State Of Kubernetes Security Report - Red Hat


E-book: State of Kubernetes Security Report 2021

Executive Summary

This edition of the State of Kubernetes Security Report examines how companies are adopting Kubernetes, containers, and cloud-native technologies while meeting the challenges of securing their vital Kubernetes applications. The report compiles the survey results from more than 500 DevOps, engineering, and security professionals and uncovers new findings about how companies that embrace containers and Kubernetes implement DevSecOps initiatives to protect their cloud-native environments. The survey was conducted by StackRox before its acquisition by Red Hat in early 2021.

Because security is the biggest area of concern with container adoption, and security issues continue to cause delays in deploying applications into production, we also look at the most common types of security incidents that companies experience in their Kubernetes environments. The survey results highlight the importance of collaboration across Dev, Ops, and Security teams to implement security early in the development life cycle so that organizations realize the greatest benefit of Kubernetes: innovating fast. We are heartened to see so many organizations adopting DevSecOps; 75% of organizations have initiatives in place that increase collaboration between DevOps and Security teams.

We encourage you to benchmark yourself against the findings in this report to determine how you can accelerate your efforts to apply security controls across containers and Kubernetes. Delaying security could mean delaying innovation and putting the business benefits of Kubernetes at risk.

There are many security advantages you can use in containers and Kubernetes, from declarative configuration and immutable infrastructure to the isolation inherent in containerized applications. Organizations, however, need the knowledge, tooling, and processes to put those capabilities to work so they can benefit from the sizable advantages of running fast in a DevOps-driven, cloud-native world.

Nearly everyone (94% of respondents) reported experiencing a security incident in the last 12 months. In many cases the cause was a misconfiguration, but a sizable portion also identified a major vulnerability, experienced a runtime incident, or failed an audit. These findings become more critical when respondents have deployed their Kubernetes workloads in production environments.

Security concerns are slowing down innovation

More than half of respondents have delayed deploying Kubernetes applications into production due to security.

Companies are rapidly adopting Kubernetes and containers to fuel the growth engine for their digital innovation and transformation. A slew of new companies, born in the cloud, rely on this tech stack to fuel their growth, while incumbents are migrating their existing workloads to containers and Kubernetes across hybrid cloud environments.

Survey question: Have you ever delayed or slowed down application deployment into production due to container or Kubernetes security concerns?

Rapid application development and release, swift bug fixes, and increased feature velocity are three of the most often cited benefits of containerization. When security becomes an afterthought, however, you may end up negating the greatest gain of containerization: agility. More than half of the survey respondents (55%) have had to delay an application rollout because of security concerns. Rolling out an application that hasn't passed a security assessment puts the business at significant risk. To prevent delays in application deployment and realize the benefits of containers and Kubernetes, organizations must shift left with security, building it into the development phase so they can address as many security challenges as possible during the build stage.

94% of respondents experienced at least one security incident in their Kubernetes environments in the last 12 months

Misconfiguration is the leading cause of security incidents, by a wide margin.

A whopping 94% of survey respondents have experienced a security incident in their Kubernetes and container environments during the last 12 months.

Survey question: In the past 12 months, what security incidents or issues related to containers and/or Kubernetes have you experienced?

The fact that nearly everyone has had a security problem may help explain the previous finding, that over half of organizations have delayed an application deployment over security concerns.

Human error is the most often cited cause of data breaches and hacks, and Kubernetes and containers, while powerful, increase this risk substantially. Kubernetes exposes powerful functionality through a declarative model, and a single workload may require significant configuration to ensure a more secure and scalable application. Add technical debt and organizational hurdles, and it is a challenge even for experienced Kubernetes professionals to get everything right all the time.

Not surprisingly, nearly 60% of respondents have experienced a misconfiguration incident in their environments over the last 12 months. Nearly a third have discovered a major vulnerability, and another third said they have suffered a runtime security incident. Lastly, 20% said they had failed an audit.

Security tops the list of concerns with container strategies

59% of respondents are most worried about unaddressed security and compliance needs or threats to containers.

Given what we know about the prevalence of security incidents in these environments (94%), it should come as no surprise that security remains the top concern when it comes to container adoption.

Survey question: What is your biggest concern about your company's container strategy?

Inadequate investment in security is the top-cited concern about the respondent company's container strategy (29%). Combined with not taking threats seriously (16%) and not accounting for compliance needs (14%), nearly 60% of respondents identify security and compliance as their biggest source of concern.

Organizations are eagerly adopting containers and Kubernetes. If they don't make the necessary investments in security strategies and tooling at the same time, they risk the security of their critical applications and may need to delay application rollout.

Majority has moved past the planning stage of their container security strategies

More than a third have an intermediate or advanced security strategy.

With growing container adoption, organizations continue to advance their container and Kubernetes security strategies. The percentage of respondents with at least a basic Kubernetes security strategy is 67%. Even more notable is how few respondents lack a security strategy entirely: just 7%.

Survey question: How would you describe the security strategy for your company's container and Kubernetes environments?

While this data is promising, the previous finding, quantifying the ongoing security concerns about container strategies, shows that while security strategies are maturing, organizations still need to make further investments in their plans so they can adequately address container security and compliance needs.

Responsibility for Kubernetes security is highly decentralized

Across various roles, DevOps is considered most responsible for security.

DevOps is the single role most often cited as responsible for securing containers and Kubernetes. Taken together, the operational roles of DevOps, Ops, and DevSecOps are considered the primary owners of Kubernetes security by 66% of respondents.

Survey question: What role at your organization is most responsible for container and Kubernetes security?

Echoing the need for security to shift left, 15% of respondents consider developers the primary owners of Kubernetes security, while only 18% identify security teams as most responsible.

This distribution shows that when it comes to container and Kubernetes security, it takes a village. Traditionally, Security has been the central control point for enforcing security and compliance policies. Container and Kubernetes adoption is often driven primarily by DevOps, so it is not surprising to see respondents naming them responsible for securing these technologies. To bridge these gaps, container and Kubernetes security tooling must facilitate close collaboration among the different teams, from Developers to DevOps to Ops to Security, instead of perpetuating the barriers that may plague organizations.

Most organizations have a DevSecOps initiative

Only 26% of respondents say DevOps and Security remain separate.

DevSecOps is no longer just a buzzword. The term encompasses the processes and tooling that allow security to be built into the application development life cycle rather than added as an afterthought. Our survey found good news on this front: the vast majority of respondents say they have some form of DevSecOps initiative underway, and only 26% continue to operate DevOps separately from Security.

Even more promising, 25% of respondents have an advanced DevSecOps initiative in which they integrate and automate security throughout the life cycle.

Survey question: Do you have a DevSecOps initiative in your organization?

Misconfigurations pose the greatest security concern for respondents

Prevalence of misconfigurations underscores the need for automating configuration management.

Survey respondents worry most about exposures due to misconfigurations in their container and Kubernetes environments (47%), with vulnerabilities the second leading source of worry (31%). Concern over misconfigurations runs almost four times higher than concern over attacks (13%).

Survey question: Of the following risks, which one are you most worried about for your container and Kubernetes environments?

Configuration management poses a uniquely difficult challenge for security practitioners. While a host of tools is available for vulnerability scanning of container images, configuration management requires more consideration. People may know that they should avoid deploying the Kubernetes dashboard, but configuring a pod's security context or implementing Kubernetes role-based access control (RBAC) are just two examples of more challenging settings that teams need to get right.

The best way to address this challenge is to automate configuration management as much as possible, so that security tools, rather than humans, provide the guardrails that help developers and DevOps teams configure containers and Kubernetes securely.
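One way to turn the point about pod security contexts and RBAC into a guardrail is a small pre-deploy check that inspects manifests before they reach the cluster, which is what tools such as KubeLinter and OPA do at scale. The script below is an added example and is not code from the report, from StackRox, or from Red Hat. The rule set it enforces is an illustrative sample of widely recommended hardening settings (run as non-root, no privilege escalation, dropped capabilities, read-only root filesystem, a seccomp profile, digest-pinned images, no host namespaces, no wildcard RBAC rules), and the manifests it inspects are constructed for the example; the weak pod and the hardened pod are the same workload with and without those settings.

```python
"""Pre-deploy guardrail checks for a Pod spec and an RBAC Role.

Added example, not code from the report, StackRox or Red Hat. The rules are
an illustrative sample of common hardening settings (close to the Kubernetes
"restricted" Pod Security Standard, plus digest-pinned images and no wildcard
RBAC rules). Manifests are plain dicts so the script runs without PyYAML; the
structure is exactly what kubectl accepts as JSON.
"""
from typing import Any, Dict, List

Manifest = Dict[str, Any]

# --- Constructed sample manifests (not taken from any real cluster) ---------
WEAK_POD: Manifest = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "hostNetwork": True,  # shares the node's network namespace
        "containers": [{
            "name": "app",
            "image": "registry.example/web:latest",  # mutable tag, no digest
            "securityContext": {"privileged": True},
        }],
    },
}

HARDENED_POD: Manifest = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web-hardened"},
    "spec": {
        "automountServiceAccountToken": False,
        # pod-level securityContext is inherited by every container
        "securityContext": {"runAsNonRoot": True,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "app",
            "image": "registry.example/web@sha256:" + "0" * 64,  # placeholder digest
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}

WILDCARD_ROLE: Manifest = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
    "metadata": {"name": "dev", "namespace": "team-a"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}

SCOPED_ROLE: Manifest = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
    "metadata": {"name": "pod-reader", "namespace": "team-a"},
    "rules": [{"apiGroups": [""], "resources": ["pods"],
               "verbs": ["get", "list", "watch"]}],
}

# securityContext keys that may be set at pod level and inherited by containers
POD_LEVEL_KEYS = ("runAsNonRoot", "runAsUser", "seccompProfile")


def check_pod(manifest: Manifest) -> List[str]:
    """Return one finding per violated rule; an empty list means the pod passes."""
    findings: List[str] = []
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    spec = manifest.get("spec", {})
    pod_sc = spec.get("securityContext", {})

    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            findings.append(f"{name}: spec.{key} is true (breaks namespace isolation)")
    # Kubernetes mounts the service account token unless told otherwise. This
    # check looks only at the pod; the ServiceAccount object can also disable it.
    if spec.get("automountServiceAccountToken", True):
        findings.append(f"{name}: service account token is auto-mounted")

    for c in spec.get("initContainers", []) + spec.get("containers", []):
        cname = f"{name}/{c.get('name', '<unnamed>')}"
        # container-level values override pod-level ones for the shared keys
        sc = {k: pod_sc[k] for k in POD_LEVEL_KEYS if k in pod_sc}
        sc.update(c.get("securityContext", {}))

        if "@sha256:" not in c.get("image", ""):
            findings.append(f"{cname}: image is not pinned by digest")
        if sc.get("privileged"):
            findings.append(f"{cname}: privileged container")
        if not sc.get("runAsNonRoot"):
            findings.append(f"{cname}: runAsNonRoot is not true")
        # the field defaults to true, so only an explicit false passes
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{cname}: allowPrivilegeEscalation is not false")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{cname}: root filesystem is writable")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{cname}: capabilities are not dropped (drop: [ALL])")
        if sc.get("seccompProfile", {}).get("type") not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{cname}: no seccomp profile")
    return findings


def check_role(manifest: Manifest) -> List[str]:
    """Flag RBAC rules that grant wildcard access to API groups, resources or verbs."""
    findings: List[str] = []
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    for i, rule in enumerate(manifest.get("rules", [])):
        for field in ("apiGroups", "resources", "verbs"):
            if "*" in rule.get(field, []):
                findings.append(f"{name}: rule {i} uses a wildcard in {field}")
    return findings


if __name__ == "__main__":
    for m in (WEAK_POD, HARDENED_POD):
        print(m["metadata"]["name"], check_pod(m) or ["pass"])
    for m in (WILDCARD_ROLE, SCOPED_ROLE):
        print(m["metadata"]["name"], check_role(m) or ["pass"])
```

Run as a script, the weak pod produces nine findings and the wildcard role three, while the hardened pod and the scoped role pass. The same functions can be wired into a CI step or an admission webhook so the check runs on every manifest rather than relying on a reviewer to remember each setting.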

Respondents worry the most about the runtime phase of the container life cycle

Nearly half of respondents are most worried about the runtime phase, underscoring the importance of runtime controls.

Runtime is the container life-cycle phase that organizations worry about the most. At first glance, this finding runs counter to the previous one: the largest share of respondents identify misconfigurations as the biggest source of security risk, and respondents have experienced a misconfiguration incident more often than any other type of security incident.

Survey question: Which life-cycle phase are you most worried about from a security perspective?

The data makes more sense, however, when you consider that runtime security issues are usually caused by security lapses, such as a misconfiguration, at the build or deploy stage. Furthermore, any negative outcome of a security misstep at the build or deploy stage is likely to be felt only once an application is running in production.

Hybrid cloud deployment strategies are the most common

47% of respondents deploy containers across a hybrid cloud model, while 28% have selected a cloud-only strategy.

Talk of cloud-only strategies runs high, but actual deployments on one or more cloud providers alone still lag hybrid cloud deployments: 47% of respondents run their containers in a hybrid setting, versus 28% who run only in public cloud.

Survey question: Where do you have containers running?

Isolating on-premise-only container deployments, the gap remains, with 26% running containerized applications only in their own data centers.

With hybrid models continuing to be the dominant approach, organizations need security that runs the same way no matter where workloads are deployed. Security approaches that are Kubernetes-native can deliver environment-agnostic controls that span on-premise and cloud deployments.

Red Hat OpenShift is the leader in hybrid cloud deployments

37% of respondents have standardized on OpenShift, with AWS Outposts and Azure Arc rounding out the top three.

With hybrid cloud deployments the most popular mode of running containerized applications, we wanted to understand how organizations were deploying in hybrid mode.

Survey question: Are you using any solutions for hybrid and multicloud Kubernetes deployments?

The popularity of hybrid technologies from the public cloud providers follows a similar arc to overall platform popularity. According to our survey, however, they all lag behind Red Hat OpenShift. The hybrid offerings from VMware and Oracle lag behind their peers, with 13% and 4% of respondents using them respectively.

As the de facto container orchestrator, Kubernetes is used by nearly everyone

88% of respondents use Kubernetes as their container orchestrator, with 74% in production.

Our survey results indicate widespread adoption of Kubernetes (nearly nine in ten respondents), especially in production environments (roughly three in four). How organizations deploy Kubernetes, however, continues to change dramatically.

Survey questions: Are you using Kubernetes for container orchestration? If you're using Kubernetes, are you running workloads in production? What Kubernetes platform do you use to orchestrate your containers?

Amazon's EKS is the most widely used Kubernetes platform according to respondents (51%). Self-managed Kubernetes is, somewhat surprisingly, the second most commonly selected platform (35%), with Red Hat OpenShift a close third (33%). Microsoft's AKS and Google's GKE are neck and neck, with Azure holding a slight advantage.

Respondents require a feature-rich security solution

68% of respondents identify runtime threat detection and incident response as a must-have capability.

Respondents expect a lot from their Kubernetes security platforms: two-thirds cite every listed capability except network segmentation as a must-have. The capabilities span DevOps and security activities, underscoring the need for both broad and deep functionality in container and Kubernetes security platforms.

Survey question: How would you rate the importance of the following Kubernetes security capabilities?

This breadth also highlights the fact that securing Kubernetes and containers requires involvement from Dev, Ops, and Security teams. Respondents identified image scanning/vulnerability management (64%) and configuration management (64%) as two of the top three capabilities they consider must-haves, and at least half of respondents rated each of the listed capabilities a must-have.

Respondents use a wide variety of open source security tools

Six different open source security tools are used by at least 20% of respondents, with KubeLinter and OPA as the top two.

Kubernetes is, first and foremost, a tool for development and DevOps teams to accelerate and scale containerized application development, deployment, and management. Providers such as Red Hat, Amazon, Microsoft, and Google have added security features to enhance the base capabilities in Kubernetes. At the same time, commercial security vendors have stepped up to offer enterprise-ready security solutions for more advanced use cases.

Survey question: What open source tools do you use for Kubernetes security?

In parallel, the Kubernetes community has been very active in releasing open source security tools to fill the security gaps present in Kubernetes. Customers have a rich selection of open source security tools to choose from, and our survey results show that no single open source tool dominates Kubernetes security. KubeLinter and OPA are the two most popular, but the difference between third-place kube-bench (24%) and sixth-place Falco (21%) is only three percentage points.

Key takeaways for your container and Kubernetes security journey

The findings in this survey of over 500 respondents highlight the fact that organizations are putting at risk the core benefit of faster application development and release by not ensuring their cloud-native environments are built, deployed, and managed securely. With the prevalence of misconfigurations and vulnerabilities across organizations, security must shift left to be embedded into DevOps workflows instead of "bolted on" when the application is about to be deployed into production. With over half of our respondents delaying production deployment because of security concerns, a lack of security controls could inhibit business acceleration and innovation.

1. Use Kubernetes-native security architectures and controls.

Kubernetes-native security uses the rich declarative data and native controls in Kubernetes to deliver several key security benefits. Analyzing the declarative data available in Kubernetes yields better security, with risk-based insights into configuration management, compliance, segmentation, and Kubernetes-specific vulnerabilities. Using the same infrastructure and its controls for application development and security reduces the learning curve and enables faster analysis and troubleshooting. It also eliminates operational conflict by ensuring security gains the same automation and scalability advantages that Kubernetes extends to infrastructure.

2. Implement full life-cycle security, from build/deploy to runtime.

Security has long been viewed as a business inhibitor, especially by developers and DevOps teams whose core mandates are to deliver code fast. With containers and Kubernetes, security should become a business accelerator by helping developers build strong security into their assets right from the start. Look for a container and Kubernetes security platform that incorporates DevOps best practices and internal controls as part of its configuration checks. It should also assess the configuration of Kubernetes itself for its security posture, so developers can focus on feature delivery.

3. Require portability across Kubernetes environments.

With most organizations deploying containers in both on-premise and public cloud environments (sometimes in multiple clouds), security must apply consistently wherever your assets are running. The common foundation is Kubernetes, so make Kubernetes your source of truth, your point of enforcement, and your universal visibility layer so you have consistent security. Managed Kubernetes services may quicken your organization's ability to adopt Kubernetes, but be careful about getting locked into cloud provider-specific tooling and services.

4. Build a bridge between DevOps and Security.

Given that most organizations expect either DevOps or Security teams to run container security platforms, your security tooling must help bridge Security and DevOps. To be effective, the platform must have security controls that make sense in a containerized, Kubernetes-based environment. It should also assess risk appropriately. Telling a developer to fix all 39 discovered vulnerabilities with a CVSS score of 7 or higher is inefficient. Identifying for that developer the three deployments that are actually exposed to a given vulnerability, and showing why they are risky, will get you action that genuinely improves your security posture.

About our respondents: container runtime technology

Docker runtime engine remains dominant, with containerd a distant second.

Survey question: What container runtime(s) do you use?

About our respondents: other cloud-native technologies

Emerging cloud-native technologies are still in early adoption stages. Only Function-as-a-Service (FaaS) and cloud-native CI/CD tools are seeing substantial use in pilot or production environments.

Survey question: What other cloud-native technologies are you considering or using?

About our respondents: core demographics

Survey questions: Which area best captures your functional role? What is your company size? What industry do you work in?

Learn more about Red Hat Advanced Cluster Security for Kubernetes

Red Hat Advanced Cluster Security for Kubernetes is a Kubernetes-native container security platform that protects your applications across build, deploy, and runtime as you progress on your container journey. As your environment grows more complex and you depend on more automation, our platform will let you operationalize security in those more sophisticated environments and keep pace with the speed of DevOps.

Kubernetes-native security provides the following crucial benefits:

Minimize operational risk: Align security with DevOps by using Kubernetes-native controls to mitigate threats and enforce security policies that minimize operational risk to your applications.

Reduce operational cost: Reduce the overall investment in time, effort, and personnel, and streamline security analysis, investigation, and remediation by using a common source of truth.

Accelerate DevOps productivity: Accelerate the pace of innovation by providing developers actionable and context-rich guardrails embedded into existing workflows and tooling that support developer velocity.

Ready to see Red Hat Advanced Cluster Security for Kubernetes in action? Get a personalized demo tailored for your business and needs.
