Kubernetes Security Challenged By Skill Shortages & Misconfigs
February 24, 2020
released the Winter 2020 edition of its State of Container and
Kubernetes Security Report. Among its findings, the survey revealed that
container security concerns have inhibited business innovation with
nearly half (44 percent) of respondents delaying the deployment of
cloud-native applications into production. These delays compromise the
biggest benefit respondents cite as driving the movement to
microservices and containers – the ability to develop and release
Data breaches and exposures due to
human error, such as misconfigured containers and Kubernetes
deployments, have become alarmingly common. Among those reporting
security incidents, the majority – 69 percent – experienced a
misconfiguration incident, while 27 percent reported a security incident
during runtime and 24 percent reported having had a major vulnerability to
remediate (respondents could select as many responses as applied).
In this third edition of the StackRox
report, respondents once again identified exposures due to
misconfigurations as the most worrisome security risk for their
container and Kubernetes environments, with 61 percent citing this
concern. Only 27 percent cited vulnerabilities as their main concern,
and just 12 percent worry most about attacks at runtime. This data
speaks to the importance of configuration management in securing
container and Kubernetes environments – the flexibility of these
powerful platforms brings its own challenges.
Of the respondents running
containerized applications, Kubernetes is being used by 86 percent – the
same as the Spring 2019 survey showed. However, the way Kubernetes is
being used has changed dramatically. Self-managed is no longer the
dominant way to run Kubernetes – 37 percent of respondents cited using
Amazon EKS compared to 35 percent managing Kubernetes themselves, down
from 44 percent in Spring 2019. Use of both Azure AKS and Google GKE
also climbed, with each cited by 21 percent of respondents.
Hybrid deployments remain more
popular than cloud-only deployments, at 46 percent compared to 40
percent. But hybrid deployments saw a big drop from our survey six
months ago, when they represented 53 percent of respondents. Of the
cloud-only deployments, multi-cloud gained steam, increasing from 9
percent to 13 percent, but single-cloud use still dominates, at 27
percent for cloud only plus another 24 percent running on-prem and in a
single cloud provider. On-prem-only deployments have fallen dramatically
since the first survey in Fall 2018, from 31 percent to just 14 percent.
Knowledge of Kubernetes is impacting
more than 60 percent of respondents, with 33 percent citing an internal
skills gap and another 28 percent identifying the steep learning curve
as the most significant Kubernetes challenge their organization is
facing. Only 15 percent cited executive understanding as their main
difficulty, indicating that the business side of organizations
understands and has bought into the benefits of Kubernetes.
For the third time in a row, security leads the list of top concerns users
have about container strategies.
Despite misconfigurations topping the list of concerns and incidents, respondents remain most concerned about the runtime phase of the container life cycle (56 percent) vs. build and deploy.
The percentage of organizations with fewer than 10 percent of their containers running in production fell from 39 percent to 28 percent.
“Our survey data affirms what we hear
anecdotally from customers, that security has become a high priority as
customers seek to deploy containers and Kubernetes applications in
production,” said Kamal Shah, CEO of StackRox. “Organizations have
executive buy-in – the challenge is understanding the security and
compliance requirements so that they can be addressed early in the
application development life cycle and prevent delays to application
StackRox surveyed more than 540 IT professionals for this third version of its industry-first report. Roughly 25 percent of respondents serve in security or compliance roles, 20 percent in operations, and 45 percent in product development and engineering roles. Nearly half of the respondents report working in large companies of more than 5,000 employees. In this edition, respondents from high-tech and financial services companies dominated the survey.