Kubernetes is the de facto standard when it comes to container orchestration and management at scale, but adoption is only one piece of Kubernetes strategy. Security plays a huge role in how organizations use cloud-native technologies, and is typically much trickier to address than simply spinning up and running containers. Red Hat’s The State of Kubernetes Security for 2022 examines the security challenges organizations face when it comes to cloud-native development and how they address these challenges to protect their applications and IT environments.
The report is based on surveys of more than 300 DevOps, engineering and security professionals, highlighting how companies are adopting containers and Kubernetes while still balancing the security of these environments. While the full report is available here, read on to see some of the key findings from this year’s data.
Security concerns linger - and are causing delays
Similar to previous years, security remains one of the biggest concerns around container adoption. New technologies can create unforeseen security challenges when integrated with traditional IT environments, and containers present particular complexities because their security needs stretch across the whole application lifecycle, from development through deployment and maintenance. For 31% of respondents, security threats to containers and a lack of investment in container security are the most common concern with their container strategy.
Backing these concerns are the 93% of respondents who experienced at least one security incident in their Kubernetes environments in the last 12 months, with the incident sometimes leading to revenue or customer loss. More than half of respondents (55%) also have had to delay an application rollout because of security concerns over the past year.
Despite extensive media attention on cyberattacks, the report highlights that it is actually misconfigurations that keep IT professionals up at night. Kubernetes is highly customizable, with many configuration options that affect an application's security posture. Consequently, respondents worry most about exposures due to misconfigurations in their container and Kubernetes environments (46%) - nearly three times the level of concern over attacks (16%). Automating configuration management as much as possible helps to alleviate these issues, so that security tooling - rather than humans - provides the guardrails that help developers and DevOps teams configure containers and Kubernetes more securely: a misconfigured manifest should be caught by a policy check before it reaches a cluster, not discovered after deployment.
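To make the "guardrails, not humans" point concrete, here is an added example (written for this edit, not code from the report or from Red Hat) of the kind of automated check a policy engine or CI step runs against a Pod manifest. The two manifests are constructed for the example, and the checks are an illustrative subset of what admission policies such as the Kubernetes Pod Security Standards enforce, not a complete policy. Manifests are embedded as Python dicts (the shape a YAML parser produces) so the script runs offline.

```python
"""Automated guardrail checks for Kubernetes Pod manifests.

Added example for this article, not code from the report or from Red Hat.
The check list is an illustrative subset of Pod Security Standards-style
controls; the verdict threshold ("any finding denies") is this example's own.
"""
from typing import Any, Dict, List


def _image_is_mutable(image: str) -> bool:
    """True when the image reference can silently change (no tag, or :latest)."""
    ref = image.rsplit("/", 1)[-1]  # strip registry/namespace, keep name[:tag|@digest]
    if "@" in ref:                  # pinned by digest: immutable
        return False
    return ":" not in ref or ref.endswith(":latest")


def pod_security_findings(pod: Dict[str, Any]) -> List[str]:
    """Return human-readable findings for one Pod manifest (empty list = passes)."""
    findings: List[str] = []
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}

    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            findings.append(f"{name}: spec.{key}=true shares a host namespace")

    for c in spec.get("initContainers", []) + spec.get("containers", []):
        cname = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}

        if sc.get("privileged"):
            findings.append(f"{name}/{cname}: privileged=true")
        # Kubernetes treats an unset allowPrivilegeEscalation as true.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}/{cname}: allowPrivilegeEscalation not set to false")
        # runAsNonRoot may be set at pod or container level; the container value wins.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append(f"{name}/{cname}: runAsNonRoot not enforced")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}/{cname}: root filesystem is writable")
        added = (sc.get("capabilities") or {}).get("add") or []
        if added:
            findings.append(f"{name}/{cname}: adds capabilities {added}")
        if _image_is_mutable(c.get("image", "")):
            findings.append(f"{name}/{cname}: image {c.get('image')!r} is not pinned")
        limits = (c.get("resources") or {}).get("limits") or {}
        for res in ("cpu", "memory"):
            if res not in limits:
                findings.append(f"{name}/{cname}: no {res} limit")
    return findings


def evaluate(pods: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Map each Pod name to its findings; a Pod with no findings would be admitted."""
    return {p["metadata"]["name"]: pod_security_findings(p) for p in pods}


# Constructed sample input: a typical "it works on my laptop" manifest ...
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web-weak"},
    "spec": {
        "hostPID": True,
        "containers": [{
            "name": "web",
            "image": "nginx:latest",
            "securityContext": {"privileged": True},
        }],
    },
}

# ... and the same workload with the settings the checks above expect.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web-hardened"},
    "spec": {
        "securityContext": {
            "runAsNonRoot": True,
            "runAsUser": 10001,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [{
            "name": "web",
            "image": "nginx:1.25.3",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
        }],
    },
}

if __name__ == "__main__":
    for pod_name, issues in evaluate([WEAK_POD, HARDENED_POD]).items():
        print(("DENY " if issues else "ALLOW ") + pod_name)
        for issue in issues:
            print("  -", issue)
```

Run as a script, the weak manifest is denied with eight findings (host PID namespace, privileged container, privilege escalation not disabled, root user allowed, writable root filesystem, unpinned image, and no CPU or memory limit) while the hardened one is admitted. In a real pipeline this logic sits in an admission controller or a policy engine so that the decision is enforced on every apply, and the same rules run in CI so developers see the findings before a pull request is merged.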
DevSecOps has become the standard
Less than two years ago, our Fall 2020 report found that 40% of respondents were starting to have DevOps and Security teams collaborate on joint policies and workflows. Over the past two years that number has increased considerably, with DevSecOps now quickly becoming the standard for surveyed organizations. A vast majority of this year’s respondents (78%) stated they have a DevSecOps initiative in either beginning or advanced stages. And 27% of respondents count themselves among the most forward-looking organizations when it comes to DevSecOps, with an advanced DevSecOps initiative, where they are integrating and automating security throughout application lifecycles.
Collaboration across Dev, Ops, and Security teams to implement security early in the development lifecycle helps realize the greatest benefit of Kubernetes—innovating fast. In the past, the role of security was isolated to a specific team in the final stage of development. That wasn’t as problematic when development cycles lasted months or even years. With today’s rapid release cycles, security must shift left and be embedded into DevOps workflows instead of "bolted on" when the application is about to be deployed into production.
The good news is that this seems to be resonating with respondents. Besides the high number who are implementing DevSecOps, only 22% of respondents reported that they continue to operate DevOps separately from Security, and only 16% of respondents identify the central IT security team as the one responsible for Kubernetes security.
Achieving better security through DevSecOps
Security has long been viewed as a business inhibitor, especially by developers and DevOps teams whose primary goal is to deliver code fast. With containers and Kubernetes, security should become a business accelerator by helping developers build stronger security controls into their applications right from the start.
Despite potential security concerns, the benefits of container and Kubernetes adoption continue to outweigh the drawbacks. The key is to look for a container and Kubernetes security platform that incorporates DevOps best practices and internal controls as part of its configuration checks. It should also assess the configuration of Kubernetes itself for its security posture, so developers can focus on feature delivery.
To see more about the findings as well as read four tips for achieving better security, the full report can be found here.
About the author
Ajmal Kohgadai is Principal Product Marketing Manager for Red Hat Advanced Cluster Security for Kubernetes. Prior to its acquisition by Red Hat, he was the Director of Product Marketing and Growth at StackRox, a leading Kubernetes security company.