Container and Kubernetes Security Concerns are Inhibiting Business Innovation

Nearly half of all companies surveyed in a report have delayed moving an application into production because of concerns over security of containers or Kubernetes.

StackRox's State of Kubernetes and Container Security report incorporates input from more than 540 IT professionals, representing a much broader perspective than previous reports (390 in Spring 2019, 230 in Fall 2018). This edition also uncovered new findings about the impact that security concerns are having on companies embracing Kubernetes and containers.

Containers, Kubernetes, and microservices application patterns are three of the leading drivers of enterprise IT innovation and digital transformation, says the report. Companies have moved quickly to embrace these technologies for their advantages in application development and deployment, from faster development and deployment to quicker bug fixes and patches, leading to faster feature delivery that drives competitive differentiation.

"The latest edition of this report is our third time asking companies to comment on what aspects of their container strategy they’re most concerned with. Security has topped the list each time. We’re also not surprised because Kubernetes is complicated, and while containers and Kubernetes offer a lot of security advantages (declarative data, immutable infrastructure), getting the settings correct to protect the infrastructure is not intuitive," says Michelle McLean, Vice President of Product Marketing at StackRox."When you look at other feedback in the survey, particularly where people feel challenged with Kubernetes, you see that a skills gap and the steep learning curve top that list, which feeds into concerns about getting security correct. Plus, anecdotally, we see companies all the time who are at least partway down the path on their container and Kubernetes journey who feel like they have not yet taken the steps they need to have to secure this new cloud-native stack."

McLean notes that "companies face two main risks by not having tooling and processes in place for container security:"

The most obvious, of course, is exposure to a breach. The infrastructure has a lot of inherent security capabilities, but they are not enabled by default because containers and Kubernetes are – first and foremost – application development tools, and even when the CNCF releases updated versions with Kubernetes with more powerful security features, they’re off so that upgrading Kubernetes will not break any application functionality.
The second big risk, which our survey identified – and which, to be honest, we were surprised to see – is that companies will have to delay the roll out of Kubernetes applications until security can “catch up.” Nearly half (44 percent) of our respondents acknowledged delaying moving an application into production because of a lack of security. Slowing application releases compromises one of the key advantages – faster application iteration – of using this technology, so the sooner companies can get this cloud-native stack deployed, the sooner their business will reap the rewards.

Key findings in the report include:

Nearly all – 94 percent – of the respondents have experienced security incidents in their container environments in the past 12 months. Data breaches and exposures due to human error, such as misconfigured containers and Kubernetes deployments, have become alarmingly common. Among those reporting security incidents, the majority – 69 percent – experienced a misconfiguration incident, while 27 percent reported a security incident during runtime and 24 reported having had a major vulnerability to remediate (respondents could select as many responses as applied).

Exposures due to misconfigurations dwarf all other security concerns. In this third edition of the StackRox report, respondents once again identified exposures due to misconfigurations as the most worrisome security risk for their container and Kubernetes environments, with 61 percent citing this concern. Only 27 percent cited vulnerabilities as their main concern, and just 12 percent worry most about attacks at runtime. This data speaks to the importance of configuration management in securing container and Kubernetes environments – the flexibility of these powerful platforms brings its own challenges.

Managed Kubernetes services have enjoyed major growth. Of the respondents running containerized applications, Kubernetes is being used by 86 percent of them – the same as the Spring 2019 survey showed. However, the way Kubernetes is being used has changed dramatically. No longer is self-managed the most dominant way to run Kubernetes – 37 percent of respondents cited using Amazon EKS compared to 35 percent managing Kubernetes themselves, down from 44 percent in Spring 2019. Use of both Azure AKS and Google GKE also climbed, with each cited by 21 percent of respondents.

Hybrid deployments dropped while cloud-only environments grew. Hybrid deployments remain more popular than cloud-only deployments, at 46 percent compared to 40 percent. But hybrid deployments saw a big drop from our survey six months ago, when they represented 53 percent of respondents. Of the cloud-only deployments, multi-cloud gained steam, increasing from 9 percent to 13 percent, but single-cloud use still dominates, at 27 percent for cloud only plus another 24 percent running on prem and in a single cloud provider. On-prem-only deployments have fallen dramatically since the first survey in Fall 2018, from 31 percent to just 14 percent today.

Skill shortages and a steep learning curve present the biggest Kubernetes challenges. Knowledge of Kubernetes is impacting more than 60 percent of respondents, with 33 percent citing an internal skills gap and another 28 percent identifying the steep learning curve as the most significant Kubernetes challenge their organization is facing. Only 15 percent cited executive understanding as their main difficulty, indicating that the business side of organizations understands and has bought into the benefits of Kubernetes.

Other key survey findings:

For the third time in a row, security leads the list of top concerns users have about container strategies.
Container security strategies continue to mature, with the percentage of respondents who lacked any form of security strategy dropping 68 percent, from 19 percent to just 6.
Despite misconfigurations topping the list of concerns and incidents, respondents remain most concerned about the runtime phase of the container life cycle (56 percent) vs. build and deploy.
The percentage of organizations with fewer than 10 percent of their containers running in production fell from 39 percent to 28 percent.

“Our survey data affirms what we hear anecdotally from customers, that security has become a high priority as customers seek to deploy containers and Kubernetes applications in production,” said Kamal Shah, CEO of StackRox. “Organizations have executive buy in – the challenge is understanding the security and compliance requirements so that they can be addressed early in the application development life cycle and prevent delays to application deployment.”

For the full report, visit StackRox.com

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.