Twice each year for its State of Kubernetes Security report, StackRox examines how companies are adopting Kubernetes, containers and cloud-native technologies while meeting the challenges of securing these environments.
Prior to being acquired by Red Hat, StackRox surveyed more than 500 DevOps, engineering and security professionals for the summer 2021 report, uncovering new findings about what keeps IT leaders up at night when it comes to containers and how organizations are embracing DevSecOps initiatives to protect their cloud-native environments. The full report is available here and we’ve highlighted some of the key findings below.
Concerns remain - and are slowing down innovation
Despite growing adoption, security remains the top concern when it comes to containers and Kubernetes. This doesn’t come as much of a surprise considering 94% of respondents stated they have experienced a security incident in their Kubernetes and container environments during the last 12 months. And more than half of respondents (55%) have needed to delay deploying Kubernetes applications into production due to security.
Human error is the most often cited cause of data breaches and hacks - with nearly 60% of respondents stating they have experienced a misconfiguration incident in their environments over the last 12 months. Nearly a third have discovered a major vulnerability, and another third said they’ve suffered a runtime security incident. Misconfigurations are not only the most common type of incident, they are also what survey respondents worry about the most, with 47% citing worries about exposures due to misconfigurations in their container and Kubernetes environments - which is almost four times the level of concern over attacks (13%).
Configuration management poses a difficult challenge for security practitioners. While a host of tools are available for vulnerability scanning of container images, configuration management requires more consideration. The best way to address this challenge is to automate configuration management as much as possible, so that security tools - rather than humans - provide the guardrails that help developers and DevOps teams configure containers and Kubernetes securely.
The need for shifting left
The survey results also highlight the importance of collaboration across development, IT operations and security teams to implement security early in the development lifecycle to realize the greatest benefit of Kubernetes—innovating fast.
Across various roles, DevOps is the single role most cited as responsible for securing containers and Kubernetes. Echoing the need for security to shift left, 15% of respondents consider developers as the primary owners of Kubernetes security, with only 18% identifying security teams as being most responsible.
This distribution shows that when it comes to container and Kubernetes security, it takes a village. Traditionally, security has been the central control point for enforcing security and compliance policies. Container and Kubernetes adoption is often primarily driven by DevOps, so it’s not surprising to see respondents naming them responsible for securing these technologies. To bridge these gaps, container and Kubernetes security tooling must facilitate close collaboration among different teams - from Developers to DevOps to Ops to Security - instead of perpetuating the silos that may plague organizations.
We also found that DevSecOps is no longer just a buzzword. The term, which encompasses the processes and tooling that allow security to be built into the application development life cycle rather than added as an afterthought, is being put into action. The survey found the vast majority of respondents reporting that they have some form of DevSecOps initiative underway. Only 26% of respondents continue to operate DevOps separate from Security.
Investing in security
Organizations are eagerly adopting containers and Kubernetes; however, if they don’t make the necessary investments in security strategies and tooling simultaneously, they risk the security of their critical applications and may need to delay application rollout. Inadequate investment in security is the top-cited concern about the respondent company’s container strategy.
The good news is that the percentage of respondents with at least a basic Kubernetes security strategy is at 67%. Even more notable is the percentage of respondents who lack a security strategy entirely; that number is just 7%. This data is promising, but it shows that although security strategies are maturing, organizations still need to make further investments in their plans so they can adequately address container security and compliance needs.
By integrating Kubernetes-native security, organizations can leverage the rich declarative data and native controls in Kubernetes for key security benefits. Analyzing the declarative data available in Kubernetes can yield better security, with risk-based insights into configuration management, compliance, segmentation, and Kubernetes-specific vulnerabilities. Not just that, but using the same infrastructure and its controls for application development and security helps reduce the learning curve and enables faster analysis and troubleshooting.
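To make the idea of risk-based insight from declarative data concrete, the following added example (not code from the report, StackRox or Red Hat) scores a workload manifest for common misconfigurations. The sample manifest is constructed, and the rule set and weights are illustrative assumptions rather than a standard.

```python
import json

# Constructed sample Deployment (JSON form); not taken from the report.
MANIFEST = json.loads("""
{"apiVersion": "apps/v1", "kind": "Deployment",
 "metadata": {"name": "web", "namespace": "shop"},
 "spec": {"template": {"spec": {
   "hostNetwork": true,
   "containers": [
     {"name": "app", "image": "registry.example/app:latest",
      "securityContext": {"privileged": true}},
     {"name": "sidecar", "image": "registry.example/proxy:1.4.2",
      "securityContext": {"runAsNonRoot": true,
                          "allowPrivilegeEscalation": false},
      "resources": {"limits": {"cpu": "100m", "memory": "64Mi"}}}
   ]}}}}
""")

def mutable_tag(image):
    """True when the image reference has no tag/digest or uses :latest."""
    name = image.rsplit("/", 1)[-1]
    return ":" not in name or image.endswith(":latest")

# (weight, finding, predicate); the weights are illustrative assumptions.
RULES = [
    (10, "privileged container", lambda sc, c: sc.get("privileged") is True),
    (5, "allowPrivilegeEscalation not set to false",
     lambda sc, c: sc.get("allowPrivilegeEscalation") is not False),
    (4, "runAsNonRoot not enforced", lambda sc, c: sc.get("runAsNonRoot") is not True),
    (2, "no resource limits", lambda sc, c: not (c.get("resources") or {}).get("limits")),
    (2, "mutable image tag", lambda sc, c: mutable_tag(c["image"])),
]

def audit(manifest):
    """Return (total_score, findings) for a workload's pod template."""
    pod = manifest["spec"]["template"]["spec"]
    pod_sc = pod.get("securityContext") or {}
    findings = [(8, "pod", f"{flag} enabled")
                for flag in ("hostNetwork", "hostPID", "hostIPC") if pod.get(flag) is True]
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        # Container-level runAsNonRoot overrides the pod-level value.
        sc = {"runAsNonRoot": pod_sc.get("runAsNonRoot"), **(c.get("securityContext") or {})}
        findings += [(w, c["name"], msg) for w, msg, bad in RULES if bad(sc, c)]
    findings.sort(key=lambda f: -f[0])  # highest risk first
    return sum(w for w, _, _ in findings), findings

if __name__ == "__main__":
    score, findings = audit(MANIFEST)
    print(f"risk score: {score}")
    for weight, where, msg in findings:
        print(f"  [{weight:>2}] {where}: {msg}")
```

Run in CI or as an admission-time check, the same function can fail a build when the score exceeds a threshold the team agrees on, which puts the guardrail in tooling rather than in manual review.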
About the author
Red Hat is the world’s leading provider of enterprise open source software solutions, using a community-powered approach to deliver reliable and high-performing Linux, hybrid cloud, container, and Kubernetes technologies.
Red Hat helps customers integrate new and existing IT applications, develop cloud-native applications, standardize on our industry-leading operating system, and automate, secure, and manage complex environments. Award-winning support, training, and consulting services make Red Hat a trusted adviser to the Fortune 500. As a strategic partner to cloud providers, system integrators, application vendors, customers, and open source communities, Red Hat can help organizations prepare for the digital future.