Securing containers and Kubernetes environments is a matter of grave concern for organizations that invested in cloud-native applications. These concerns have shaken the confidence of developer communities and organizations advocating the use of Kubernetes in production. Many organizations are already delaying production deployments of their applications to give app sec teams more time to test the waters.
The principles of DevOps and Cloud-native development dictate shorter release cycles and faster deployments. These security threats hinder these organizations’ ability to realize the full potential of Kubernetes for business growth and innovations.
And these concerns didn’t originate as a result of a mass-hysteria inside DevOps circuits.
The third edition of The State of Container and Kubernetes Security report was published during winter 2020, but it’s still an insightful source if you are interested about security especially related to containers and K8s.
The report suggests 94% of organizations have encountered a security incident in their Kubernetes environment in the past twelve months. StackRox surveyed 540 IT professionals from organizations of various sizes for the report. The majority of respondents include development and operations personnel.
The report presents some new and interesting findings on how organizations are perceiving Kubernetes amidst the hype and rising adoption and owing to a number of security concerns.
Let’s discuss some of its most significant takeaways.
The report indicates that almost half of the organizations have delayed application deployments because of security concerns. 34% of respondents admitted to immense benefits Kubernetes brings with faster application development and release. Yet 44% have acknowledged that they have delayed or slowed down application deployment into production due to Kubernetes security concerns. Kubernetes might enable far greater inherent security than preceding technologies, and yet only a handful of organizations could configure it in the most secure manner.
Only 8% of the respondents believe Kubernetes improved security for them. The advances Kubernetes brings to application development and deployment are left in vain when organizations are apprehensive about moving their K8s clusters to production environments.
94% of respondents experiencing a security incident in the past twelve months in their Kubernetes environment is critical for business.
Organizations expect Kubernetes to drive enterprise IT innovation and digital transformation. From faster development and deployment to quicker bug fixes and patches, organizations had a huge expectation when they made a move to Kubernetes (not to mention the cost of migration). Unable to realize the full potential of Kubernetes (and DevOps and cloud-native for that matter) owing to delays, they are putting their revenue growth and business interests in jeopardy.
You were right, despite hindering their business interest and suspected business growth, organizations’ security interests are leaving too much to desire. 14% of respondents agree that their organizations aren’t taking security threats seriously. A lot of this can be attributed to their investment in security strategies and tooling.
37% of respondents believe that they are not adequately investing in security measures, putting the security of their critical applications at risk and subduing the benefits Kubernetes brings.
However, the maturation of container strategy is already reflecting in the survey; there is a 35% drop in people saying their strategy isn’t detailed enough.
The same company, StackRox, conducts a new survey on the state of Kubernetes and container security every six months. In the last six months, the survey finds organizations have made enormous progress with their Kubernetes security strategies. 48% of respondents believe they are already in an intermediate or advanced Kubernetes strategy vs. only 41% six months ago, registering a growth of 17%.
A majority of organizations are already pinpointing their shortcoming to a lack of Kubernetes strategy. No. doubt, most organizations have moved from a “no strategy” to at least some form of strategy. The survey indicates these strategies will only mature with time. Only 6% of respondents admitted to a lack of security strategy at their organization. Only six months ago, 19% of them were clueless about the security strategy at a place in their organization, a 68% fall.
The report believes while maturing security strategies is a good sign, it must not hinder organizations’ efforts to raise their investment in Kubernetes security.
Misconfigurations are such a persistent security issue with Kubernetes that 58% of respondents experienced it. Misconfigurations may look like an innocent victim on its own, but together with a vulnerability, it may cause havoc for your security team trying to contain the attack.
The report raises the alarm: 18% of respondents experienced both a misconfiguration and at least one more security incident during the last 12 months.
While they could contain security threats from attacks and vulnerabilities, misconfigurations are hard to get by. 61% of respondents encountered a security incidence owing to misconfiguration, while only 54% encountered them a year ago.
Runtime is the container life cycle phase that concerns the organizations the most. While worries about the build and deployment stage have fallen over the past two surveys, the runtime stage is only growing to be more of a worry, moving from 43% to 56% within six months.
This is how the report responds to concern and confusion regarding runtime.
“This finding is perplexing at first glance, given that an overwhelming majority of respondents identify misconfigurations as the source of the biggest security risk and have experienced a misconfiguration incident more often than other types. However, the data makes more sense when you consider that issues during runtime feel like they’re less under your control and that other security missteps, such as a misconfiguration, will lead to a security problem only during runtime, not build or deploy.”
The report suggests more applications are running containerized in production than ever. Organizations running half or more of their applications containerized in production jumped from 22% to 29% in the last six months, growing at 32%.
Industry chatter around adopting a multi-cloud approach doesn’t seem to be reflecting in numbers, though. Despite growing, multi-cloud deployments are still behind single-cloud deployments by a sizable margin: 51% of respondents run their containers in a single cloud against 35% who run them in multiple public clouds.
“With hybrid models continuing to be the dominant approach, organizations need security that runs the same way – a Kubernetes-native container security platform delivers environment-agnostic control.”
At a time when adoption of Kubernetes is on the rise in production, the prevailing security threats originating from all sorts of vulnerabilities, attacks, and misconfigurations are sending organizations in a spiral of uncertainties. Organizations are resorting to all sorts of measures to subdue the risks. Some are delaying application roll-outs before the prevailing threats are detected and remedied. Having moved to Kubernetes, employing DevOps principles and running cloud-native applications, these delays threaten their business interest and take away their competitive advantage. This is all coming at a time when Kubernetes is suffering from a skills gap owing to a skills shortage, and a steep learning curve and multi-cloud deployments are running out of favor.
The report tells you how catching-up, you have to play while applying security controls across containers and Kubernetes because delaying security means delaying revenue and your business at risk.