The State of Kubernetes Security

Twice each year for its State of Kubernetes Security report, StackRox examines how companies are adopting Kubernetes, containers and cloud-native technologies while meeting the challenges of securing these environments. 

Prior to being acquired by Red Hat, StackRox surveyed more than 500 DevOps, engineering and security professionals for the summer 2021 report, uncovering new findings about what keeps IT leaders up at night when it comes to containers and how organizations are embracing DevSecOps initiatives to protect their cloud-native environments. The full report is available here and we’ve highlighted some of the key findings below.

Concerns remain - and are slowing down innovation
Despite growing adoption, security remains the top concern when it comes to containers and Kubernetes. This doesn’t come as much of a surprise considering 94% of respondents stated they have experienced a security incident in their Kubernetes and container environments during the last 12 months. And more than half of respondents (55%) have needed to delay deploying Kubernetes applications into production due to security. 

Human error is the most often cited cause of data breaches and hacks - with nearly 60% of respondents stating they have experienced a misconfiguration incident in their environments over the last 12 months. Nearly a third have discovered a major vulnerability, and another third said they’ve suffered a runtime security incident. Not only are misconfigurations most common, but are also what survey respondents worry about the most, with 47% citing worries about exposures due to misconfigurations in their container and Kubernetes environments - which is almost four times the level of concern over attacks (13%).

Configuration management poses a difficult challenge for security practitioners. While a host of tools are available for vulnerability scanning of container images, configuration management requires more consideration. The best way to address this challenge is to automate configuration management as much as possible, so that security tools - rather than humans - provide the guardrails that help developers and DevOps teams configure containers and Kubernetes securely.

The need for shifting left
The survey results also highlight the importance of collaboration across development, IT operations and security teams to implement security early in the development lifecycle to realize the greatest benefit of Kubernetes—innovating fast. 

Across various roles, DevOps is the single role most cited as responsible for securing containers and Kubernetes. Echoing the need for security to shift left, 15% of respondents consider developers as the primary owners of Kubernetes security, with only 18% identifying security teams as being most responsible. 

This distribution shows that when it comes to container and Kubernetes security, it takes a village. Traditionally, security has been the central control point for enforcing security and compliance policies. Containers and Kubernetes adoption are often primarily driven by DevOps, so it’s not surprising to see respondents naming them responsible for securing these  technologies. To bridge these gaps, container and Kubernetes security tooling must facilitate close collaboration among different teams - from Developers to DevOps to Ops to Security - instead of perpetuating the silos that may plague organizations.

We also found that DevSecOps is no longer just a buzzword. The term, which encompasses the processes and tooling that allows security to be built into the application development life cycle, rather than as an afterthought, is being put into action. The survey found the vast majority of respondents reporting that they have some form of DevSecOps initiative underway. Only 26% of respondents continue to operate DevOps separate from Security.

Investing in security
Organizations are eagerly adopting containers and Kubernetes, however if they don’t make the necessary investments in security strategies and tooling simultaneously, they risk the security of their critical applications and may need to delay application rollout. Inadequate investment in security is the top-cited concern about the respondent company’s container strategy. 

The good news is, the percentage of respondents with at least a basic Kubernetes security strategy is at 67%. Even more notable is the percentage of respondents who lack a security strategy entirely; that number is just 7%. While this data is promising, it shows that while security strategies are maturing, organizations still need to make further investments in their plans so they can adequately address container security and compliance needs.

By integrating Kubernetes-native security, organizations can leverage the rich declarative data and native controls in Kubernetes for key security benefits. Analyzing the declarative data available in Kubernetes can yield better security, with risk-based insights into configuration management, compliance, segmentation, and Kubernetes-specific vulnerabilities. Not just that, but using the same infrastructure and its controls for application development and security helps reduce the learning curve and enables faster analysis and troubleshooting.