Kubernetes adoption, security, and market trends report 2022

Our latest edition of the State of Kubernetes security report analyzes emerging trends in container, Kubernetes, and cloud-native security. The report highlights the security challenges in cloud-native development and how organizations are addressing these challenges and protecting their applications. Based on survey results from more than 300 DevOps, engineering, and security professionals, this report uncovers new findings about companies that embrace containers and Kubernetes—and how they implement DevSecOps initiatives to protect their cloud-native environments. 

More rapid release cycles, faster bug fixes, and greater flexibility to run and manage applications across hybrid environments are three of the most often cited benefits of containerization. However, when security becomes an afterthought, you may end up negating the greatest gain of containerization—agility. The majority of survey respondents (55%) have had to delay an application rollout because of security concerns over the last 12 months. New technologies often create unforseen security challenges. Some organizations are overwhelmed by security needs that stretch across all aspects of the application life cycle, from development through deployment and maintenance. They need a simplified way to protect their containerized applications without slowing development or increasing operational complexity. 

A combination of factors are likely behind this result, including a lack of security knowledge about containers and Kubernetes, inadequate or unfit security tooling, and central security teams unable to keep up with fast-moving application development teams that view security an afterthought. As a consequence, 31% of respondents say they have experienced revenue or customer loss due to a security incident over the last 12 months.

Human error continues to lead the causes of data breaches. A recent study revealed that human error was a major contributing factor in 95% of breaches.¹ Not surprisingly, nearly 53% of respondents have experienced a misconfiguration incident in their environments over the last 12 months. 

A majority embraces DevSecOps—a term that encompasses the processes and tooling that allows security to be built into the application development life cycle, rather than as a separate process. Our survey found encouraging news—the vast majority of respondents say they have some form of DevSecOps initiative underway. Only 22% of respondents continue to operate DevOps separate from security. 27% of respondents count themselves among the most forward-looking organizations when it comes to DevSecOps, with an advanced DevSecOps initiative where they are integrating and automating security throughout the life cycle.

Kubernetes is a highly customizable container orchestrator, with various configuration options that affect an application’s security posture. Consequently, respondents worry the most about exposures due to misconfigurations in their container and Kubernetes environments (46%)—nearly three times the level of concern over attacks (16%), with vulnerabilities as the second leading cause of worry (28%). 

The best way to address this challenge is to automate configuration management as much as possible, so that security tools—rather than humans—provide the guardrails that help developers and DevOps teams configure containers and Kubernetes more securely.

Runtime—sometimes also known as Day 2 operations or the post-deployment stage—is the container life cycle phase that organizations worry about the most. This concern seems counterintuitive given that an overwhelming majority of respondents identify misconfigurations as the source of biggest security risk and have experienced a misconfiguration incident more often than any other type of security incident.

However, consider that runtime security issues are usually caused by security lapses—such as a misconfiguration—at build or deploy stage. Furthermore, any negative outcome of a security misstep at build or deploy stages is likely to be felt only once an application is running in production. Incident response, a key aspect of security, is also more complicated at runtime. Lastly, security issues discovered at runtime are likely to cost more to fix as well. All together, it makes heightened runtime security worries more understandable.

Hybrid cloud deployments were recognized as the most popular mode of running containerized applications at large organizations (with more than 1,000 employees). These hybrid models need consistent security and compliance no matter where workloads are deployed. Of the 42% of respondents using a hybrid cloud deployment model, half use Red Hat OpenShift to manage their containers and Kubernetes.

Get the full survey results and key takeaways for your container and Kubernetes security journey.