Our latest edition of the State of Kubernetes security report analyzes emerging trends in container, Kubernetes, and cloud-native security. The report highlights the security challenges in cloud-native development and how organizations are addressing these challenges and protecting their applications. Based on survey results from more than 300 DevOps, engineering, and security professionals, this report uncovers new findings about companies that embrace containers and Kubernetes—and how they implement DevSecOps initiatives to protect their cloud-native environments.
- A majority of respondents have experienced a slowdown in application delivery due to unaddressed security concerns.
- Almost all respondents experienced at least one security incident in their Kubernetes environments in the last year, sometimes leading to revenue or customer loss.
- More than three-quarters of respondents have a DevSecOps initiative underway.
- Respondents worry about misconfigurations above all other security concerns.
- More than half of respondents said that they worry the most about the runtime phase of the container cycle.
- Red Hat® OpenShift® is the leader in hybrid cloud deployments.
55% have delayed or slowed down application deployment due to a security concern
More rapid release cycles, faster bug fixes, and greater flexibility to run and manage applications across hybrid environments are three of the most often cited benefits of containerization. However, when security becomes an afterthought, you may end up negating the greatest gain of containerization—agility. The majority of survey respondents (55%) have had to delay an application rollout because of security concerns over the last 12 months. New technologies often create unforeseen security challenges. Some organizations are overwhelmed by security needs that stretch across all aspects of the application life cycle, from development through deployment and maintenance. They need a simplified way to protect their containerized applications without slowing development or increasing operational complexity.
Benchmark yourself against the findings in this report to determine how you can accelerate your efforts to apply security controls across containers and Kubernetes.
93% experienced at least one security incident in their Kubernetes environments in the last 12 months
A combination of factors is likely behind this result, including a lack of security knowledge about containers and Kubernetes, inadequate or unfit security tooling, and central security teams unable to keep up with fast-moving application development teams that view security as an afterthought. As a consequence, 31% of respondents say they have experienced revenue or customer loss due to a security incident over the last 12 months.
Human error continues to lead the causes of data breaches. A recent study revealed that human error was a major contributing factor in 95% of breaches.1 Not surprisingly, nearly 53% of respondents have experienced a misconfiguration incident in their environments over the last 12 months.
78% have a DevSecOps initiative underway
A majority embraces DevSecOps—a term that encompasses the processes and tooling that allow security to be built into the application development life cycle, rather than handled as a separate process. Our survey found encouraging news—the vast majority of respondents say they have some form of DevSecOps initiative underway. Only 22% of respondents continue to operate DevOps separate from security. 27% of respondents count themselves among the most forward-looking organizations when it comes to DevSecOps, with an advanced DevSecOps initiative where they are integrating and automating security throughout the life cycle.
Misconfiguration is the top security concern (46%)
Kubernetes is a highly customizable container orchestrator, with various configuration options that affect an application’s security posture. Consequently, respondents worry the most about exposures due to misconfigurations in their container and Kubernetes environments (46%)—nearly three times the level of concern over attacks (16%), with vulnerabilities as the second leading cause of worry (28%).
The best way to address this challenge is to automate configuration management as much as possible, so that security tools—rather than humans—provide the guardrails that help developers and DevOps teams configure containers and Kubernetes more securely.
57% worry the most about the runtime phase of the container life cycle
Runtime—sometimes also known as Day 2 operations or the post-deployment stage—is the container life cycle phase that organizations worry about the most. This concern seems counterintuitive given that an overwhelming majority of respondents identify misconfigurations as the biggest source of security risk and have experienced a misconfiguration incident more often than any other type of security incident.
However, consider that runtime security issues are usually caused by security lapses—such as a misconfiguration—at the build or deploy stage. Furthermore, any negative outcome of a security misstep at the build or deploy stages is likely to be felt only once an application is running in production. Incident response, a key aspect of security, is also more complicated at runtime. Lastly, security issues discovered at runtime are likely to cost more to fix as well. Altogether, this makes heightened runtime security worries more understandable.
Red Hat OpenShift named as leader in hybrid cloud deployments
Hybrid cloud deployments were recognized as the most popular mode of running containerized applications at large organizations (with more than 1,000 employees). These hybrid models need consistent security and compliance no matter where workloads are deployed. Of the 42% of respondents using a hybrid cloud deployment model, half use Red Hat OpenShift to manage their containers and Kubernetes.