPR (General Data Protection Regulation) in Europe or HIPAA (Health Insurance Portability and Accountability Act) in the US, can be complex. Organizations must develop comprehensive data governance strategies to guarantee that data processed is protected in accordance with local laws.

Edge computing is unlocking unprecedented opportunities across industries, empowering organizations to process data closer to the source, drive real-time decision-making, and create more efficient, secure, and personalized experiences for customers, ultimately transforming the way businesses operate and innovate.

To learn more, download Allianz Commercial’s edge computing report here.

Rishi Baviskar is Global Head of Cyber Risk Consulting at global insurer Allianz Commercial, based in London.

Mehdi Meyer is a Cyber Risk Consultant at global insurer Allianz Commercial, based in Paris.

 

The post Edge computing: Unlocking opportunities while navigating cyber security risk first appeared on Cybersecurity Insiders.

The post Edge computing: Unlocking opportunities while navigating cyber security risk appeared first on Cybersecurity Insiders.

from Cybersecurity Insiders https://ift.tt/GoB0Pil
via IFTTT

The Hidden Crisis in Non-Human Identity: Why Your Security Strategy Needs an Overhaul

~ Reporter ~ Leave a comment

While organizations have spent years fortifying human identity security, a critical vulnerability has been growing in our digital infrastructure. For every human identity in today’s enterprise, there are now approximately 50 machine identities operating in the shadows. These non-human identities (NHIs) – from API keys to service accounts, from certificates to automation bots – have become a major security weakness that many organizations overlook.

The string of high-profile breaches, including incidents at Okta, Cloudflare, and the Internet Archive, all share a common thread: compromised machine identities. Yet many organizations continue to treat NHI security as an afterthought.

Industry research reveals the scope of this challenge: 46% of organizations know they have had non-human accounts or credentials compromised, with an additional 26% suspecting they might have experienced such compromises. Even more concerning, 66% of enterprises have experienced successful attacks resulting from compromised machine identities. These aren’t just isolated incidents – 25% of organizations have faced multiple such attacks.

The problem is threefold:

  • First, we’re dealing with an unprecedented scale. Cloud transformation and AI have created an explosion of machine-to-machine communications. Every containerized application, every microservice, and every automated workflow needs its own identity. As enterprises accelerate their AI adoption and deploy more Enterprise Agents, this proliferation of machine identities and secrets will only accelerate. These identities aren’t just growing linearly – they’re multiplying exponentially. And all these identities need to access each other on a regular basis for applications to run.
  • Second, traditional security tools weren’t built for this reality. While organizations have invested heavily in human IAM solutions, many lack the fundamental capabilities needed for NHI management: detection, lifecycle management, and granular access control. Current tools often fall short in securing modern infrastructure.
  • Third, and perhaps most critically, there’s a dangerous disconnect between security teams and DevOps. In the rush to accelerate development cycles, machine identities are often created ad-hoc, with default permissions that violate least-privilege principles. This creates significant security gaps across cloud environments.

The implications are clear. With 57% of NHI security incidents requiring board-level attention, this isn’t just a technical problem anymore – it’s a business-critical issue that demands immediate attention.

Three critical actions can help organizations address these challenges:

  1. Implement continuous discovery and inventory of machine identities. Comprehensive visibility is essential, including understanding relationships, permissions, and usage patterns across the environment.
  2. Adopt a unified approach to secrets management and machine identity security. Treating these as integrated rather than separate domains reduces complexity and improves visibility.
  3. Embrace “secretless” architectures and ephemeral credentials where possible. Modern security architectures provide Zero Standing Privileges (ZSP) with dynamic, short-lived credentials and also support emerging “secretless” frameworks like SPIFEE that limit potential compromise impact.

Machine identity Management has become the new security frontier. As AI and autonomous systems continue to evolve, the ratio of machine-to-human identities will only increase. Organizations that fail to adapt their security strategies accordingly face significant risks.

The data speaks for itself – secrets and machine identity security demands immediate attention. With boards already focused on this issue, security leaders must act now to protect their organizations’ future.

About: Oded Hareven is the CEO and Co-founder of Akeyless Security, the world’s first unified secrets and machine identity platform.

The post The Hidden Crisis in Non-Human Identity: Why Your Security Strategy Needs an Overhaul first appeared on Cybersecurity Insiders.

The post The Hidden Crisis in Non-Human Identity: Why Your Security Strategy Needs an Overhaul appeared first on Cybersecurity Insiders.

from Cybersecurity Insiders https://ift.tt/7NwQbxR
via IFTTT