State of Kubernetes Security Report

in DevOps, Kubernetes, DevSecOps


Adopting containers and Kubernetes in production increases security threats, mostly from human error, and vulnerabilities of all sorts undermine the confidence organisations have in their production environment. This annual report, originally produced by StackRox (since acquired by Red Hat), explores the Kubernetes and container market, focusing on security as the leading challenge faced with these technologies.


    The report questions Kubernetes and cloud native professionals to assess the rate of adoption of the technologies and the security challenges accompanied by them.

    This year's edition presents survey results from over 500 respondents, with the majority of them being product development, engineering, and operations personnel.

    25% of the respondents work in companies in the 1-100 size bracket, while 24% and 21% work in companies of size 101-1000 and 10,000+ respectively, with a preponderance (54%) of the companies in the Education industry.

    For the 2021 edition, this is a compendium of the important findings from the respondents.

    Security concerns strongly inhibit fast deployment

    Image courtesy: https://security.stackrox.com/rs/219-UEH-533/images/State_of_Container_and_Kubernetes_Report.pdf

    The last State of Kubernetes Security report was released during winter last year. Since then, nothing seems to have changed in organizations' confidence in the security of containers, Kubernetes, and cloud native technologies in production. If anything, more organizations are losing faith in the safety of their containers.

    Compared to 44% in the previous year, 55% of the survey respondents say they have delayed or slowed down the deployment of an application into production because of a security issue.

    Containerization, Kubernetes, and various other cloud native technologies promise agility and speed in developing and deploying applications. But, the increase in the number of respondents that have delayed deployment of applications into production due to security issues shows that many of these organizations are not genuinely harnessing the most authentic benefit of containers—faster application delivery.

    Almost every respondent experienced a security issue in their Kubernetes environment in the last 12 months

    Consistent with the previous finding that the majority has delayed production because of security, and matching the previous year's figure exactly, 94% of the respondents said they had experienced at least one security issue related to their containers or Kubernetes in the past 12 months.

    Image courtesy: https://security.stackrox.com/rs/219-UEH-533/images/State_of_Container_and_Kubernetes_Report.pdf

    Among the major known causes of these security issues are failed audits (20%), major vulnerabilities (31%), and security incidents during runtime (32%), with misconfiguration the leading cause at 59%.

    Kubernetes and containers are complex technologies, and configuration requirements differ from one workload to another.

    Given that complexity, it can be challenging to get each workload's required security configuration right.

    Even though the figure has fallen compared to the previous year (69%), the dominance of human error among the causes of security incidents shows that professionals need to work harder on properly configuring their Kubernetes environments to reduce security breaches.

    Security is a major concern for companies using containers

    When it comes to containers, security and compliance threats remain the biggest fear of companies embracing the technology. This, however, does not come as a surprise since nearly all respondents (94%) have experienced a security compromise in recent months.

    Respondents cited inadequate investment in container security as the leading concern about their company's container strategy.

    Image courtesy: https://security.stackrox.com/rs/219-UEH-533/images/State_of_Container_and_Kubernetes_Report.pdf

    16% state that their company does not take threats to container security seriously, while another 14% say it does not account for compliance needs.

    These top-stated causes may be responsible for the whopping percentage of security threats. Companies need to pay more attention and invest more in security, even though this has improved since last year (37%), in order to enjoy the speed to market that containerization offers.

    The majority of organizations have a container security strategy in place

    Image courtesy: https://security.stackrox.com/rs/219-UEH-533/images/State_of_Container_and_Kubernetes_Report.pdf

    A combined 67% of the survey respondents report having a container security strategy in place: 30% have a basic security strategy, while 26% and 11% have an intermediate and an advanced container security strategy, respectively.

    26% of the respondents are in the planning stage of their container security strategy, while only 7% have none at all.

    Even though there is a slight decrease in the individual figures for intermediate (25%) and advanced (30%) security strategies compared to last year, the data is still positive. Organizations nonetheless need to invest more in putting a container security strategy in place.

    DevOps is held most responsible for Kubernetes security

    The Ops, DevOps, and DevSecOps roles are considered the most responsible for Kubernetes security, with DevOps leading the pack with 27% and Ops and DevSecOps trailing with 21% and 18%, respectively.

    Image courtesy: https://security.stackrox.com/rs/219-UEH-533/images/State_of_Container_and_Kubernetes_Report.pdf

    A smaller share of the respondents consider Security roles and Developers responsible for cloud native security.

    Given that DevOps teams run Kubernetes, containers, and the other cloud native technologies, this bias is understandable.

    However, security should be a collective effort. More organizations need to engage the Security teams and developers in securing their cloud-native tech stack.

    74% of organizations have a DevSecOps initiative

    Image courtesy: https://security.stackrox.com/rs/219-UEH-533/images/State_of_Container_and_Kubernetes_Report.pdf

    49% of the survey respondents confirm that the DevOps and security teams in their organizations collaborate. In comparison, 25% say the collaboration is at an advanced level, with security integrated and automated at various stages of development.

    With just 26% of the respondents saying the DevOps and Security teams in their organizations work separately, this is a positive sign for DevSecOps practice. It lets security be inclusive of all parties involved in cloud native operations.

    With attacks and vulnerabilities trailing, misconfiguration remains the top security threat for organizations

    As the leading cause of Kubernetes security incidents, misconfiguration remains the most prominent security concern for organizations.

    Image courtesy: https://security.stackrox.com/rs/219-UEH-533/images/State_of_Container_and_Kubernetes_Report.pdf

    47% of respondents say they worry most about misconfiguration of their Kubernetes environment, while 31% worry most about vulnerabilities and just 21% worry most about attacks and compliance.

    The greater fear of misconfiguration, together with its dominant role in security incidents, points to a pressing need to address the issue with automated configuration tools and with more skilled professionals and security experts who can jointly settle on the right configurations for their various workloads.

    Organizations continue to be afraid of the runtime phase of their container lifecycle

    Image courtesy: https://security.stackrox.com/rs/219-UEH-533/images/State_of_Container_and_Kubernetes_Report.pdf

    Nearly half (49%) of the survey respondents say their organization worries most about the runtime phase of the container lifecycle because of the security threats containers are exposed to in that phase. This marks a decline in confidence from the previous year, when worry about runtime stood at 43%.

    Given the data on misconfiguration, it is likely that misconfiguration contributes to the worry about containers at runtime. Actively addressing misconfiguration and other security issues will build confidence in container security at runtime.

    Cloud-only deployment strategies decline; hybrid grows; Red Hat leads hybrid/multi-cloud

    Combined deployment on single-cloud-only and multi-cloud-only fell from the previous year's 40% to 28%, while hybrid (on-prem plus one or more clouds) grew slightly from 46% last year to 47%.

    Image courtesy: https://security.stackrox.com/rs/219-UEH-533/images/State_of_Container_and_Kubernetes_Report.pdf

    Meanwhile, 26% of respondents say their organizations deploy their cloud native workloads to production on-premises only.

    Red Hat is the leading solution respondents use for deploying hybrid and multi-cloud containerized applications, with AWS Outposts trailing by a close margin at 32%. Microsoft Azure Arc claims 25% of the hybrid/multi-cloud deployment market, Google Anthos follows closely at 24%, and VMware and Oracle lag behind with 13% and 4%, respectively.

    Docker, Kubernetes maintain dominance as runtime container and orchestration platforms; Amazon EKS increases its authority

    Image courtesy: https://security.stackrox.com/rs/219-UEH-533/images/State_of_Container_and_Kubernetes_Report.pdf

    Docker slips slightly to 85% as the dominant container runtime platform, compared to 89% in the previous year.

    Kubernetes usage as an orchestration platform stands at 88%, a slight increase from 86% in the previous year's report.

    Image courtesy: https://security.stackrox.com/rs/219-UEH-533/images/State_of_Container_and_Kubernetes_Report.pdf

    AWS's managed Kubernetes service, Amazon EKS, extends its dominance to slightly more than half of the Kubernetes market at 51%, up 24% from its share in the previous year's report.

    editorial
    The Chief I/O

    The team behind this website. We help IT leaders, decision-makers and IT professionals understand topics like Distributed Computing, AIOps & Cloud Native
