Enterprises are having significant problems with security when it comes to Kubernetes and container deployments, according to a new survey from security company StackRox.
In the winter 2020 edition of its State of Container and Kubernetes Security Report, StackRox researchers found that 94% of respondents experienced a security incident in their Kubernetes and container environments during the last 12 months.
This very high number of security incidents led to about 44% of organizations delaying or outright halting application deployment into production.
Researchers spoke with more than 540 IT professionals, the majority of whom work for tech companies or organizations involved in financial services.
“Our survey data affirms what we hear anecdotally from customers, that security has become a high priority as customers seek to deploy containers and Kubernetes applications in production,” said Kamal Shah, CEO of StackRox.
“Organizations have executive buy-in – the challenge is understanding the security and compliance requirements so that they can be addressed early in the application development life cycle and prevent delays to application deployment.”
Over the last five years, companies have been eager to incorporate containers, Kubernetes and microservices applications in an effort to promote enterprise IT innovation and boost digital transformation.
But nearly half of all respondents to the survey have had to delay an application rollout due to concerns about the security of containers or Kubernetes.
Of the 94% of respondents that acknowledged having security incidents, 69% said they experienced a misconfiguration incident and another 27% said they had a security incident during runtime. Nearly 25% reported having had a major vulnerability to remediate.
Exposures due to misconfigurations were considered the most pertinent security risk for their container and Kubernetes environments. More than 60% of respondents cited this as their main concern with another 27% telling StackRox researchers that vulnerabilities were also a big problem.
Misconfiguration incidents were particularly high because of how challenging it can be to find the kind of tech talent that can deal with the intricate knobs and dials in containers and Kubernetes.
Even seasoned developers have difficulties managing containers and Kubernetes, and many data breaches and exposures are caused by human error, the report said. More than 20% of enterprises experienced two or more types of security incidents.
“Companies understand they can’t realize the advantages of containers and Kubernetes without getting security right. To see such a large percentage – 44% – acknowledge they’ve slowed or halted application deployment into production due to security concerns means these companies are not achieving the primary advantage – faster app delivery – of moving to containers,” the report said.
“The findings in this survey of 541 respondents make clear that organizations are putting at risk the core benefit of faster application development and release by not ensuring their cloud-native assets are built, deployed, and running securely.”
“With the prevalence of misconfigurations across organizations, security must shift left to be embedded into DevOps workflows instead of ‘bolted on’ when the application is about to be deployed into production,” the report said. “With nearly half of our respondents delaying going into production because of security concerns, clearly a lack of security is inhibiting business acceleration and innovation.”
The study said that for the third time in a row, lackluster investment in security was the most common concern IT departments have about the strategy used for containers. Nearly 40% of respondents said inadequate investment was their main concern while another 14% said their organizations did not take threats to containers seriously. More than half of all respondents said security was their biggest source of concern.
In a sign that this problem was being addressed, StackRox researchers said there was a 35% drop in respondents saying their security strategy isn’t detailed enough. According to the study, the number of respondents with an intermediate or advanced strategy grew to 48% from 41%.
The survey also found that the most popular architectural model for deploying containers was hybrid, with 46% of respondents saying they run containers both on premises and in the cloud. More than 50% of survey respondents said they ran their containers on a single cloud platform while 35% ran theirs on multiple public clouds.
A race for the top
The leading container providers are Amazon Web Services, Microsoft Azure and Google Cloud Platform. Amazon is far outpacing the competition, with 78% of respondents saying they use AWS and just 39% using Microsoft Azure. But the race between Microsoft and Google for second place is heating up.
“While Microsoft Azure remains in second place, Google Cloud Platform (GCP) has grown its third-place standing from 28% in spring 2019 to 35% today. That GCP rivals Azure so closely might not be surprising, since Google created Kubernetes before donating it to the Cloud Native Computing Foundation.
“Also, Google Kubernetes Engine is one of the most feature-rich managed Kubernetes services in the market, especially in the area of cluster management – again, in large part due to Google’s deep experience orchestrating containers at scale,” the report said.
Kubernetes is also a dominating force in the market according to the survey’s findings. Nearly 90% of respondents are using Kubernetes for container orchestration, but the skills shortage is hampering the ability of organizations to fully deploy the environments.
DevOps departments were cited as the main group put in charge of managing container security at 81%, with another 51% reporting that security teams were also seen as most responsible for keeping containers safe. But the report said security required coordination among security departments, DevOps teams and developers.
“One of the most consistent results we get on our own surveys of DevOps and cloud-native security technologies is how important security is for those environments,” said Fernando Montenegro, principal analyst on the information security team at 451 Research.
“It is interesting to see how this observation fits well with the StackRox study, highlighting the need for both engineering and security professionals to properly deploy security controls and practices for containers and Kubernetes environments.”