Security concerns are impeding the flow of containers through the CI/CD pipeline according to Red Hat’s recently released State of Kubernetes Security Report. Over half of the IT professionals surveyed for the report said they've delayed or slowed down container production because of concerns about container or Kubernetes security issues.
Also notable: nearly all respondents said they had at least one security incident in their Kubernetes environments in the last twelve months.
The Kubernetes Security Report is a semi-annual report, initially conducted by container security company StackRox before being purchased by Red Hat earlier this year. Although the report was released by Red Hat, this Spring 2021 report is based on information gathered before the purchase, with Red Hat indicating it will continue to conduct the poll.
The report tallies the answers from more than 500 DevOps, engineering and security professionals from a wide range of industries, topped by education, entertainment and financial services. The majority said they work in product development/engineering, on the operations side of DevOps or as security professionals.
A full quarter of the companies represented are small, with fewer than 100 employees, while 21% said they work for companies employing 10,000 or more.
A Snapshot of Kubernetes Security
Nearly everyone (94%) said they had experienced Kubernetes security issues or incidents related to containers and/or Kubernetes during the preceding year. Only a small percentage of these were actual intrusions; most were delays prompted primarily by caution. The majority were caused by a detected misconfiguration (59%), a major vulnerability to patch or fix (31%) or a failed audit (20%). The bad news is that 32% suffered a security incident during runtime.
"Human error is the most-often-cited cause of data breaches and hacks," Red Hat noted in the State of Kubernetes Security report. "Kubernetes and containers, while powerful, increase this risk substantially."
"A single workload may require significant configuration to ensure a more secure and scalable application," the report noted. "Add on technical debt and organizational hurdles, and it is a challenge even for experienced Kubernetes professionals to get everything right all the time."
Unsurprisingly, a majority (54%) have delayed or slowed down application deployment into production due to container or Kubernetes security issues. Additionally, these IT professionals are working to educate their workplaces on the security risks associated with containers. When asked to describe the security strategy for their company's container and Kubernetes environments, only 11% indicated an advanced strategy, with nearly a third saying the strategy was either nonexistent (7%) or in a planning stage (26%). Over half said their security strategy was basic (30%) or intermediate (26%), the latter meaning somewhere between basic and advanced.
While the report's authors found this data to be "promising," they added that it "shows that while security strategies are maturing, organizations still need to make further investments in their plans so they can adequately address container security and compliance needs."
The survey indicates that more than a quarter of organizations make container security the responsibility of DevOps (27%), followed by ops (21%); DevSecOps (18%); Security, which includes cloud security, security engineering, and infosec (18%); and developers (15%).
"Across various roles, DevOps is the single role most cited as responsible for securing containers and Kubernetes," the State of Kubernetes Security report pointed out. "Taken together, the myriad operational roles of DevOps, ops and DevSecOps are considered the primary owners of Kubernetes security by a whopping 66% of respondents."
The move toward better container and Kubernetes security is in the right direction, however. The survey found that only 26% of organizations continue to keep DevOps and security separate with minimal collaboration. The remaining 74% are either in transition, with DevOps and security teams collaborating on certain projects (49%), or have fully adopted the DevSecOps approach of integrating and automating security (25%).
Other Than Container Security...
Kubernetes security issues weren't all that the report touched upon. According to the survey, the OpenShift Kubernetes platform is the most-used way of running Kubernetes on hybrid or multi-cloud infrastructures, with hybrid cloud solutions from Amazon Web Services, Microsoft Azure and Google Cloud Platform following. Other than Red Hat, the only other Kubernetes software vendor on this list is VMware Tanzu, which was tied with "other" in this "choose all that apply" category.
Red Hat's and VMware's showing here somewhat agrees with data recently supplied to ITPro Today from research group Omdia, which said that Red Hat dominates the container software market, followed by Mirantis's Docker-based platform, VMware, SUSE/Rancher and Canonical.
OpenShift dropped to third place with 33%, however, when respondents were asked another "choose all that apply" question: "What Kubernetes platform do you use to orchestrate your containers?" Topping that list was Amazon EKS (51%), followed by self-managed Kubernetes with 35%. Interestingly, SUSE/Rancher (11%) was ahead of VMware Tanzu (6%) for this question.
The survey also indicates that the Docker Runtime Engine remains the most used runtime (85%), with containerd far behind (27%).